Monday | 24 November, 2008
Home office lockdown
How to make telecommuting work
Mary Brandel (Computerworld (US)) 02/03/2007 15:53:20

Another method

The American Academy of Ophthalmology takes a different approach to managing security on home workers' computers. Until recently, the organization used only the security available in Microsoft Windows Active Directory and its virtual private network (VPN) software.

As viruses began disrupting bandwidth on the corporate network, however, Vice President of IT Joe Carr decided to take further measures. He installed Safe Access, an appliance from StillSecure that ensures that user devices have updated virus-protection software and appropriate firewall status before allowing them on the VPN. "We've had productivity in the office interrupted due to viruses, so we needed to make a change in the way people managed their equipment outside the office," Carr says.

Carr is also testing a policy in which Safe Access will check on the last time home workers performed virus scans on their machines. If more than a certain amount of time has passed, it will require a scan before allowing the device onto the VPN. "We test new policies with users to make sure the action is working before ratcheting it up academywide," he says.

Another TriNet policy forbids home workers from storing corporate data long term on their laptops, Dehnhardt says, although he doesn't know of any technology to help him enforce that. Instead, telecommuters are expected to access data through the company's VPN and store data on network home folders, which are backed up nightly. They're also discouraged from using USB or thumb drives because they can easily be lost or stolen.

Of course, some data must reside on the laptop for times when the employee has no network access, like during customer visits. In such cases, remote workers are instructed to take only the data they need for that visit and delete it from the laptop immediately afterward, after saving any changes to the network drive, Dehnhardt says. "It's a fine line to walk," he acknowledges.

Mark Rhodes-Ousley, an information security architect and co-author of Network Security: The Complete Reference (McGraw Hill Osborne Media, 2003), agrees that data should mainly reside in centralized corporate repositories.

"Home workers should be granted access to view and change data only from a distance," he says. That can be facilitated with systems that provide front-end access, such as Secure Sockets Layer VPNs.

Remote access makes the home computer a part of the company network, Rhodes-Ousley explains, whereas front-end access makes only the user interface accessible, separating users and their computing environments from the actual servers that manage the data. This technique presumes that users have a good broadband connection, Gold says, because dial-up could never handle the traffic load.

Everyone agrees that home workers should keep data encrypted, but relying on end users to do that is risky, says John Girard, an analyst at Gartner. "Typical office applications have the ability to encrypt," he says, "but the choice is often voluntary, and the user can usually choose a simple, weak password and encryption algorithm."

That's why it's best to run the home PC as a virtual machine that's encrypted, where the user logs on to bring up an image of a company workstation, he says. Or home users could run an on-demand virtual session that encrypts saved data even if the workstation is otherwise not managed by the company, Girard says. This is possible with software such as Cisco Systems' Secure Desktop, Symantec's On-Demand Agent and Check Point Software Technologies' Integrity Clientless Security Secure Workspace.

At TriNet, all home laptops are encrypted using software from Beachhead Solutions. The software provides centralized encryption management and remote data destruction if the laptop is lost or stolen.

Dehnhardt uses IPsec for encryption on TriNet's VPN, and he requires home wireless networks to be encrypted using Wi-Fi Protected Access when accessing the VPN. The only way to enforce this now, however, is through a signed statement and employee training, he says. "We don't have the [resources] to support home wireless equipment," he says. "It's better to educate the users to protect their home environment than to do it for them."

Dehnhardt also advises home workers to change their default service set identifier and administrator passwords on their wireless access points.

This year, TriNet managers will also periodically visit the homes of remote workers, in accordance with the company's policy for inspections of home offices for ergonomic, safety and security reasons. "If employees do not agree to this, their VPN access and laptops will be pulled, and they will not be allowed to work from home," Dehnhardt says.

This is an unusual policy among U.S. companies, according to the Runzheimer study. Only 13 percent of respondents said they conducted irregular or initial inspections as part of their virtual office policy. "There are some privacy concerns as to how frequently these inspections should take place and what advance notice is required," says Heidi Skatrud, a vice president at Runzheimer. "But companies absolutely have the authority to enforce security policy in people's homes."
