Michael Weirich works as a security analyst in the Cybersecurity Services department of eco, the German Association of the Internet Industry. He has already supervised many security projects for eco and knows from his own experience what’s involved when employees access the corporate network remotely. In an interview, he describes the pros and cons of various procedures.
- Employees working from home or in the field need secure access to company data and applications.
- Encryption, anonymised data transfer and protection against "eavesdropping" are fundamental.
- The standard solution is a virtual private network (VPN) but there are also alternatives.
How did you come to be involved in IT security?
The first phase of my IT career began in 1996 when I started at America Online (AOL). I was still a student at the time. I initially worked in support, until a few years later when an internal helpdesk needed to be set up. I then took charge of it. When Hanse-Net bought out certain segments of AOL, I transferred to the e-mail team. Because problems with spam were becoming more and more serious at that time, we were increasingly involved in IT security. A few years later when I was asked if I wanted to come work for eco, the German Internet industry association, I immediately said yes. I collaborated on the Botfrei.de security portal and represented eco in the EU’s ACDC project on spam and dangerous e-mails. eco was the consortium leader. The project was extremely successful. We were able to supplement messages with additional information in real time and forward them to the responsible partners in the ACDC community. In recent years, I’ve collaborated on the SIWECOS project, a service for secure websites. Today I work for eco in their Cybersecurity Services department.
Do you have a speciality in the IT sector?
Since I’ve spent a lot of time on spam analysis and Trojans, you could say that that’s my area of expertise. But in the future, I’ll be focusing more on information security management systems (ISMS), because information security is becoming more and more comprehensive and risk and emergency management are now an indispensable component of corporate IT security. Otherwise, I’m technically more of a generalist and am currently doing most of my work in the field or from home.
When people work from home, they need secure access to company data and files. What does this entail and how can it best be ensured?
A suitable solution has to ensure that access is possible only for authorised persons and that it’s direct, with no intermediaries. External anonymity must be guaranteed, meaning that no third party is allowed to see who’s connecting to whom. Protection of privacy and data integrity have to be guaranteed. And, of course, a suitable application also has to be efficient and stable.
What are the different options for secure access to the corporate network and how do they differ from one another?
The traditional version is the VPN, or virtual private network. A VPN reroutes all data traffic through the corporate server. Even if I surf the Internet, that goes through the company network. So a PC in a home office is virtually integrated into the corporate network and hardly differs from a PC in the company’s offices. However, this requires that the company have the complete infrastructure available, including Internet access with a suitably dimensioned bandwidth.
Another option is to use remote desktop solutions, such as Teamviewer. In this case, users remotely access their desktop computer in the office and can use the applications installed on it as though through a display window. But unlike a VPN, it isn’t possible to access the entire network remotely. The two versions are comparable from the standpoint of security, but remote desktop solutions are more limited. This solution wasn’t developed for a home office. It’s more suited to remote support, because the PC has to stay switched on. The solutions from Citrix are similar but much more efficient. However, the company has to have a separate server. In this case, the company no longer has to have a PC for every employee. The Citrix solution is comparable to a virtual PC, for example. Users install a client on the computer that displays the company PC’s desktop in a window. Secure authentication is required to guarantee security and data is transferred via a secure connection. But the privacy isn’t comparable to that of a VPN, because the ISP can exactly track data traffic, so you don’t have the anonymity of a VPN.
Another possibility is zero trust network access. In this case, secure access is controlled on an application-specific basis, meaning administration of IT security is shifted to the application level. The user connects to a broker, which is a type of gateway that performs the security check. Not only the person is authenticated, but also the computer. Access to the application isn’t granted until both have successfully passed the check. So users can no longer log in from just any computer – from an Internet café, for example. The principle behind zero trust is that no user, device, or service is trusted, which serves to minimize security risks for companies. It means as few authorizations for users or applications as possible and access only when necessary. Of course, up-to-date policies and guidelines are a basic prerequisite, because these define which authenticated users, services, devices, and applications are allowed to communicate with one another. A great deal of effort is involved in the initial setup, but it’s worth it in terms of increased security. This solution is especially suited to cloud services, because it bypasses the company computer. The server on which the services run is completely invisible to outsiders.
Which version do you most recommend on the practical level?
The traditional VPN is the most elegant solution. It’s the easiest way to completely safeguard everything, because all data traffic is rerouted. It’s definitely the simplest solution for users, as well as for the administrators who configure the service. Setting up network access with Citrix or a zero trust network is much more resource-intensive, at least on the administrative side. But with a VPN, accessing the company’s network involves a higher network utilization, and that has to be taken into account.
How do the different VPN solutions differ?
In the case of a conventional VPN, I install a client on my terminal device. But there are also VPNs that run in a browser, meaning they operate without a client. Even Firefox has recently started offering something similar, but it’s more a matter of preventing the website from seeing where I’m coming from, who I am, etc. So it’s about anonymization, in that it conceals the user’s surfing behaviour. These are often cases where geolocation also plays a role – for example, for shopping abroad when offers are limited to a specific country, or for TV programs and streaming services that can only be received in a particular country.
Some DSL routers also have a built-in VPN. Companies can provide these to employees so that they can connect to the company securely. The advantages are that no further measures are required on the PC in the home network, and the user can change PCs and still be in the VPN.
A basic distinction has to be made between secure access to the company and the anonymization of data traffic. These are two different objectives. In the latter case, I need to know where the provider keeps the servers to which the VPN data traffic is rerouted, in what country they’re located. This can become a data privacy issue.
What should be taken into account when choosing a solution?
Some of the most important criteria are the trustworthiness of the manufacturer and user-friendliness. In terms of security, all the providers are on a high level. Otherwise, the same selection criteria apply as for other software within the company, such as the support offered by the provider. And, of course, the client has to be able to run on the platforms used within the company.