Network professionals should prepare for the era of VPN, which may be coming as security lapses prompt tighter legislation on companies to protect sensitive data.
More laptops, desktops and even mobile phones will need to support tough security standards as the demand to mobilize data -- giving a sales force CRM access on the iPhone, for example -- competes with the need to do so safely and compliantly.
The Massachusetts legislature has passed a bill that imposes tight restrictions on how data is encrypted. Organizations that do business in Massachusetts will have to comply with the law by next January.
The legislation was spurred in part by high-profile data leaks like TJX, in which more than 45 million customers had their data compromised. Nevada has passed a similar law, and California recently tightened its public disclosure rules for such data breaches.
"I'm not sure if there is a common driver [currently] for use of VPNs for corporations, but what is going to drive that is state or government mandate," said Chris Hazelton, an analyst with the 451 Group. He said identity theft and consumer data protection were becoming top of mind for state legislators after the high-profile leaks.
Fortunately, just as requirements have stepped up, so have the capabilities.
Protecting mobile devices
Today, enterprises rarely deploy VPN clients on smartphones, but vendors are expanding support for them while looking for ways to ease mobile headaches such as a lost connection.
"On a mobile phone, you expect much more immediate, quick access," Hazelton said. The multi-step process of logging into the VPN and then the corporate application will frustrate these users, he said. This frustration level only grows when mobile data connections are momentarily broken, forcing users to log in to the VPN again.
At CTIA last week, Columbitech announced advances to its mobile VPN clients that keep a VPN session intact even when temporarily interrupted by a lost connection. Motorola and Ericsson have already licensed the technology.
"That goes toward alleviating the pain of using a VPN on a mobile device," Hazelton said. The broadening ecosystem of phone support for VPNs is also easing that pain, he said. With its 2.0 release, even the iPhone got VPN support, with the option of four protocols to help securely encrypt Web traffic.
A broader range of applications
As enterprises broaden the range of devices their employees use to access sensitive data, they are also expanding the number of applications that are transmitting the data. More CRM applications are being pushed out into the field, for example, and mobile email is exposing untold amounts of data to potential breaches.
All of it needs to be secured.
"We've got folks using email as a filing system, and we need to ensure when that's being accessed remotely, nothing is being saved on the machine or at home," said Chris Silva, an analyst with Forrester. Even if they are acting in good faith, employees who load sensitive data to their desktop or a USB memory stick are creating a security risk and possibly breaking the law.
These risky behaviors are driving more companies to look into encryption. The first companies to adopt the technology were in tightly regulated industries like healthcare and financial services.
But even companies in less regulated industries should be careful, particularly around their most sensitive data assets.
"You'll see a lot of organizations that deploy, for example, a Citrix environment where your local machine is only providing a view of that [remote] screen," Silva said, a process that leaves nothing on the end device and thus no risk that even if the laptop or phone is stolen, any data will go along with it. "That's quite a big step to take on."
A simpler, yet still effective method, is to place a VPN around all corporate applications, even those (like many webmail clients) that have built-in security.
"In most cases, SSL is reasonable in ensuring that data is protected, and it meets the letter of the law for most applications," Silva said. "But once [companies] start to move those systems online, they start thinking about the two-factor login."
In other words, users must first log in to the corporate VPN through a browser-based portal (no local installation necessary) and then use a different login for the email client, adding one more layer of security and letting IT organizations tune their security policies. For example, depending on the level of security checks the VPN client is given (is antivirus running? Is a firewall installed?), users may be allowed to access email, or email and SharePoint, or a whole range of even more sensitive services. But they would be able to do this only if the computer from which they are accessing it meets the proper security requirements.