Sometimes the only way to make progress is to leave something behind.
As the popularity of mobile devices increases, so, too, does the demand for organizations to support telework. Getting many different devices and software to work well together can be a major IT challenge, even without taking security into consideration. Fortunately, some simple steps can help ensure a secure environment for telework.
For many school districts, remote access may be provided by one or more technologies, such as virtual private network (VPN) tunnels, web portals and client virtualization (terminal servers). Most of these technologies can encrypt network communications to protect them from being intercepted by others as they pass over the Internet, wireless networks and other networks that may be poorly secured. This defense is essential for protecting telework data.
If a remote access technology doesn't provide strong encryption, a user can generally "wrap" its communications with a separate encryption technology, such as using HTTPS to transport another network protocol.
Telework client devices, such as notebook PCs and smartphones, face the same threats that other client devices face — in addition to a significantly higher likelihood of loss or theft. And these devices aren't protected by the enterprise's network security controls, such as firewalls and network intrusion detection systems.
Districts should secure telework client devices using the same client-based security controls that they would use for any client device, such as applying patches promptly and disabling unneeded services and functionality. However, district IT departments also should apply additional security controls to compensate for the lack of network security controls and the risk of loss or theft. For example, full-disk encryption and other storage encryption technologies can protect the confidentiality of telework data stored on client devices. That way, if a device is lost or stolen, an attacker cannot readily recover the data it carries.
More than one type of authentication should be required for remote access. IT departments should ensure that users are authenticated before gaining access to the telework device, such as entering a PIN to access a smartphone. Then users should be authenticated again, using different credentials, to gain access to the organization's remote access methods. Districts also should require authentication to unlock storage encryption technologies; otherwise, an attacker can bypass them and gain access to sensitive data.
Regular passwords alone are generally not strong enough for remote access, especially because they are so often stolen. Districts should use multifactor authentication for remote access whenever possible to thwart such threats. An example of multifactor authentication is a one-time password provided by a secure token, along with a memorized password.
It's also feasible to use strong authentication methods, such as cryptographic keys, that are device-based, not user-based. Many organizations choose to authenticate the device instead of, or in addition to, authenticating the user. This is important if, for example, an organization has chosen to permit only organization-owned smartphones to remotely access the network. Districts should be able to determine that a device belongs to the organization before allowing it access. Storing cryptographic keys on devices is one way of accomplishing this.