Security: So You Want to Work Remotely?

Tuesday, October 26, 2010

Christopher Burgess


Do you have an office to which you commute each and every day? Do you need one?

Personally, I haven't had a desk in an office building for more than five years, and have been able to work from any place on the globe where I am able to plug into the Internet.

I personally love the flexibility it affords and it fits my lifestyle with perfection. Though this may work for me, is it practical for everyone? Does your professional situation lend itself to being able to work remotely?

According to a recent Cisco study "The Cisco Connected World Report", I find I have a lot of company, as three out of five employees believe it unnecessary to be in the office and contend they can be just as productive working outside their traditional brick-and-mortar workplace, as within.

So let's assume that your employer agrees with you. What should they expect from you, as you leave the "office" and move to the "mobile office?"

First and foremost, I think they need to be assured as to your level of understanding of the environmental differences.

You are no longer within the four walls of the employer, and you no longer have that physical security surrounding you and the assets. Your mobile environment by definition is physically outside their ability to monitor for the physical security threats which every office addresses.

In addition, there is the technological side of the equation. When you work remotely, how are you collaborating with your colleagues who are also working remotely or those who are still within the company's offices?

If you are using a laptop, do you use a virtual private network (VPN) connection to your employer so that your information is protected at the same level of security afforded to you prior to becoming mobile?

If you don't, but rather use virtual third-party collaboration spaces, is the connection between these service providers and your laptop secured by a secure socket layer (SSL)?

How is the information secured? Can the service provider or another subscriber of the service see or access your data?

These are all questions that your information technology team will be asking as they work their way through the equation and solution to enable you to enjoy the benefits of being a mobile worker.

Then there is the expectation of when you, the mobile worker, will be available. Being connected from your home does not necessarily mean that you are available 24/7/365.

For example, I tend to close my office door on Friday evening and not open it again until Sunday evening, to only confirm the time and location of Monday's first appointment. This is something you absolutely want to iron out so that expectations are fully managed at the outset.

Then there is the home/mobile office environment. What if you lost your laptop or smart-phone? Would you lose sensitive company data? Would you lose personal data? Would you lose customer data?

I have a number of thoughts for mitigating the damage when or if a device is lost or stolen:

  • Encrypt your hard drive and any backup drives, USB sticks, smart cards, etc. There are a number of quality encryption solutions available. My rationale is that in the event your device(s) become separated from you, they are in essence nothing more than glorified paper weights, vs. a treasure chest of exploitable data.
  • When traveling, put a decal on your laptop so that you can distinguish it from others going through the security checkpoints and are able to keep an eye on it. I recommend against putting a company decal or business card on the outside of the laptop. The intent is to make your specific device visually distinguishable when you are separated from the device.
  • Use a privacy filter. A privacy filter cuts down on the ability of others to shoulder surf or otherwise inadvertently view your screen and your work product. I can't count the number of times I have sat in a coffee-shop or airplane seat and had foisted into my field of vision company confidential information, which would have been obscured had the individuals simply used a privacy filter.
  • Technologically lock your laptop, mobile phone, etc. If you lose the device you don't want it to be easy for the individual who finds the device to harvest the data from the device. This is in addition to encryption.
  • If you must leave your laptop unattended for a period of time, shut it down to invoke the encryption protocol and use a cable-lock to raise the level of difficulty for the laptop to be lifted and carried off. There is an important point to remember when using cable locks. Secure the cable lock to an immovable object or point of attachment. For trunks of vehicles, secure it to the bolts attached to the trunk's floor. For hotel rooms, loop it through the built-in-desk, or in a pinch you can connect it to the commode.
  • If you are printing in a mobile environment, and it is company confidential information, you need to understand the expectations of how the paper should be handled and ultimately destroyed. A cross-cut shredder is a good starting point. I use one, and then I compost the shred with our horses' offering, manure. The paper composts nicely, and we don't get many dumpster divers.
  • Don't mix your work email with your personal email.

I am a strong advocate for the ability to work from any place at any time.

The items previously mentioned are those that I addressed early on in my engagement, and I encourage you to do so as you pursue your desire to work remotely.

Christopher Burgess is a senior security advisor to the chief security officer of Cisco.

Cross-posted from Huffington Post

Possibly Related Articles:
SSL Remote Access
Post Rating I Like this!
Mark Gardner Christopher,

I was having the very same conversation regarding remote security opportunities.

It seems to me, that whilst there are many jobs out there for the Security professional, many are still tied to some form of location on application.

How can this barrier be broken down?

Terry Perkins Great article, Christopher. And... great question, Mark. I'm curious as well. I would like to propose working remotely at some point.
Alexander Schjelde Great article Christopher,
I would have liked to see some comments regarding the importance of a secure network connection. Many of us are using wireless networks (hot-spots or at home) and not having proper encryption (WPA-2) is to me a as dangerous as not having the storage media encrypted. We even have our other family members on the same network (no pun intended for creative college kids).
Another issue is that many people forget that if they are remote, they may not have the same automated features available such as Antivirus updates or Security patching etc. It is easy to become vulnerable to exploits.

I am a strong believer and a user of remote work capability and are utilizing a virtual environment.

All applications (that I have the need to access) are hosted in a secure VMWare environment at the corporate office incl. MS Office etc.
I cannot store data locally.
VPN / encrypted tunnel, password protected screensavers, antivirus is all included and it is extremely fast on top of it.

Since it's like a sand-box environment, none of my local data / applications can be accessed or vice versa. Meaning, even if I had a virus on my local machine, it would not endanger my corporate environment.
Cloud computing in all its glory.

Thanks again for a good article.
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.