One Size Does Not Fit All
Ubiquity in broadband connections to the Internet and the increasing pervasiveness of mobile devices (laptops, PDAs, and Smartphones) plus the accompanying evolution in how, when, and where “business gets done,” businesses are experiencing unending growth in remote access. Whether access originates from employees, business partners, or customers, the facts are clear that there are more remote access users and sessions than ever before. Plus, the diversity of resources being accessed (e.g., file shares, intranet websites, and email and other business critical application servers) is expanding.
An additional pair of inescapable facts are remote access occurs: (1) through shared network environments such as the Internet and from public and office-deployed wireless access points, and (2) from end-user devices where the security state of those devices is uncertain and far from uniform. As shared network environments, they are open to all and consequently polluted with users and activities that are unwanted, disreputable, and dangerous. From the perspective of end-user devices, “getting business done” has irrevocably changed the population of devices from predominantly owned and managed by the business IT organization to include several categories of devices that IT cannot proactively control the security health of (e.g., patched software). Categories of uncontrolled, unmanageable, and, by default, untrusted devices include: employee home PCs, partner and customer-owned PCs and laptops, user-owned handheld devices, and shared Internet kiosks.
As untrusted, these networks, devices, and even the users themselves, if confirmation of their true identities is weak, contribute to a rising tide of business and security risk for firms that are increasingly dependent on remote access in their business operations. Certainly the level of risk will vary across businesses as the risk profile and risk tolerance for each firm is as unique as fingerprints – no two firms are the same. Nevertheless, the fact remains that risk is present and indifference to that risk has consequences.
