SmartAdvice: Measuring Business Value Of IT Investments - InformationWeek
12:11 PM

SmartAdvice: Measuring Business Value Of IT Investments

It's hard to quantify the return on IT investments, but it's in IT's best interests to help in the documentation effort, The Advisory Council says. Also, control VPN access from home computers to improve security, and look at what you want from your system before deciding whether to delay server upgrades.

Question B: A growing proportion of our workforce is telecommuting, leading to increased use of our VPN from computers in employees' homes. What security measures should we be taking?

Our advice: The natural inclination when implementing a virtual private network is to focus on the security of the encrypted VPN connections themselves--what protocols to use (Internet Protocol security, Point-to-Point Tunneling Protocol, Layer Two Tunneling Protocol, proprietary); whether to use a firewall-based VPN versus VPN services on a general-purpose operating system; how to authenticate users, etc.

While it's necessary to consider all these issues, it's easy to overlook the most serious potential security exposure associated with VPNs--the remote-client systems.

There's a subtle danger from the use of a VPN, particularly from home computers owned by employees. In addition to using firewalls to isolate the company network from the Internet, companies often take great care to "lock down" the software configuration on office computers, to prevent the inadvertent installation of "malware" (malicious software) that could compromise their networks. Once a home computer has a VPN connection to the office network, however, any malware present on the home computer has access to the company network. As home WLANs on broadband connections become more common, the risk of malware spreading from another home PC (perhaps with quasi-legal peer-to-peer file sharing) to the employee's PC and then to the office network will increase.

Employees' home PCs with VPN access therefore require the same kinds of defense-in-depth that should be applied to office networks--up-to-date operating system and application patches, software firewalls, antivirus software, least privilege, strong passwords, etc., to enforce this discipline. To reduce this exposure, VPN access should be permitted only from computers that are under the control of the company's IT staff. If VPN access from home computers is permitted, there should be strict policies regarding the software configuration and other uses (e.g., by other family members) of the home computer.

-- Peter Schay
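
One way to enforce the client requirements listed above at connection time, as an added example that is not part of the original column: a posture gate that refuses unmanaged machines by default and, when home PCs are permitted, checks patches, firewall, antivirus and least privilege before granting access. The `Posture` report format, the "quarantine" outcome and the age thresholds are assumptions made for this sketch; password strength is not covered because it cannot be read from a client report.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Thresholds are assumptions for this example, not values from the article.
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 7

@dataclass
class Posture:
    """Hypothetical posture report a client sends before the tunnel is opened."""
    host: str
    company_managed: bool           # under the control of the company's IT staff
    last_patch: date                # most recent OS/application patch run
    firewall_enabled: bool          # software firewall active
    av_signatures: Optional[date]   # antivirus signature date, None if no AV installed
    user_is_admin: bool             # least privilege: daily account should not be admin

def failed_checks(p: Posture, today: date) -> list:
    """Return the names of the defense-in-depth checks this client fails."""
    failures = []
    if (today - p.last_patch).days > MAX_PATCH_AGE_DAYS:
        failures.append("patches")
    if not p.firewall_enabled:
        failures.append("firewall")
    if p.av_signatures is None or (today - p.av_signatures).days > MAX_AV_SIGNATURE_AGE_DAYS:
        failures.append("antivirus")
    if p.user_is_admin:
        failures.append("least_privilege")
    return failures

def vpn_decision(p: Posture, today: date, allow_home_pcs: bool = False):
    """Return ('allow' | 'quarantine' | 'deny', reasons)."""
    if not p.company_managed and not allow_home_pcs:
        return "deny", ["unmanaged_device"]   # default policy: IT-managed machines only
    failures = failed_checks(p, today)
    # A failing client is kept off the office network until it is remediated.
    return ("quarantine" if failures else "allow"), failures

# Constructed sample reports (hosts and dates are made up for the example).
TODAY = date(2024, 6, 1)
SAMPLES = [
    Posture("corp-laptop-01", True, date(2024, 5, 20), True, date(2024, 5, 30), False),
    Posture("home-pc-smith", False, date(2024, 1, 3), False, None, True),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.host, vpn_decision(s, TODAY), vpn_decision(s, TODAY, allow_home_pcs=True))
```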
