Mobile Computing- More Securely

Publication:

Orange County Lawyer Magazine

Date:

June 2007

Author:

Jeff Lenning

Overview
There is a strong possibility that you already have access to your corporate network while out of the office, or that you would like to. If you already have remote access, is it secure, especially given the confidential information stored on your corporate network? This article discusses one security-enhanced approach to mobile computing.
Mobile Computing
Just as email has become both essential to daily life and increasingly portable with handheld devices such as BlackBerry phones, so has access to your network information. Having access to your corporate information anytime from anywhere is becoming increasingly critical. Gaining access to the information on your corporate network is no longer a luxury reserved only for the largest firms; it is affordable and secure enough for the smallest of firms.

There is a strong chance that you already have access to your network from remote locations. However, given the sensitive nature of the information stored on your corporate network, you can’t risk security breaches. And, unless your remote access was set up properly, there is a risk that unauthorized people have access to your data. In fact, if you can gain access to your corporate network simply by entering a username and password, then you are at risk. Your possession of key knowledge (username/password) allows you to gain access to your network. Hackers attempt to gain that same knowledge by guessing your username/password pair or by using brute-force password hacking tools.

Therefore, we strongly recommend using at least two-factor authentication. Authentication simply means verifying your identity before your access is authorized. Two-factor means two security steps, instead of just one (username/password). Generally, there are three types of authentication methods available:

  • What you know (username/password)
  • What you possess (a physical device)
  • Who you are (biometrics, fingerprints)

Two-factor authentication therefore means using two of the three methods above. Historically, multi-factor authentication was very expensive and difficult to set up, and therefore only used by the largest firms and the likes of the CIA or FBI. Today, all of that has changed and the prices and technology are here for the masses.

Let’s walk through an example. Here is how remote workers gain access to our network from remote locations:
(1) Open a web browser from any internet connected computer.
(2) Enter the username and password (First Factor: Knowledge).
(3) The system instantly sends an email or text message to the user’s cell phone with a one-time-password (Second Factor: Possession of a Device).
(4) The user enters the one-time-password from the cell phone and the system grants access.
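
On the server side, the four steps above amount to a two-stage check. The sketch below is an added illustration, not code from this article or from any product it mentions; the function names, the five-minute code lifetime, the three-attempt limit and the demo account are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed validity window for an issued code
MAX_OTP_ATTEMPTS = 3    # assumed number of guesses allowed per issued code

# Constructed demo account; a real system keeps per-user salted hashes in its directory.
_SALT = b"constructed-demo-salt"
USERS = {"jsmith": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}
PENDING = {}  # username -> {"digest", "expires", "attempts"}


def start_login(username, password, send, now=None):
    """Factor one: check the password, then issue a one-time password via send()."""
    now = time.time() if now is None else now
    stored = USERS.get(username, b"\x00" * 32)  # dummy value for unknown users
    supplied = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if not hmac.compare_digest(stored, supplied):
        return False
    otp = f"{secrets.randbelow(10**6):06d}"  # six digits from the OS CSPRNG
    PENDING[username] = {
        "digest": hashlib.sha256(otp.encode()).digest(),  # never store the code itself
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }
    send(username, otp)  # out-of-band delivery to the user's phone (email or text)
    return True


def finish_login(username, otp, now=None):
    """Factor two: accept the code once, before expiry, within the attempt limit."""
    now = time.time() if now is None else now
    entry = PENDING.get(username)
    if entry is None:
        return False
    entry["attempts"] += 1
    if now > entry["expires"] or entry["attempts"] > MAX_OTP_ATTEMPTS:
        del PENDING[username]  # expired or too many guesses: force a fresh login
        return False
    if hmac.compare_digest(entry["digest"], hashlib.sha256(otp.encode()).digest()):
        del PENDING[username]  # single use: a replayed code is rejected
        return True
    return False
```

The expiry, the single-use deletion and the attempt limit are what keep a six-digit code from being guessed or replayed; without them the second factor adds little over the password.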

Screen shots have been provided for reference below.

Step 1: Go to the company website from any internet-enabled computer, as shown in Figure 1.

Figure 1

Step 2: Enter the username/password, as shown in Figure 2.

Figure 2

Step 3: Enter the One-Time-Password that was just emailed to the cell phone, as shown in Figure 3.

Figure 3

Step 4: Begin using network resources, as shown in Figure 4.

Figure 4

As you can see, Two-Factor authentication is far more secure than username/password combinations alone. Even if a hacker were able to guess or brute-force the username/password, access is denied without physical possession of the cell phone device.

Details
There are many brands and options for selecting a Two-Factor authentication system. The one we use for our clients, and the one we recommend, is the SonicWALL SSL-VPN with One-Time-Passwords. We like this product for many reasons, including:

  • It is cost-effective, starting at around $600
  • It uses existing devices like cell phones
  • It provides an easy and friendly web-interface for users
  • It requires no up-front software install on the remote computers, making it fast and easy to deploy
  • Each remote worker can have their own custom interface, with bookmark links to specific network resources

Anytime you open your network for remote access, security is paramount. Thus we recommend having these devices installed by properly trained network administrators.

Well, enjoy the freedom of mobile computing with the peace of mind that comes with two-factor authentication.

Jeff Lenning CPA CITP is available for additional questions/comments at jeff@clickconsulting.com. His Seal Beach based firm, Click Consulting, Inc., provides network support and web application development. For more info, visit www.clickconsulting.com.

This article was written by Jeff Lenning