by Nick Boothe

When your workforce is all over the place, you need a VPN

Aug 01, 2012 · 9 mins read

Tags: Mobile, Mobile Apps, Security Software

In the information war, the general public has got the taste for conflict and they’ve tooled themselves up with tablets, smart phones and all kinds of gadgets.

While they are feeling brave it is the CIO that has to lead the front and who will carry the can when the inevitable casualties happen.

Consumerisation is being hailed as a users’ revolt. However, CIOs should bear in mind that few revolutions are bloodless and it’s only a matter of time before we see some casualties.

Soon people may start to feel nostalgic about the old order and want the authority of the CIO to return.

“Yes, the users have risen,” says Nader Henein, security adviser with RIM, “it’s like the Arab Spring. The old days when IT had a plan, selected the hardware and worked out their strategy for security have gone. Now you have to be an enabler and can’t be seen to be getting in the way.”

It’s not time to abandon hope yet though, he says, because this is all part of the constant push and pull between end users and the IT department as they battle for control over the means of production.

The battle could soon swing back in the IT department’s favour. A good high-profile security scandal should do the job.

“One of the problems is that there haven’t been enough high profile incidents involving iPads,” says Gartner analyst Leif-Olof Wallin, “so nobody believes that there is a massive security exposure. Malware attacks haven’t been bad enough yet so few CIOs are able to say no to the users.”

Lars Kamp, Accenture’s mobility services strategist, says the users don’t seem to have any historical perspective.

“It’s the 1990s Internet mania repeating itself,” says Kamp.

“Suddenly a new technology swept in, threatening and promising to change the way people worked and lived. It became an instant priority for IT, but its multiple facets weren’t so easily nor quickly mastered.”

Lessons learned

If CIOs can apply any of the lessons from the 90s to the current mobile mania, it is that companies that got caught out then were spending money on brochureware, while savvier companies realised that only careful back-end investment would save them from disaster.

By ditching the carefully laid out security plans created by Blackberry, with its secure servers and mobile VPNs, the new tablet users are putting the enterprise at risk.

The first priority should be to re-establish VPNs. But won’t that get in the way of users? Having secured the company first, they could move on to offer the benefits: data access to employees, partners and suppliers.

If all goes to plan that will lead to unprecedented transactional opportunity via e-commerce and other channels.

Accenture Research backs up his theory: two separate studies suggest that history is repeating itself.

“Confusion still reigns over how to accommodate divergent employee and customer needs, especially with the fragmentation of the mobile device market and widespread concerns about security, costs, and connectivity,” concludes The Accenture CIO Mobility Survey 2012.

“The biggest concern is not malware, but consumer apps running on enterprise devices,” says RIM’s Henein.

One of the prices that CIOs are paying, as they surrender control over the IT infrastructure, is that all kinds of cloud services are being granted access to sensitive corporate data, as users sign up for consumer apps.

It’s only going to get worse. A Check Point study of mobile device usage in January 2012 indicated that 78 per cent of enterprises had seen the number of mobile device connections double on their networks since 2010.

“People want access to the network and resources, and they want it on the device they carry with them,” says Terry Greer-King, UK MD for Check Point. “The CIOs get the headache of securing those devices.”


There are really only two ways to retrospectively achieve this, he says. Firstly you could try to audit and certify every single device that users want to use.

This is obviously an impossibly onerous task, unless there are CIO and IT teams out there with nothing else to do. Even then, the sheer range of devices and versions you are likely to be presented with would make it impossible.

The alternative is to work with the demand for BYOD by using a there’s-an-app-for-that approach to security, says Greer-King.

That means providing VPN capacity at the gateway and cajoling users to download the appropriate Apple or Android or Windows or Symbian app to secure their device’s access.

This makes the security quick and easy to provision, and it covers the vast majority of devices at a stroke.

If that sounds like a patchy response to security, that’s because it is. These days CIOs have to accept that they have lost some control over the IT landscape, and need to win it back after the event.

The consumerisation of corporate IT means it will ever be thus, says RIM security adviser Nader Henein.

I told you so

Relinquishing control brings its own rewards, says Greer-King, as most CIOs contacted by Check Point (71 per cent) said they believed smartphones and tablet PCs have contributed to an increase in the number of security events in their organisations within the past two years.

“Few organisations could run extended and mobile workforces without the security VPNs offer,” says Simon Leech, the European solution architects manager at HP’s enterprise security group TippingPoint.

VPNs need careful management so that risks are managed effectively.

“Being able to access remote resources without physically being there is clearly a boon to smaller organisations or widespread staff,” says Leech.

Well, yes. But do they actually need a VPN to secure them?

If organizations are to exercise any kind of control over the type of devices they allow onto the network, it’s important that there is some uniformity of compliance checking before a device is permitted to access the infrastructure via VPN, says Leech.

If not, they could introduce an uncontrolled threat into the corporate infrastructure.

“If a company doesn’t have this and it hasn’t taken the systems connecting via VPN into its security management infrastructure, then there will be an issue with the VPN potentially allowing other machines the ability to shoot threats right into the heart of the enterprise. That’s the downside,” says Leech.

“Think how the VPN infrastructure is connected to the organisation and where it terminates. If this isn’t connected right, you will end up with VPN sessions passing straight through whatever perimeter defences have been put in place uninspected.”

There are many servers offering remote desktop protocol capacity connected directly to the internet that can be accessed without a VPN.

“People often don’t think about it when designing the infrastructure and that means when a bug as serious as the recent MS12-020 targets RDP, your corporate servers become a sitting duck, inviting attackers to wade in,” says Leech.

This highlights another of the less documented issues around VPNs: the importance of good patch management and adequate inline network defences.
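Leech’s point about RDP servers sitting on the internet with no VPN in front of them is one that can be checked mechanically against the firewall’s own rule base. The following is an added example, not code from the article, HP or Check Point: it parses a constructed, simplified rule export (the CSV layout, the addresses and the trusted ranges are all made up for the example) and reports every allow rule that lets a remote-administration port such as RDP be reached from a source that is not one of the ranges expected to arrive via the VPN.

```python
"""Audit ingress rules for remote-administration ports reachable outside the VPN.

Added example; the rule format, addresses and trusted ranges are constructed and
do not correspond to any real product's export format.
"""
import ipaddress
from typing import Dict, List

# Services that should only be reachable from VPN-terminated or otherwise trusted
# source ranges, never from an "any source" rule on the internet edge.
ADMIN_PORTS = {3389: "RDP", 22: "SSH", 5900: "VNC", 445: "SMB"}

# Source ranges that are allowed to reach admin services: the VPN address pool and
# one partner range (constructed values).
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.20.0.0/16"),      # addresses handed out by the VPN gateway
    ipaddress.ip_network("198.51.100.0/24"),   # partner site reached over a site-to-site tunnel
]

# Constructed rule export. Columns: action,src,dst,proto,port,comment
RULE_EXPORT = """\
allow,0.0.0.0/0,203.0.113.10,tcp,443,public web
allow,0.0.0.0/0,203.0.113.20,tcp,3389,terminal server (legacy)
allow,198.51.100.0/24,203.0.113.30,tcp,3389,partner rdp
allow,10.20.0.0/16,203.0.113.30,tcp,3389,rdp from vpn pool
allow,0.0.0.0/0,203.0.113.40,tcp,22,jump box
deny,0.0.0.0/0,203.0.113.0/24,tcp,445,block smb
"""


def parse_rules(text: str) -> List[Dict]:
    """Turn the CSV export into rule dictionaries; blank lines and '#' comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, src, dst, proto, port, comment = [f.strip() for f in line.split(",", 5)]
        rules.append({
            "action": action.lower(),
            "src": ipaddress.ip_network(src, strict=False),
            "dst": dst,
            "proto": proto.lower(),
            "port": int(port),
            "comment": comment,
        })
    return rules


def is_trusted_source(net: ipaddress.IPv4Network) -> bool:
    """A source is trusted only if it lies entirely inside one of TRUSTED_SOURCES.

    0.0.0.0/0 is never a subnet of a trusted range, so 'any' rules are always flagged.
    """
    return any(net.subnet_of(trusted) for trusted in TRUSTED_SOURCES)


def find_exposed_admin_services(rules: List[Dict]) -> List[Dict]:
    """Return allow rules that expose an admin port to an untrusted source."""
    findings = []
    for rule in rules:
        if rule["action"] != "allow" or rule["proto"] != "tcp":
            continue
        if rule["port"] in ADMIN_PORTS and not is_trusted_source(rule["src"]):
            findings.append({
                "dst": rule["dst"],
                "service": ADMIN_PORTS[rule["port"]],
                "port": rule["port"],
                "src": str(rule["src"]),
                "comment": rule["comment"],
            })
    return findings


def audit(text: str = RULE_EXPORT) -> List[Dict]:
    """Parse and audit an export in one call."""
    return find_exposed_admin_services(parse_rules(text))


if __name__ == "__main__":
    for f in audit():
        print(f"{f['service']}/{f['port']} on {f['dst']} reachable from {f['src']}  ({f['comment']})")
```

On the constructed export this flags the legacy terminal server and the SSH jump box, while the two RDP rules whose sources are the VPN pool and the partner range pass. The allow-list approach (trusted ranges, everything else flagged) is deliberate: a check based on "is the source private?" would miss a broad public range that is merely narrower than 0.0.0.0/0.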

In the case of MS12-020, Microsoft thought the publication of the bug would result in an exploit in around thirty days.

“In fact it took only a couple of days for a proof of concept to become available,” says Leech. “A good reason to have a VPN.”

Cisco sets quite a good example to the industry with its mobile VPN management. Cisco employees access corporate services from over 60,000 mobile phones and tablets.

“Apple, Android, Blackberry, Windows, Nokia, you name it. A growing number of people have three or more devices,” says Ian Foddering, Cisco’s chief technology officer in the UK & Eire.

In-built precautions

Cisco IT’s security problem was that these devices greatly expand the borders of a secure network. So Foddering demands that secure mobile devices have a number of in-built precautions, such as:

– They must have a 4-digit PIN or greater to open each device’s access
– The devices shut down if unused for 10 minutes
– All contents have to be fully encrypted and the devices can be fully wiped, remotely, if the employee reports the device lost or stolen, or leaves the company

If the device can do all the above, then it should also run Cisco’s mobile VPN client, AnyConnect Secure Mobile Client. This uses certificates to set up a secure VPN connection into Cisco’s intranet from the device.
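Leech’s call for uniform compliance checking before a device is allowed onto the VPN, and Foddering’s concrete list of precautions, together describe a posture gate. The code below is an added example, not Cisco’s or the article’s own, that encodes the listed requirements (PIN of four digits or more, auto-lock within 10 minutes, full encryption, remote-wipe enrolment, a valid client certificate) as a policy and evaluates constructed MDM-style inventory records against it, including the lost-device and leaver cases, which trigger a wipe rather than a simple denial. The record field names and sample devices are made up for the example.

```python
"""Device posture gate for VPN access.

Added example, not the article's or Cisco's code. Field names on the Device record
are constructed and do not match any particular MDM product's schema.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """Minimum posture before VPN access is granted; values follow the article's list."""
    min_pin_length: int = 4
    max_autolock_minutes: int = 10
    require_encryption: bool = True
    require_remote_wipe: bool = True


@dataclass
class Device:
    """One inventory record as an MDM might report it (constructed shape)."""
    device_id: str
    owner: str
    pin_length: int                 # 0 means no PIN or passcode set
    autolock_minutes: int           # 0 means the device never locks itself
    encrypted: bool
    remote_wipe_enrolled: bool
    cert_expires: Optional[date]    # VPN client certificate expiry; None = none issued
    reported_lost: bool = False
    owner_active: bool = True       # False once the employee has left the company


def evaluate(device: Device, policy: Policy, today: date) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'allow', 'deny' or 'wipe'.

    'wipe' means revoke VPN access and issue a remote wipe, because the device was
    reported lost or stolen or its owner has left. That case is handled before any
    posture check: a fully compliant device is still wiped if it is lost.
    """
    if device.reported_lost or not device.owner_active:
        why = "reported lost or stolen" if device.reported_lost else "owner has left the company"
        if device.remote_wipe_enrolled:
            return "wipe", [why]
        # Cannot be wiped remotely: cut access and flag for manual follow-up.
        return "deny", [why, "not enrolled for remote wipe; manual follow-up needed"]

    reasons: List[str] = []
    if device.pin_length < policy.min_pin_length:
        reasons.append(f"PIN shorter than {policy.min_pin_length} digits")
    if device.autolock_minutes == 0 or device.autolock_minutes > policy.max_autolock_minutes:
        reasons.append(f"auto-lock not within {policy.max_autolock_minutes} minutes")
    if policy.require_encryption and not device.encrypted:
        reasons.append("storage not fully encrypted")
    if policy.require_remote_wipe and not device.remote_wipe_enrolled:
        reasons.append("not enrolled for remote wipe")
    if device.cert_expires is None:
        reasons.append("no VPN client certificate issued")
    elif device.cert_expires < today:
        reasons.append(f"VPN client certificate expired on {device.cert_expires.isoformat()}")

    return ("allow" if not reasons else "deny"), reasons


# Constructed sample inventory for the example.
SAMPLE_DEVICES = [
    Device("phone-001", "alice", pin_length=6, autolock_minutes=5, encrypted=True,
           remote_wipe_enrolled=True, cert_expires=date(2013, 6, 30)),
    Device("tablet-002", "bob", pin_length=0, autolock_minutes=0, encrypted=False,
           remote_wipe_enrolled=True, cert_expires=date(2013, 6, 30)),
    Device("phone-003", "carol", pin_length=6, autolock_minutes=5, encrypted=True,
           remote_wipe_enrolled=True, cert_expires=date(2013, 6, 30), reported_lost=True),
    Device("phone-004", "dave", pin_length=4, autolock_minutes=10, encrypted=True,
           remote_wipe_enrolled=True, cert_expires=date(2012, 1, 31)),
]


def gate_all(devices: List[Device], policy: Policy = Policy(),
             today: date = date(2012, 8, 1)) -> dict:
    """Evaluate every device; returns {device_id: (decision, reasons)}."""
    return {d.device_id: evaluate(d, policy, today) for d in devices}


if __name__ == "__main__":
    for dev_id, (decision, reasons) in gate_all(SAMPLE_DEVICES).items():
        detail = f"  ({'; '.join(reasons)})" if reasons else ""
        print(f"{dev_id}: {decision}{detail}")
```

Two design points are worth noting. Boundary values follow the article literally: a 4-digit PIN and a 10-minute lock both pass. And the lost-or-leaver branch runs before the posture checks, so the answer for a lost device is "wipe", not "allow", however well it is configured; if such a device is not enrolled for wipe the gate can only deny and escalate, which is exactly why remote-wipe enrolment sits in the policy in the first place.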

Securing all the devices was not an easy job, admits Foddering. You need to do a lot of work getting the users on your side, by making it easy for them to work with the system.

Securing the endpoints also means protecting them from viruses, malware, social engineering and phishing. These days, he says, that involves using a cloud security solution like ScanSafe.

“With VPNs on mobile devices, you need to make sure that it’s easy to use. Mobile device keyboards are hard to use with most password-based VPN clients,” he warns.

VPN clients are not easy for people to set up the first time. You can save a lot of time in the long run if you can build a script to automate setting up the client on 10,000 phones, rather than have a help desk person walk each user through it.

At Cisco the IT group wrote a script that users initiate by clicking on a URL on an email on the phone, from within the secure wireless corporate network.

This loads the VPN profile and certificates in about 5 minutes.

Be prepared to constantly re-examine your VPN security. Like any security solution, no VPN is a perfectly secure solution forever.

As hackers get more sophisticated, the VPN solution will have to get more sophisticated over time. 

“It’s good to have or hire or consult with someone who can,” says Foddering.

Meanwhile, the users really are revolting and need protecting from themselves.

“At the moment, most consumer devices are used in an insecure fashion, with little remote management capability,” says Dean Bubley, at Disruptive Analysis.

Pic: paulswansen, CC 2.0