IT’S PRETTY WELL ACCEPTED by now that most enterprises are going to have to deal with traveling, at-home or remote employees, consultants or vendors. Once the sole domain of the sales staff or “road warriors,” personnel from management through every part of the organization now often require access to corporate data and systems in order to do their jobs. Moreover, with the huge increase in both the number and the power of smart phones, netbooks, laptops, drives and other devices (even gaming devices), and the varying environments from which they can be used to access the central system, it is now imperative for most organizations to provide secure and consistent network connectivity for these “BYOD” (bring-your-own-device) workers. Access by workers and management at the main office now benefits from superior control, thanks to the increasing use of fibre-optic lines (saving money over T1 and T3 lines), password and encryption security software, collaboration software, video and web conferencing, instant messaging (“IM”) and the like.
There are basically three technologies that can be used to achieve this link:
1. Publishing a desktop across the Internet. Remote desktop technologies are used to connect to a centralized or decentralized server or virtual desktop, which is in turn granted access to a private network.
2. Providing a VPN (“Virtual Private Network”) or VDI (“Virtual Desktop Infrastructure”). A VPN is used to provide a software-configured connection to let a laptop or home computer access resources on a private network (such as e-mail, files and databases). VDI is used to decouple hardware from software, and can replace large terminal servers with many virtual machines.
3. Using “Cloud” computing. This takes advantage of applications hosted on the Internet, available anywhere and anytime to anyone with an Internet connection.
Planning for this level of service must address access, speed and security. Bandwidth must constantly (or at least periodically) be monitored to eliminate bottlenecks for certain users or locations where speed is compromised. Different levels of access must be assessed, depending on each worker’s requirements and connection. In addition, security must take into account the type of hardware (e.g. smart phones, laptops, USB flash drives) and connection (e.g. cabled, Wi-Fi) being used, in order to prevent leakage of important or proprietary data. In particular, smart phones and flash drives must be secured by a detailed and uniform policy.
In many areas, we find that standardization is useful. Not so much here. While standardization (everyone receives the same brand of device, loaded with the same software and identical security) might be useful for reducing troubleshooting and syncing with network resources, it can be much more costly than customizing devices. Choosing devices for workers should take some thought. Each employee has unique needs in performing his or her job, which may require such special devices as ruggedized hardware, multiple rather than all-in-one devices, or specialized software not required by other employees. Management may require a laptop with number-crunching software, while sales may need a smart phone with contact management software. In any event, IT should provide training, which will reduce daily troubleshooting, as well as remote management, probably through third-party tools, which can resolve problems quickly rather than via long telephone calls. In a larger organization, it’s often useful to develop and train a “leader” in each department who can spot trends in the use of devices and convey that information to IT and management. Finally, don’t forget to consider how the addition of all of these mobile devices will affect the existing systems, possibly requiring infrastructure upgrades to keep up service. And plan for the future, not just the present - think about what you may need in five years or more.
It’s also necessary to pair the devices with the appropriate level of security. Encryption is imperative and easy to implement, and works on all devices, right down to a thumb drive. But it has to be installed and, in many cases, enabled. Password protection is easy and basic. A “kill switch” which shuts down a device remotely should it be stolen or compromised may also be desirable. [Windows Exchange Server and System Center Mobile Device Manager, for example, have built-in self-destruct sequences you can use to remotely wipe a lost or stolen device.]
Even if the data is secure, it still has to be backed up. The more data on your server, the less there is to back up from the individual field devices. If your enterprise is using the Cloud, you have comparatively little to worry about. If not, you may be at the mercy of the individual worker, and that has a very poor track record. Luckily, there is “monitoring” software available to make sure that backups of remote users’ laptops and mobile data are completed on a regular schedule, without all of the e-mail baby-sitting that would otherwise be required. Such software also makes it easier to push Windows updates or anti-malware software to the machines. Finally, it’s always a good idea to have a “golden image” of each computer in the event that a hard drive or device fails. Such an image would include not only the software and operating system, but also the individual settings such as volume, backlight, power settings, schemes and other “creature comforts” for the user.
Remarkably, one of the most insecure links in your organization is your voice communications. Voice networks are very hackable. Because, for example, voice communications over smart phones are hardly ever encrypted (and most often cannot be), they can easily be eavesdropped on by someone with inexpensive software and a wireless antenna. Once again, your workers must be trained to understand this and to comply with policies limiting the nature of their communications over these devices. [A review of the Data and Security pages of this site will show you that it is not outside hackers that put your organization most at risk; it is your employees.] Of course, this smart phone culture is a double-edged sword: it shortens the learning curve to put applications onto a device the user is already familiar with on a daily basis, but it also has security holes that must be plugged. Your choices for security range from taking control of the user’s entire device with a complex password issued by IT, to the “sandbox” or “containerized” approach where specific apps can only be “unlocked” by login and are managed by IT, to “push” technology which can be locked by a single remote keystroke from IT. The complexity of your security will vary with the size and scope of your organization, your hardware and your particular data.
If all this sounds like it can be time-consuming and expensive, sometimes it is. But consider: the more you have to protect, the less you can afford to lose your data, the larger your organization, and the more hardware you must control, the greater will be your need for a uniform and complete policy for mobile devices. Otherwise, the cost of leakage could disable or even destroy your organization.
For more information, please call us for a consultation.