
SmartAdvice: Measuring Business Value Of IT Investments

It's hard to quantify the return on IT investments, but it's in IT's best interests to help in the documentation effort, The Advisory Council says. Also, control VPN access from home computers to improve security, and look at what you want from your system before deciding whether to delay server upgrades.

Question B: A growing proportion of our workforce is telecommuting, leading to increased use of our VPN from computers in employees' homes. What security measures should we be taking?

Our advice: The natural inclination when implementing a virtual private network is to focus on the security of the encrypted VPN connections themselves--what protocols to use (Internet Protocol security, Point-to-Point Tunneling Protocol, Layer Two Tunneling Protocol, proprietary); whether to use a firewall-based VPN versus VPN services on a general-purpose operating system; how to authenticate users, etc.

While it's necessary to consider all these issues, it's easy to overlook the most serious potential security exposure associated with VPNs--the remote-client systems.


There's a subtle danger in the use of a VPN, particularly from home computers owned by employees. In addition to using firewalls to isolate the company network from the Internet, companies often take great care to "lock down" the software configuration on office computers, to prevent the inadvertent installation of "malware" (malicious software) that could compromise their networks. Once a home computer has a VPN connection to the office network, however, any malware present on the home computer has access to the company network. As home WLANs on broadband connections become more common, the risk of malware spreading from another home PC (perhaps one used for quasi-legal peer-to-peer file sharing) to the employee's PC and then to the office network will increase.

Employees' home PCs with VPN access therefore require the same kinds of defense-in-depth that should be applied to office networks--up-to-date operating system and application patches, software firewalls, antivirus software, least privilege, strong passwords, etc. To enforce this discipline and reduce this exposure, VPN access should be permitted only from computers that are under the control of the company's IT staff. If VPN access from home computers is permitted, there should be strict policies regarding the software configuration and other uses (e.g., by other family members) of the home computer.

-- Peter Schay
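
One way to turn the advice above into an admission check that runs before a VPN tunnel is opened. This is an added example, not code from the article or from any VPN product; the posture report fields, the thresholds, the device inventory and the "quarantine" outcome are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed thresholds and inventory (constructed for illustration).
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 7
MANAGED_DEVICES = {"LT-0042", "LT-0077"}  # devices under IT control


@dataclass
class Posture:
    """Hypothetical posture report sent by the client before the tunnel opens."""
    device_id: str
    last_patch: date                # last OS/application patch run
    firewall_enabled: bool
    av_signatures: Optional[date]   # None = no antivirus installed
    user_is_admin: bool             # least-privilege check
    shared_with_others: bool        # e.g. used by other family members


def evaluate(p: Posture, today: date, allow_home_devices: bool = False):
    """Return (decision, reasons); decision is allow, quarantine or deny."""
    managed = p.device_id in MANAGED_DEVICES
    if not managed and not allow_home_devices:
        return "deny", ["device is not managed by IT"]

    reasons = []
    if (today - p.last_patch).days > MAX_PATCH_AGE_DAYS:
        reasons.append("patches out of date")
    if not p.firewall_enabled:
        reasons.append("software firewall disabled")
    if p.av_signatures is None:
        reasons.append("no antivirus installed")
    elif (today - p.av_signatures).days > MAX_AV_SIGNATURE_AGE_DAYS:
        reasons.append("antivirus signatures stale")
    if p.user_is_admin:
        reasons.append("user has administrator rights")
    if not managed and p.shared_with_others:
        reasons.append("home PC shared with other users")

    if not reasons:
        return "allow", []
    # Assumption: IT can remediate a managed device from a restricted
    # segment; a failing home PC is refused outright.
    return ("quarantine" if managed else "deny"), reasons
```

The returned reasons are worth logging with each VPN session, so a later incident review can tell which control a connecting machine was missing.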
