The further employees get from corporate, and from corporate networks, the more likely they are to do things with their computers that security managers would rather they didn't. Envision buyers or sales people in hotel rooms late at night trying to kill time. Could these people be doing things (e.g., downloading malware) that could bring down your company?
If they are not connected to the corporate network (and even if they are), you may not know about it until it's too late and the malware has already propagated throughout your network.
We have done many interviews lately about remote workers: employees working on their own computers from their homes, road warriors (and "road pacifists") in sales and marketing, and store employees. In many cases, there is clearly a "mobile blindspot" when it comes to being able to monitor the state of their systems (viruses, patching, file integrity, etc.). Although most of the merchants we've spoken with do have endpoint security of various types, these controls only work when employees are connected to the corporate network.
Mobile workers often do some pretty bizarre things on the road (referring to computing practices, of course), such as using many Web-based applications that might normally be blocked by policy management tools such as Cisco's NAC if they were working at corporate. The bottom line is that it's pretty easy for remote and mobile workers who use their own PCs to do things that you may not be able to detect when they reconnect to the corporate network. That's your mobile blindspot.
One way to take a peek into your mobile blindspot is to implement behavior monitoring software (i.e., monitor keystrokes, Web sites visited, downloads). However, there are legal and ethical implications to consider. We have also been talking with European companies lately, and the issues of employee privacy and global security policies are frequent topics.
Because European data privacy laws are stronger than equivalent U.S. laws, the idea of using employee behavior monitoring tools to "spy" on employees may not fly globally. Generally, a defensible approach is to define specific, detailed policies regarding what remote workers can and cannot do while using company property or acting on behalf of the company and then to deploy controls that are matched to these policies.
The goal is to detect threats to the corporate network, even when employees are not connected to that network, which is very different than spying on employees. Your policies, tools and data analysis process must be consistent with this perspective, or the company could be in violation of some of the data privacy laws.
The primary point we're trying to make here is that it is clear from talking to mobile workers and compliance officers that we have "extended" our enterprises far beyond our ability to secure them through the use of most endpoint security tools, which focus the controls at the point where road warriors reconnect to the enterprise network.
But the number of home workers (often part-time) who use non-dedicated machines and the number of mobile workers who are connected to the Internet far more often than they are connected to the corporate network will continue to grow. It's time to redraw the network security boundaries to better reflect the extended enterprise reality.
The case of the over-extended enterprise is an excellent illustration of how an organization can be compliant yet not secure. To prove PCI compliance, for example, all an organization would have to do is prove that all mobile and home workers are not a part of the cardholder environment. That is, prove that there is no way for any of these people to have access to any cardholder data from their computers.
OK, so maybe that's not so easy in some cases, depending on what these mobile and remote workers do for the company. For organizations that cannot effectively "segment off" mobile and remote workers, it's critical to have controls in place to encrypt the data and to monitor and log user access to card data—the whole nine yards (or 12 yards, in the sense that there are 12 PCI controls). Therefore, not only do you need to extend endpoint security to embrace the extended enterprise, you also need to extend PCI controls and the assessment process. With PCI 1.2, the instructions to PCI QSAs make it clear that a review should include a thorough sampling of stores and remote locations. As a result, we expect increasing attention to be paid in PCI assessments to the extended enterprises and the vulnerabilities that mobile and home workers can entail.
We have spoken with several leading merchants who are on top of this problem. They have offered a number of best practices when it comes to securing mobile and remote workers, and they have some tools that they would recommend.
If you want more information, I'd encourage you to visit the PCI Knowledge Base and read what your peers are saying about this topic.
We're considering adding a discussion forum about this topic. Let me know if you think that's a good idea. Lastly, if you're a retailer, we want to get you involved in the PCI Best Practices study we're doing with the National Retail Federation. It's 100 percent anonymous. Just send us an E-mail at [email protected]