For years, remote desktop software has remained under IT’s watchful eye and iron-fisted control. These incredibly useful tools allowed employees on the move to remotely access their office desktops with little or no threat to the enterprise. But the surge of client-side apps, particularly on smartphones, has wrested control from IT.
“These apps, although convenient, are potentially dangerous to organizations,” says Rob Fitzgerald, president of Lorenzi Group, a digital forensic firm. “They immediately give employees control of company data.”
Fitzgerald cites the recent case of a City of San Francisco administrator who refused to hand over administrative control of the city’s FiberWAN as an example of how things can go badly when the employee, rather than the organization, controls the database. It cost the city $900,000 to regain control. The motive, said the district attorney, was job security. “This is nothing more than his attempt to become an indispensable employee,” Assistant DA Del Rosario said in the closing arguments. “You suspend me; the FiberWAN goes down.”
Several state regulations hold CIOs personally responsible for data security. Imagine the hundreds of possible scenarios your department might face, and the potential risk of additional access via remote desktop software becomes even scarier.
“Sixteen states are looking to pass regulation similar to Massachusetts’, Nevada’s and California’s laws requiring CIOs to sign off on data security under possible civil and criminal penalties,” says Fitzgerald. “With multiple phones and easily-obtained remote desktop apps that cross platforms – how can you lightly sign off on that?”
Now that remote services have gone rogue, what’s an IT department to do to regain data control?
Scale, Scope, and Surge
“One must remember that smartphones are powerful; they are equal to PCs about ten years ago,” says Tom Blackie, vice president of mobile at RealVNC, a company founded by the original developers of virtual network computing (VNC), the de facto standard for remote control computing.
Smartphones are perfectly capable of wreaking havoc with data security. They are also becoming more prevalent. The current split of 80% dumbphones and 20% smartphones is reversing. “The industry expects a complete reversal, that is 80% of all phones to be smartphones, within three to five years,” says Blackie.
Such a startling uptake of smartphones coupled with the easy-to-get, easy-to-use remote desktop apps could lead to widespread, albeit unintentional, admin privileges — if your data isn’t secured properly.
“And, the surge of remote computing has just begun — the automotive industry, for example, considers the VNC protocol to be the latest hot thing in telematics,” Blackie explained. “Soon VNC will be commonplace in vehicle dashboards to automatically connect PCs, iPads, phones, etc. to the screen in the car.”
PC and software manufacturers are also producing remote desktop capabilities as a routine offering. Microsoft has its Remote Desktop Services and Intel is embedding it directly in its chips.
“Intel is embedding our VNC product directly into its silicon so that no software is needed,” explains Blackie.
The primary reason Intel, Microsoft and others are including VNC or related remote desktop tools is to aid customer service and helpdesk functions.
“Intel KVM Remote Control, working as a part of Intel Core vPro processors, makes remote PC servicing significantly easier, allowing businesses to keep their PCs up and running with less disruption when issues occur,” said Rick Echevarria, vice president and general manager of Intel Business Client Platforms Division in a recent statement to the press. “This capability can transform help-desk processes for IT as well as enabling new service capabilities for IT outsourcers.”
While it would be folly to forbid remote access entirely, it is reckless for enterprises to neglect to address it responsibly.
To compound the problem further, employees are demanding remote desktop access in record numbers. “Demand is increasing rapidly; it isn’t just salespeople that want remote desktop software now,” says Jae Lee, manager for product marketing for Array Networks. “Everyone wants it.”
The pressure on IT to provide the software is reminiscent of the earlier movement to accept and support employees’ personal cell phones. And, just like before, employees can circumvent IT completely if they feel their needs are denied or if they decide that IT is too slow in delivering.
Meanwhile, other computing trends – from cloud computing to telecommuting – are shifting workers outside company walls, requiring managers to form a new mindset towards access and security.
It’s the Data, Not the Device
The answer to this burgeoning dilemma is in protecting the data itself. “Protect the database as a whole,” advises Steve Moyle, CTO of data security provider Secerno. Moyle’s original research in machine learning and security was done while he was a member of the Oxford University Computing Laboratory, where he still gives guest lectures. He is also a frequent presenter at RSA conferences in Europe.
“Look at the database as a whole rather than how devices are connecting,” he says. “Data leakage prevention (DLP) technologies protect data the same if it moves to a Blackberry as it does if it moves via e-mail. The key is to protect the movement of data rather than the device it is moving to.”
That is not to say, however, that connections and transfers should be unsecured. Certainly every enterprise should have strong policies and procedures already in place regarding encrypting data, public hotspot use, and stolen device lockdowns. Many of the remote desktop offerings also include encryption and other data safeguards.
“IT departments should also implement network monitoring solutions,” advises Fitzgerald. “Remote network and desktop computing is an excellent way to control and move data. Rogue employees will move the data; network monitoring will help you catch that.”
Safety Beyond Technology
Technology alone cannot stop potential problems with remote desktop access.
“You need to have policies in place similar to pornography policies,” says Fitzgerald. “Be specific about whether such [remote] apps can be used, how and when, allow no exceptions, and specify punishment for deviations from the policy.”
Fitzgerald says termination for a first offense makes sense. “It sounds harsh, but we see so much data leaving organizations without them ever being aware of it,” he says. “You need to make it clear that the ‘Ask for forgiveness later rather than permission first’ approach carries dire consequences.”
Indeed, so much of an organization now exists outside its walls that a new mindset towards security is in order.
“The companies that fare the best have a ‘Jericho is falling’ approach to security. They trust no one and no technology and they plan their security accordingly, inside and out,” says Moyle.
“The companies that fare the worst think they only need to protect the perimeter and build a better firewall to keep intruders out.”
The key is in balancing access with security. Too little access will impede business; too much will give control away.
“It’s easy in a large enterprise to give too much access rather than take the time to weigh the matter per individual worker,” says Moyle. “Access then becomes totally uncontrolled as employees come and go and their privileges are not managed and changed accordingly.”