Security Basics mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Employee remote Access and Security

From: Todd Haverkos <infosec () haverkos com>
Date: Mon, 13 Sep 2010 11:46:51 -0500
S0h0us () yahoo com writes:


So we have a policy in place to allow our employees to work from home. A corporate VPN is in place, multifactor 
authentication, endpoint security deployed, (you name it) remote access limited to employees with business need (IT 
staff, etc), we have developed policies for accessing resources over this vpn and guidelines for best security 
practices (acceptable use and sanction policies). We monitor VPN usage (login/logoffs, etc). Our company deals with 
sensitive customer information. With all that a level of risk still exists. Most people's concerns are that 
confidential information is being accessed from locations outside the physical control of the company (a nature of 
this technology) so  this information could be exposed to unauthorized individuals. I'll get "how do we know that Joe 
isn't showing all this information to his friends when he's home"..yeah, I know...
So I was wondering what other controls were being used by you to allow remote access while maintaining appropriate 
security controls...Suggestions have been made regarding creating a profile for VPN users that limits their access to 
confidential data but that would defeat the purpose of the work from home effort...
Thanks for your feedback...



The class of products you seek are "data loss prevention" technologies,
often abbreviated DLP.  If you seaerch for DLP and you'll get lots of
offerings from the usual suspects like Symantec/MCafee as well as many
many others.  "DLP vendors" as a search term will lead you to roundups
like this
       http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1371529,00.html

DLP solutions endeavor to have a description of data you care about
losing (patterns of credit card numbers, for example, social security
numbers, personal data--this would be customized for your company
depending on what data your company cares about), and then look for that
data in motion on the network or at rest on a workstation or disk, and
then log/alert when that info is accessed.

There's a free open source DLP solution to be aware of as well...it's
quite new:
           http://code.google.com/p/opendlp/
           http://seclists.org/fulldisclosure/2010/Aug/362


--
Todd Haverkos, LPT MsCompE
http://haverkos.com/

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: