SmartAdvice: Measuring Business Value Of IT Investments
It's hard to quantify the return on IT investments, but it's in IT's best interests to help in the documentation effort, The Advisory Council says. Also, control VPN access from home computers to improve security, and look at what you want from your system before deciding whether to delay server upgrades.
Question B: A growing proportion of our workforce is telecommuting, leading to increased use of our VPN from computers in employees' homes. What security measures should we be taking?
Our advice: The natural inclination when implementing a virtual private network is to focus on the security of the encrypted VPN connections themselves--what protocols to use (Internet Protocol security, Point-to-Point Tunneling Protocol, Layer Two Tunneling Protocol, proprietary); whether to use a firewall-based VPN versus VPN services on a general-purpose operating system; how to authenticate users, etc.
While it's necessary to consider all these issues, it's easy to overlook the most serious potential security exposure associated with VPNs--the remote-client systems.
There's a subtle danger from the use of a VPN, particularly from home computers owned by employees. In addition to using firewalls to isolate the company network from the Internet, companies often take great care to "lock down" the software configuration on office computers, to prevent the inadvertent installation of "malware" (malicious software) that could compromise their networks. Once a home computer has a VPN connection to the office network, however, any malware present on the home computer has access to the company network. As home WLANS on broadband connections become more common, the risk will increase of malware spreading from another home PC (perhaps with quasi-legal peer-to-peer file sharing) to the employee's PC and then to the office network.
Employees' home PCs with VPN access therefore require the same kinds of defense-in-depth that should be applied to office networks--up-to-date operating system and application patches, software firewalls, antivirus software, least privilege, strong passwords, etc., to enforce this discipline. To reduce this exposure, VPN access should only be permitted from computers that are under the control of the company's IT staff. If VPN access from home computers is permitted, there should be strict policies regarding the software configuration and other uses (e.g., by other family members) of the home computer.
Building A Mobile Business MindsetAmong 688 respondents, 46% have deployed mobile apps, with an additional 24% planning to in the next year. Soon all apps will look like mobile apps – and it's past time for those with no plans to get cracking.
Join us for a roundup of the top stories on InformationWeek.com for the week of December 14, 2014. Be here for the show and for the incredible Friday Afternoon Conversation that runs beside the program.