Are users the weakest link in the security chain?

IT departments often write users off as being of low importance, but they actually have a primary role to play in corporate security. Experts agree that overall security is only really equal to the security of its weakest link – and when it comes to corporate security, that link is the user.

So what actually are the risks this introduces to the company? What user factors should the company take into account when designing solutions? These questions are too often swept aside, to detrimental effect. Users are a key link in any company. From their position at the heart of an information system, users handle company data, connect to company applications, interact with company hardware, and make use of the company network.

Even so, it is extremely difficult to paint a “one-size-fits-all” portrait of a typical user to help manage user-based security risk. Whether office-based or on the road, use of computer tools is varied. The hardware sector is experiencing strong growth (laptop sales are still growing by 13% per year and over 50% of computers sold today are laptops). Every new device arrives with its share of new features. An IT manager needs to manage multiple levels of security, not just one. The current economic situation presents companies with a huge challenge: to grow their businesses and improve their customer relations in a secure way, while also maintaining strict control over costs. For the IT department this means assisting users in their use of the information system, while still maintaining control over resources and hardware.

The sweet spot is difficult to find. It’s a short step from a position which is very permissive (eg, users having full rights to their workstation) but not very effective (87 per cent of incidents could be avoided with reasonable controls) to a position which is very restrictive, and far less effective. Mobility is also a key need today. Everybody should be mobile and everybody should be permanently connected, but an important question arises: how do you connect to, and access, the enterprise’s resources without compromising the information system?

Many solutions are designed to address the first point: EDGE, 3G, 3G+, 4G solutions, and so on. These are based on network operator offerings and afford the greatest geographic coverage. Although monitoring of these communication channels is not impossible, options are rather sparse.

Wi-Fi access points generally offer a low level of security, and there is very little security around the edges of operators’ public hotspots.

Personal connections involve Internet access at the employee’s home, often via ADSL, and now even via fibre. Here, the security level is variable and can go from effectively open (WEP, whose weak encryption can be broken in less than five minutes) to WPA, which offers much stronger encryption (if the shared key is sufficiently complex). WPA is increasingly being offered as standard by operators at their access points.

This variable security level means that enterprises need to strengthen their access method. To achieve this, two major solutions for accessing internal corporate networks are available:

  • standard telephony service, giving the user direct access to their company LAN
  • access via a virtual private network (VPN).

The first solution is offered by all operators that provide access through protocols such as GSM, EDGE and 3G. Once the user has connected to the operator’s network, the operator redirects the connection to the company’s network through a gateway (eg, MPLS). This service is simple, placing no restrictions on corporate IT departments, and it is fairly secure (given the restricted monitoring that can be carried out). However, its throughput is also low.

The VPN (virtual private network) solution has now been in place for a number of years and supports all types of connections (eg, telephone, ADSL, fibre, hotspot). The idea is to recreate a private network over a public network.

Many companies are now choosing SSL technology, which has the following advantages:

  • simpler to use (connect directly via a web portal)
  • no client to install (at most a “thin” client, such as a Java applet or ActiveX control, is downloaded from the portal), so no maintenance required
  • nearly all the enterprise’s applications work through VPN-SSL tunnels.

On the other hand, providing access via a portal (through the Internet) to the internal corporate information system is not without risk. Anyone in the world can access the home page (including indexing spiders, vulnerability scanners, etc). The IT department must provide stronger user authentication in order to be able to maintain control over access to company information. Protecting the enterprise from computer threats and operational and financial risks means relating to the users and the data they handle. The issue, in short, is to cover all domains to ensure the most effective security. In other words, this means prevention, protection and control of network connections, peripheral devices, data and applications.
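As an added illustration of the point above (example code, not from the original article), here is a small Python triage over constructed access-log lines from an Internet-facing portal: it flags the crawlers and scanners that reach the public login page, counts failed logins per source address so that password-guessing stands out, and reports which successful logins relied on a password alone rather than a second factor. The log format, the `auth=` field, the thresholds and the user-agent patterns are assumptions chosen for the example.

```python
"""Triage of access-log lines from an Internet-facing VPN/SSL portal.

Added example, not from the original article. The log format (constructed,
combined-log style plus an "auth=" field written by the portal) and the
thresholds are assumptions chosen for illustration.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (not real traffic). Format per line:
# <ip> - <user> [<timestamp>] "<method> <path> HTTP/1.1" <status> auth=<result> "<user-agent>"
# auth=none  : page served without a login attempt
# auth=fail  : login attempt rejected
# auth=password : login accepted on password alone (assumed field value)
# auth=mfa   : login accepted with a second factor (assumed field value)
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2024:08:00:01 +0000] "GET / HTTP/1.1" 200 auth=none "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.20 - - [10/Mar/2024:08:00:05 +0000] "GET /login HTTP/1.1" 200 auth=none "Nikto/2.1.6"
198.51.100.7 - alice [10/Mar/2024:08:01:00 +0000] "POST /login HTTP/1.1" 401 auth=fail "Mozilla/5.0"
198.51.100.7 - alice [10/Mar/2024:08:01:02 +0000] "POST /login HTTP/1.1" 401 auth=fail "Mozilla/5.0"
198.51.100.7 - alice [10/Mar/2024:08:01:04 +0000] "POST /login HTTP/1.1" 401 auth=fail "Mozilla/5.0"
198.51.100.7 - alice [10/Mar/2024:08:01:06 +0000] "POST /login HTTP/1.1" 401 auth=fail "Mozilla/5.0"
198.51.100.7 - alice [10/Mar/2024:08:01:08 +0000] "POST /login HTTP/1.1" 401 auth=fail "Mozilla/5.0"
198.51.100.7 - alice [10/Mar/2024:08:01:10 +0000] "POST /login HTTP/1.1" 200 auth=password "Mozilla/5.0"
192.0.2.33 - bob [10/Mar/2024:08:02:00 +0000] "POST /login HTTP/1.1" 200 auth=mfa "Mozilla/5.0"
192.0.2.44 - carol [10/Mar/2024:08:03:00 +0000] "POST /login HTTP/1.1" 401 auth=fail "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
    r'auth=(?P<auth>\w+) "(?P<ua>[^"]*)"$'
)

# Substrings that identify indexing spiders and common vulnerability scanners
# by their self-declared user agent (assumed list; real clients may lie).
SCANNER_UA_PATTERNS = ("bot", "spider", "crawler", "nikto", "nmap", "sqlmap")


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Parse one log line into a dict, or return None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # skip rather than abort the whole triage on one bad line
    rec: Dict[str, object] = m.groupdict()
    rec["status"] = int(m.group("status"))
    return rec


def is_automated_client(user_agent: str) -> bool:
    """True when the user agent looks like a spider or scanner."""
    ua = user_agent.lower()
    return any(p in ua for p in SCANNER_UA_PATTERNS)


def triage(log_text: str, fail_threshold: int = 5) -> Dict[str, object]:
    """Summarise who reached the portal and how logins were authenticated."""
    automated = set()
    failures: Dict[str, int] = defaultdict(int)
    password_only: List[Tuple[str, str]] = []
    mfa: List[Tuple[str, str]] = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if is_automated_client(str(rec["ua"])):
            automated.add(str(rec["ip"]))
        if rec["auth"] == "fail":
            failures[str(rec["ip"])] += 1
        elif rec["auth"] == "password":
            password_only.append((str(rec["ip"]), str(rec["user"])))
        elif rec["auth"] == "mfa":
            mfa.append((str(rec["ip"]), str(rec["user"])))
    return {
        "automated_clients": sorted(automated),
        # sources whose failed-login count reached the threshold
        "brute_force": {ip: n for ip, n in failures.items() if n >= fail_threshold},
        # successful logins that the portal accepted without a second factor
        "password_only_logins": password_only,
        "mfa_logins": mfa,
    }


def triage_sample() -> Dict[str, object]:
    """Run the triage over the constructed sample above."""
    return triage(SAMPLE_LOG)


if __name__ == "__main__":
    for key, value in triage_sample().items():
        print(f"{key}: {value}")
```

On the sample, the report shows two automated clients on the public page, one source address that reached five failed logins and then got in on a password alone, and a single login protected by a second factor; the password-only entry is the one a portal policy requiring stronger authentication would have refused.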

Given that total security is an impossible goal, the issue for every enterprise is to find the overall approach that will allow it to achieve the best security suiting its own requirements. The challenges, issues and risks created by security are such that it ultimately makes sense to seek help from professionals. It is possible to have a basic understanding of how a car works without claiming to be a mechanic, and the same goes for computer security. The growing number of threats, driven by the growing number of software products used in an organisation, makes on-going technological monitoring and maintenance of the required expertise in-house impractical.

The benefits of outsourced solutions are not limited to auditing or consultancy generally. There are many competent security specialists offering rich solutions that provide overall approaches to security for users and their workstations. This trend is, for once, ahead of demand from clients needing to work within budgetary constraints (as well as ecological imperatives and the exploding rate of attacks).

Too often, overtaken by events which are rarely of a technical nature, IT decision makers must seek out appropriate solutions suited for survival in this environment. For this reason, the outsourcing of some (or all) of a company’s user security, in exchange for the delivery of a well-defined service, is now being considered with renewed interest. Of course, there is no silver bullet to eradicate all risks and threats – a multi-layered approach is still necessary.

Original Publication on CSO