One of the tools that organizations are leaning on for pandemic responses is remote access to computing systems. Technologies such as VPNs, Citrix servers, terminal servers and other forms of remote access are widely appearing in the plans we are reviewing and are among the most discussed items in the planning sessions we have been holding with clients.
However, there are some issues that are emerging around many of these tools. To start, they can introduce a great deal of risk to the IT infrastructure and security posture if they are not deployed and managed properly. For example, blindly exposing terminal services, SSH and other remote access technologies to the Internet is a common path to compromise. Attackers are very good at finding these services and exploiting them, either with technical exploits or through credential discovery via social engineering, browser attacks and/or brute force. These exposures are often present in the major data breaches and serve as a danger point for organizations.
Blindly exposing remote access mechanisms such as these is usually a pretty bad approach. A better approach is to leverage a stronger access method such as VPN. VPN technologies are typically built around stronger security platforms and with greater security in place to protect the users and the organizations they serve. They will require a bit more “care and feeding” than blind port forwarding deployments, but they are a much safer solution for remote access to your environment.
VPN technologies also do not need to be expensive. Projects like OpenVPN and other open source approaches have reduced the costs to deploy VPN access to the lowest of levels. Basically, the cost of hardware and the human resources to install and support the system are the only costs involved. Many tools exist in this family and more are emerging every day.
Another significant issue to consider when looking at the remote access capability of your pandemic plan is capacity. More than likely, your solutions were implemented, as are most, with the idea that a somewhat limited subset of your entire employees would be using the access tools at any given time. That may not be the case in the event of a pandemic. The number of employees accessing the system may exceed your current designs and testing, so be sure you think through how you can expand that capacity, rotate shifts or use other techniques to plan for the impact from the surge in demand.
Lastly, be sure and test these mechanisms before you need them. Things in life often don’t work as planned the first time around, so practice for pandemics before one arrives. Have dedicated work from home days, plan for teams or lines of business to practice their plans and create lessons learned feedback loops to capture issues and work on minimizing them.
Preparation will likely pay off, both in the continued operation and bottom line of your business and in the reduction of panic should a pandemic every rear its ugly head. Thanks for reading, and let us know if we can assist you in planning or testing with pandemics in mind. Please, stay tuned to the blog for more information on the possible H1N1 pandemic, pandemic planning and other security issues that might emerge. At MSI, we are dedicated to helping you establish the means and mechanisms to keep your business, your business…