Telecommuting has freed many to work far from the confines of the office via laptop, but the price of working while sipping a latte at that sunny café is the danger that a public network will not keep the data that passes through it safe. Now, to combat the risk inherent in remote access, the National Institute of Standards and Technology (NIST) has updated its guide on maintaining data security while teleworking.
The revised guide offers advice for protecting the wide variety of private and mobile devices from threats that have appeared since the first edition appeared in August 2002. Together with the preponderance of dangerous malware on the Web, the vulnerability of wireless transmissions from mobile devices has created dramatic new security challenges.
"In terms of remote access security, everything has changed in the last few years. Many Web sites plant malware and spyware onto computers, and most networks used for remote access contain threats but aren't secured against them," says Karen Scarfone of NIST's Computer Security Division. "However, even if teleworkers are using unsecured networks, the guide shows the steps organizations can take to protect their data."
Among these steps is the recommendation that an organization's remote access servers—the computers that allow outside hosts to gain access to internal data—be located and configured in ways that protect the organization. Another is to ensure that all mobile and home-based devices used for telework be configured with security measures so that exchanged data will maintain its confidentiality and integrity. Above all, Scarfone says, an organization's policy should be to expect trouble and plan for it.
"You should assume external environments contain hostile threats," she says. "This is a real philosophy shift from several years ago, when the attitude was essentially that you could trust the home networks and public networks used for telework."
The new guide provides recommendations for organizations. A companion publication* offers advice for individual users on securing their own mobile devices.
While intended primarily for U.S. federal government agencies, the guide has been written in broad language in order to be helpful to any group that engages in telework. Formally titled Special Publication 800-46 Revision 1, Guide to Enterprise Telework and Remote Access Security, it is available at the NIST Computer Security Resource Center's draft publication Web site: http://csrc.nist.gov/publications/PubsDrafts.html.
* SP 800-114, User's Guide to Securing External Devices for Telework and Remote Access, http://csrc.nist.gov/publications/nistpubs/800-114/SP800-114.pdf.
Edited on Feb. 25, 2009 to insert proper document links.