There's no going back – the world has gone mobile. More and more financial institutions – credit unions included – are allowing employees to telecommute. Therefore, when securing your credit union's network, you need to think of it as something other than the small local area network inside your office with one Internet access point.

Our networks are growing less well-defined, with more than one entry point, each with a different level of trust. Securing this increasingly complex environment now takes some serious effort.

Whether you allow a select number of credit union employees to work from home, from the airport, or from anywhere else – any time, all the time – there are some important and serious security implications you need to consider. Here, we'll attempt to analyze them and provide valuable insights about what to do to ensure that your remote workstations, laptops – and, especially, data – are properly protected.

Challenges and Hazards

The security challenges you will face are not necessarily the same for each remote scenario, so let us first analyze the issues with an employee working from home. We will assume that by now no credit union will allow a simple, unprotected connection to an office LAN. Your remote employee will use a virtual private network (VPN).

The three most prevalent types of VPNs today are PPTP, IPsec and SSL. IPsec and SSL are the most secure because they can use the highest-security encryption (AES 256), i.e., 256 bits of encryption and a cipher (AES) that took almost 10 years to develop and was designed to last well into the 21st century, even with the power of computing increasing at the usual rate. SSL VPN is the most flexible, and the one we prefer.

So, the data travels from the credit union to the remote workstation and back, well encrypted and very secure. But when it gets to the workstation, it is decrypted and written at least into temporary files. When the user disconnects from the VPN, these temporary files remain on the remote workstation, unencrypted and, most likely, unprotected. And if the information exchanged was confidential, you now have confidential data stored on a remote workstation you have no control over.
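To make the leftover-temporary-file problem concrete, here is an added example (not code from the article or from Network Box) of a post-session sweep: it flags document-like files written since the VPN session began and overwrites and removes them. The suffix list, the directory names and the file contents are constructed for the demo; the overwrite is best effort, which is why disk encryption remains the real control.

```python
import os
import shutil
import tempfile
import time
from pathlib import Path

# Suffixes typically produced by documents opened or downloaded during a session.
# Assumption for this example; extend it to match the applications you actually use.
DOC_SUFFIXES = {".doc", ".docx", ".xls", ".xlsx", ".pdf", ".csv", ".tmp"}


def find_session_residue(roots, session_start, suffixes=DOC_SUFFIXES):
    """Return document-like files under `roots` modified at or after `session_start`.

    `session_start` is a POSIX timestamp (e.g. recorded when the VPN came up), so the
    sweep only flags files the session could have produced, not the user's older files.
    """
    hits = []
    for root in roots:
        for path in Path(root).rglob("*"):
            if not path.is_file() or path.suffix.lower() not in suffixes:
                continue
            if path.stat().st_mtime >= session_start:
                hits.append(path)
    return sorted(hits)


def purge(paths):
    """Overwrite each file once with random bytes, then unlink it.

    Best effort only: SSD wear levelling, journaling and shadow copies can keep
    old blocks around, so this complements full-disk encryption rather than
    replacing it. Returns the paths that were removed.
    """
    removed = []
    for path in paths:
        try:
            size = path.stat().st_size
            with open(path, "r+b") as fh:
                fh.write(os.urandom(size))
                fh.flush()
                os.fsync(fh.fileno())
            path.unlink()
            removed.append(path)
        except OSError:
            pass  # locked or already gone; leave it for the next sweep
    return removed


def demo():
    """Build a constructed temp tree, run the sweep, and report what happened.

    Returns {"flagged": [...], "left_after_purge": [...]} as file names so the
    outcome can be checked without touching a real user profile.
    """
    root = Path(tempfile.mkdtemp(prefix="vpn_residue_"))
    session_start = time.time() - 3600  # pretend the VPN session began an hour ago

    # A document from before the session: must NOT be touched.
    stale = root / "last_week.pdf"
    stale.write_bytes(b"%PDF-1.4 constructed, pre-session")
    os.utime(stale, (session_start - 86400, session_start - 86400))

    # Artifacts the session plausibly left behind (constructed names and contents).
    cache = root / "Temporary Internet Files"
    cache.mkdir()
    (cache / "member_list[1].xlsx").write_bytes(b"PK\x03\x04 constructed spreadsheet")
    (root / "~WRL0001.tmp").write_bytes(b"constructed Word autosave")
    (root / "readme.txt").write_text("suffix not in the sweep list; ignored")

    flagged = find_session_residue([root], session_start)
    purge(flagged)
    remaining = sorted(p.name for p in root.rglob("*") if p.is_file())
    shutil.rmtree(root, ignore_errors=True)
    return {"flagged": sorted(p.name for p in flagged), "left_after_purge": remaining}


if __name__ == "__main__":
    print(demo())
```

In practice you would call `find_session_residue` on the user's temp, browser cache and recent-documents folders with the timestamp captured by your VPN client's connect script, and log what was found before purging so you can see which applications are leaking data.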

Now, picture the situation where this home computer is also used by someone else in the house, someone who might browse to a website that will download a Trojan onto this workstation. Another hazardous home-computing scenario involves peer-to-peer networks, where users can share files with other participants without the need for a central server – even accessing another user's documents without permission. Suddenly, those possibly confidential files that were left over from a VPN session are being shared with millions of people.

Ensuring that the data traveling through the VPN also stays protected when it reaches the remote computer is something we rarely consider, but it is something that can cost your credit union quite dearly.

Solutions and Tips

There are several steps you can take to ensure higher security for this traveling data. First, the most obvious thing to do is to not allow your users to connect to the VPN using their home computer. If you have telecommuters and are in a position to enforce this, ensure that they use an employer-issued laptop and that you have full control over what's installed on it and how it's configured. Also, have fully working, well-updated anti-virus and endpoint security on it.

Second, ensure that the user can't get to the Internet using that laptop unless he or she is connected through the VPN. There are plenty of software solutions on the market that allow you to block direct access to the Internet unless the VPN is on.

If for any reason you are not in a position to issue laptops to your telecommuters, but still want to allow them to work remotely, at least make sure they are not allowed to have an administrative account, and limit what their account can see and do. This won't protect you completely, but, at a minimum, it should greatly reduce the risk of exposure.

Demand that their remote PC be kept up to date with patches and anti-virus signatures. Also consider issuing an endpoint security license for that workstation, even though it will be installed on an asset that does not belong to your company.

If the remote user is connecting from a hotel or other remote place away from home, you run into another issue – this computer is connecting to a network that is not yours and can be exposed to local attacks.

A wireless connection at the airport is open to anyone who wants to connect. The downside of this is that your computer ends up in a possibly large network with other people you do not know. Therefore, the possibility that someone with ill intentions may be connected to the same network is a real one.

The most important thing to do in this case, and, perhaps, the only really serious protection you have, is to install endpoint security software on the laptop that can intercept connection attempts, Trojans, unauthorized or surreptitious data transfers, and other possible intrusions.

In addition, your users should be advised to stay logged onto the wireless network only for the time strictly necessary and to use a VPN when transferring confidential information. It's also a good idea to protect the laptop physically, because a high number of laptops are stolen every year.

If you allow your users to check their mail remotely (by using Outlook Web Access, for example), you should ensure they do this from their own laptop and not from a public computer, which will remain at the mercy of the next customer once your user leaves.

The temporary files left on that computer during your user's session might contain data you do not want left around, and they are fully accessible to the next customer and to the administrators of that computer. This will lead to leakage of information, even though you have everything else well protected.

General Considerations

Whether your telecommuters are working from home or on the road, there are some general considerations that are valid in all cases. One very good way to protect against potential data loss is to encrypt the data, either the entire disk or only certain file systems. The second option gives you more flexibility and allows recovery of the data – if the encrypted data is on a separate logical disk – should the operating system become corrupted. Either one is a good solution to ensure that the data cannot be stolen.

Another great way to limit your risks is to avoid having the data transferred to the remote computer altogether. This is achieved by using thin-client technology, such as Citrix. With this technology, the application runs on the server, the data is processed on the server, and it never leaves the server.

What does leave the server is the graphic information to "paint" the remote screen, which contains the data in visual form but does not usually contain anything worth stealing. Even if it does, the data is usually kept in memory and is lost when the client computer is turned off. The files in the swap area will be quickly overwritten as well, so no trace of the data should be left on the client computer.

Now, we come to the subject of passwords – strangely enough, still a common issue. Too many users choose birthdates, common names, pets' names and similarly easy-to-remember passwords. Unfortunately, what is easy for us is often even easier for hackers.

A strong password is paramount to protecting your data, no matter where it is. This is particularly important for roaming users, since their computers are more likely to be stolen or somehow hacked into: an estimated 10% of all laptop computers are stolen at some point, and 97% of them are never recovered.

Passwords need to be changed, but try to strike a balance so that changing the password does not become a weak point in the security chain.
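The password advice above can be enforced at the point where a password is set. The following added example (not code from the article or from Network Box) checks a candidate against the specific weaknesses the author lists: birthdates, common names and pets' names, including the "leet" spellings users reach for to get past a naive policy. The deny-list and the sample passwords are constructed for the demo; a production deployment would load a published list of common passwords instead.

```python
import re
from datetime import datetime

# Constructed stand-in for a real list of common passwords and first names
# (assumption: in production you would load a published corpus here).
COMMON_WORDS = {
    "password", "letmein", "welcome", "qwerty", "michael", "jennifer",
    "fluffy", "buddy", "bella", "summer", "creditunion",
}

# Common "leet" substitutions, undone before the dictionary check.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

# Date layouts a birthdate password is likely to use once separators are stripped.
DATE_FORMATS = ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y")


def looks_like_date(text: str) -> bool:
    """True if `text` is only digits and separators that parse as a calendar date."""
    if not re.fullmatch(r"[0-9/.\- ]+", text):
        return False
    digits = re.sub(r"[^0-9]", "", text)
    if len(digits) not in (6, 8):
        return False
    for fmt in DATE_FORMATS:
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            continue
    return False


def check_password(password: str, personal_words=()) -> list[str]:
    """Return the reasons a password is weak; an empty list means it passed.

    `personal_words` are facts an attacker could learn about the user (pet,
    children, street), which the article singles out as common choices.
    """
    reasons = []
    if len(password) < 12:
        reasons.append("shorter than 12 characters")

    classes = sum(bool(re.search(pattern, password))
                  for pattern in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("uses fewer than 3 character classes")

    if looks_like_date(password):
        reasons.append("looks like a date (e.g. a birthday)")

    # Lower-case, undo leet spellings, keep letters only, then compare with the deny-list.
    letters = re.sub(r"[^a-z]", "", password.lower().translate(LEET))
    deny = COMMON_WORDS | {w.lower() for w in personal_words if w}
    if letters in deny or any(w in letters for w in deny if len(w) >= 4):
        reasons.append("based on a dictionary word or name")

    return reasons


if __name__ == "__main__":
    for candidate in ("07041985", "Fluffy2019!", "correct-Horse-battery-9staple"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Two design points: the date check runs on the digits only, so "7/4/1985" and "07041985" are treated alike, and the dictionary check strips digits and symbols after undoing leet substitutions, so appending a year or swapping in "1" for "i" does not rescue a pet's name.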

The bottom line: secure your credit union's network and data when employees are working from home or on the road. Implement the above suggestions, and the chances of remote workers' files being compromised will indeed be remote.

Pierluigi Stella is chief technology officer at Network Box USA in Houston, Texas.
