We recently deployed RSA SecurID software authentication tokens to replace the hardware tokens we had been using to provide strong authentication for remote access via a VPN client. Hardware tokens are more secure for two-factor authentication in some ways (but not in every way, as you'll see), but the software tokens can be used on mobile devices such as phones; they are much less expensive; and they can be deployed more quickly and easily. What's more, when a user no longer needs access, it's much simpler to disable a software token than it is to retrieve a hardware token from somewhere like China, Russia or India.
Of course, RSA suffered a notorious security breach last year, but after I was briefed on the details, I felt comfortable moving forward.
Deployments such as this software token rollout can be interesting, because you have a chance to learn about some scary practices that had been going on without your knowledge.
For example, once employees got word that their hardware tokens will no longer be operational, some of them started asking for software tokens to be installed on their home PCs and Macs. Clearly, they had been taking advantage of the fact that the hardware tokens could be used with any computer. Our VPN client allows full network access, and that, combined with our lack of Network Admissions Control, meant that we were ending up with untold numbers of noncompany computers on our network. Naturally, I can't vouch for the integrity of any of those noncompany assets. Home PCs are often used by family members and other people, any of whom might install untrusted applications, click on things they shouldn't and end up infecting our internal production network.
I'm also concerned about protecting intellectual property, which is my responsibility. We are free to inspect the contents of any device we have issued to our employees, but we have no legal right to inspect any personal device, even if that device is connected to our network. In addition, laws are vague in some states and countries regarding our ability to monitor activity when an employee is using a personally owned device. If such an employee were to leave the company, our intellectual property could easily go with him.
For good measure, let's throw in the risk of license compliance issues.
Help Desk Too Helpful
While employees might not be aware that they shouldn't be connecting to the network from their own PCs, our help desk personnel should know that, right? Truth is, they've been helping employees install the VPN client on their home PCs. As an experiment, I called the help desk with an urgent request for access from my home PC. They actually sent me the full VPN client and walked me through the installation on my computer. After that experience, I reviewed some help desk tickets and found that the techs had also assisted in the installation of the VPN client on PCs at public Internet kiosks and hotel lobbies.
These exception requests are being met with a stern response. If an employee needs to access our network from home or another remote location, then the company needs to issue that employee a laptop. In many cases, the employee already has a laptop and is just too lazy to take it home or prefers using a Mac. But until we deploy a more secure method of remote access, such as a virtual desktop environment or a sandboxed VPN, I will hold the line against these sorts of exceptions.
At issue: When software tokens replaced hardware tokens for two-factor authentication, our manager discovered that a lot of noncompany computers had gained access to the corporate network.
Action plan: Lay down the law on remote access, with no exceptions.
This week's journal is written by a real security manager, "Mathias Thurman," whose name and employer have been disguised for obvious reasons. Contact him at firstname.lastname@example.org.