Monday, 25 April 2011 13:44

Secure Authentication

In most businesses, when you sit down at a computer to access information, you are required to log in. The reason for not letting just anyone log in is obvious: the information you will be accessing has value.

On-line access to information has become so ubiquitous that, except for those who have been a victim of identity theft, most people don’t even think twice about the value of the information they are accessing. In the case of an on-line bank account, the value is easy to determine. But in the case of most businesses it is much more difficult.

Almost every business requires its employees to use a login name and password to access its data. Within the confines of an office, most businesses feel that this is sufficient, and it probably is. There are really two risks here: an insider could steal your information, or an outsider could gain access to it. The former is far more likely than the latter: figures vary by source, but I think a number around 70% is probably about right. Secure authentication cannot prevent insider theft.

But that still leaves 30% of the cases where an outsider accesses your systems, and in these cases implementing secure authentication can stop them cold. What do I mean by secure? I am really referring to multi-factor authentication. There are three types of factors:

  • Something you know (like a username/password credential);
  • Something you have (like a token, or a smart card, or a swipe card);
  • Something you are (like your fingerprint or retinal pattern).

With multi-factor authentication, you combine your user credentials with a secondary factor: this helps to ensure that the person who is actually logging in is in fact who they are supposed to be and not someone else.

In my judgment, it is too easy to have your username and password stolen, guessed, or hacked. Adding a second layer of authentication for users who log in from outside the physical confines of your office makes sense to me. A very easy, inexpensive way to do that is a callback/SMS token sent to your users’ cell phones when they try to log in through an SSL-VPN appliance. That combines something you know (your credentials) with something you have (your cell phone) to help ensure that the right person is logging in.
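As an added illustration (not code from the original post or any appliance vendor), the following Python sketches the two-step login the paragraph describes: a password check as the "something you know" factor, then a single-use numeric code delivered out of band as the "something you have" factor. The user record, salt, phone number and the `send_sms` callback standing in for the SMS gateway are all constructed for the example.

```python
import hashlib
import hmac
import secrets

CODE_TTL_SECONDS = 300   # a one-time code is valid for five minutes
MAX_ATTEMPTS = 3         # discard the pending code after three wrong guesses


def _hash_pw(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 hash for the first factor (the password)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed sample user store (not real credentials).
_SALT = b"constructed-demo-salt"
USERS = {
    "alice": {"salt": _SALT, "pw_hash": _hash_pw("correct horse", _SALT),
              "phone": "+1-555-0100"},
}


class TwoFactorLogin:
    """Two-step login: password check, then a single-use SMS-style code."""

    def __init__(self, send_sms):
        self.send_sms = send_sms   # callable(phone, code); stands in for the SMS gateway
        self.pending = {}          # user -> (code, expires_at, attempts_left)

    def check_password(self, user: str, password: str) -> bool:
        rec = USERS.get(user)
        if rec is None:
            return False
        return hmac.compare_digest(_hash_pw(password, rec["salt"]), rec["pw_hash"])

    def start_login(self, user: str, password: str, now: float) -> bool:
        """First factor. On success, issue a fresh code and send it out of band."""
        if not self.check_password(user, password):
            return False
        code = f"{secrets.randbelow(10**6):06d}"   # six random digits
        self.pending[user] = (code, now + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        self.send_sms(USERS[user]["phone"], code)
        return True

    def finish_login(self, user: str, code: str, now: float) -> bool:
        """Second factor: code must match, be unexpired, and is consumed on use."""
        entry = self.pending.get(user)
        if entry is None:
            return False
        expected, expires_at, attempts_left = entry
        if now > expires_at or attempts_left <= 0:
            self.pending.pop(user, None)          # stale or exhausted: start over
            return False
        if not hmac.compare_digest(code.encode(), expected.encode()):
            self.pending[user] = (expected, expires_at, attempts_left - 1)
            return False
        del self.pending[user]                    # single use: a replayed code fails
        return True
```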

And if the information that your network contains has high value, I suggest you consider implementing the same type of solution inside your network as well.

Published in User Productivity
Monday, 18 April 2011 12:26

Secure Remote Access – Solutions

Following up on last week’s post defining what Secure Remote Access is and why it is needed, we wanted to provide some solutions for small business. One disclaimer: there are numerous products on the market; the ones mentioned here are the ones we have the most experience with, because they work well for our small business customers.

IPSec VPN – The advantages are that it is cheap and built in to most firewalls. The disadvantages are that it brings new complexities due to Network Address Translation (NAT) and it typically “opens” the entire network to the client machine. It may not support secondary authentication factors (which we’ll discuss in an upcoming post), and, most importantly, it can create administrative headaches since it typically requires resident software.

SSL VPN – This solution is simpler to deploy than IPSec and allows for more granular control. The main disadvantage is that certificate encryption may be easier to break than IPSec encryption. There are two methods of access using SSL:

  • Network Tunnel, which has the same security risk as IPSec in that it allows the remote device full access to the network
  • Proxy based, where the security appliance controls access based on policy


Appliance-based SSL-VPN – The three solutions we typically recommend to small business are:

  • Sonicwall Firewalls – these support a limited number of users because of heavy processing requirements. They currently only support Network Tunnel mode.
  • Sonicwall SRA Appliances – these are purpose-built appliances appropriate for most small businesses. They are true portal-based appliances and they support two-factor authentication.
  • Aventail and Citrix Access Gateway – these are high-end devices with significant granular control and End-Point Analysis (EPA). They provide better support for VoIP and other latency- and jitter-sensitive applications and are great for organizations with large Citrix deployments. With all of this functionality comes a much larger price tag. One way to mitigate this cost is the ability to purchase a “spike” license that allows an organization to dramatically and temporarily increase the number of people accessing systems remotely (say there is a large snowstorm and people are working from home…I know, it’s a situation that is hard to imagine.)


Software-based solutions

  • Citrix – The most robust platform for secure remote access; it scales extremely well. The software solution is really application access instead of remote access. It supports all platforms, including iPad and mobile devices, and includes security to prevent screen scraping and file transfers.
  • PCAnywhere – One of the first tools on the market for remote access. It does require a “hole” in the firewall.
  • Managed Services Monitoring Tools – these are what companies like ours use to remotely “take over” a user’s machine to diagnose problems and troubleshoot, but we often configure them to allow users to access their PCs remotely as well. That’s just an added benefit of workstation management with us.
  • GoToMyPC, Bomgar, et al. – These can be used by individuals and support organizations. Some require a hole, others are proxy based.
  • RDP and Apple Remote Desktop – The least secure but (strangely enough) the most prevalent solution.


Let us know what your experience has been with these solutions in the comments!

Published in Technology Corner
Wednesday, 13 April 2011 08:48

Riding for Wounded Warriors

Please allow a break in our “regularly scheduled programming” for this very personal post.

For those of you who don’t know, I am recuperating from two separate hip surgeries in the last four months. I am doing quite well, thank you…I have just been given approval to ride my bike again. But I recently learned that this simple exercise cannot be taken for granted by so many people. As a result, I have committed to ride in Wounded Warrior Project’s (WWP) Soldier Ride Washington, D.C., scheduled for May 7th in Annapolis. It is my personal goal to raise funds to support our wounded servicemen and women of our nation’s armed forces. Please help me reach this goal: sponsor me by visiting my ride website.

Funds raised support the programs and services of WWP, a nonprofit organization whose mission is to honor and empower wounded warriors. Thousands of wounded warriors and caregivers receive support each year through WWP programs designed to nurture the mind and body, and encourage economic empowerment. WWP is dedicated to fostering the most successful well-adjusted generation of wounded warriors in our nation’s history.

If you prefer to send a check, please make it payable to Wounded Warrior Project, and mail the check to: Wounded Warrior Project, 7020 AC Skinner Parkway, Suite 100, Jacksonville, FL 32256. Important note: please indicate on the memo portion of the check the donation is for Soldier Ride, the city where the ride takes place, and my name (Soldier Ride Annapolis, Jeff Greenspan).

Together, I know we can make a difference in the life of a wounded service member.

Again, thank you for your support.

Monday, 11 April 2011 12:52

Secure Remote Access – Some Definitions

Last week we hosted a Lunch and Learn on how small businesses can achieve secure remote access for their employees. For those who could not make it, we’ll be summarizing the information presented in a series of posts here.

First, a little stage setting. Remote access is no longer a nice-to-have; it’s a need-to-have. With more telecommuting and after-hours work being done at home, employees need to be able to access information on office computers and servers from anywhere. Next, we need to define what secure really means. Secure access is standards-based, encrypted, and ideally includes multiple layers of authentication (more on each of these criteria in future posts).

With these definitions in mind, there are four main options for secure remote access:

- IPSec VPN
- Firewall-based SSL VPN
- Appliance-based SSL-VPN
- Software-based point solutions

We’ll go into the details of the pros and cons of each of these in upcoming posts. For today, we’ll simply look at the differences between IPSec and SSL.

IPSec is a standards-based protocol for securing internet communications. The methods provided by IPSec are extraordinarily secure, but they can be problematic for small firms to implement. In my judgment, the worst problem is that IPSec requires that software be installed on every endpoint computer that needs access to the network, a logistical challenge. Some of today’s newer devices, like iPads, may not support this software. Another problem is that IPSec solutions generally provide full access to the network, which can be a significant security risk. Who knows where that road-warrior’s computer has been?

SSL is much easier to deploy. These solutions also have better granular policy control, allowing administrators to limit individual users’ access to particular files, applications, etc. However, SSL is not as secure as some of the encryption methods available under IPSec.

Stay tuned next week for a discussion of specific product solutions in each of these categories.

Published in Remote Access
Monday, 04 April 2011 08:20

Lunch is on us!

Join us Wednesday, April 6 at 12:00 pm at our Annandale office for a Lunch and Learn about Secure Remote Access. Looking to increase remote access for employees to work from home or on the road? Concerned about maintaining the same level of security you have in the office? Join us as we discuss five different ways that your users can securely access their applications remotely. Lunch will be provided. RSVP to Jim Pirisino, 703-752-3500.

If you are a small business and your IT provider hasn’t approached you about providing “Managed Services,” just wait five minutes. They will!

Managed Services have been around for a while and have finally reached widespread acceptance in the SMB space. In a typical scenario, your IT provider will load an “agent” on your servers and/or workstations and charge you a fixed amount per month to keep those devices up and running. There are myriad variations on this theme, with some providers including on-site support and services as well. The main benefit of managed services should be enhanced reliability of your IT infrastructure, resulting in enhanced productivity for you.

The key benefits of managed services are also obvious for IT providers. By utilizing automated tools, we should be able to enhance productivity too! The reality, it turns out, is far more complicated. While managed services tools do automate many tasks, they also raise many “alarms” about problems that occur on your equipment. Most of the smaller IT service providers are not appropriately structured to deal with this onslaught. As a result, many small items that could enhance your IT productivity are in fact simply ignored. We have had to add additional staff to monitor and remediate problems that in the past might have been ignored until they became fires.

Managed services create another unexpected problem for SMBs. In the “good old days” of break-fix, your IT provider came on-site every time something went wrong. It is truly a huge benefit for both IT providers and SMBs that most work can today be done remotely: after all, who enjoys sitting in traffic? Remote support for simple issues should be nearly instantaneous. Nonetheless, even though most SMB owners and managers are far more technically savvy than in the good old days, I suggest that face-to-face relationship time is seriously important. It is during these on-site visits that IT providers can serve their most important role: business consultant. If we are to truly serve our clients, we must build time into our managed service process to act as our clients’ CIO.

I stated in the previous paragraph that “remote support…should be nearly instantaneous.” Running a managed services practice is significantly different from running a break-fix operation. In the latter practice, the provider makes money only when staff is deployed to clients. With managed services, I strongly believe that your provider should maintain the capacity to support inbound calls for help in a timely fashion.

One final thought: providing managed services is not a set-it-and-forget-it process. Managed services tools are powerful and complex, as are the systems that they manage. As much as we would like to, we cannot completely eliminate downtime for all clients. What we can and must do, though, is learn from our mistakes. You should expect from your managed services provider some process for self-improvement.
