There's No Business Like Snow Business

by Andrew Moloney on 2/5/2009

For those of you who live in colder climes you must have had a little chuckle to yourselves watching us over here in the UK trying to deal with a few inches of snow  recently! The transport network pretty much ground to a halt, the Federation of Small Businesses estimated that 20% of the UK's working population, or 6.4 million people, around the country would not make it to work.

Of course, if you’re reading this, chances are, like me, you are classed as a “knowledge worker.” A “snow day” would likely not be considered too much of an issue if, again like me, you regularly work from home, hotel rooms, airports etc., using your token and “VPN’ing” in on your laptop from wherever, enjoying secure broadband access to your office network. For the IT guys it’s pretty straight forward to manage as well – calculate the total number of people who need the capability to work remotely, then estimate the percentage likely to be engaging in such an activity at any given moment, add a margin of error, then provision the infrastructure and workers accordingly.
 
And in general, that works. That is until some unforeseen “Act of God” descends and suddenly ALL your remote workers try to work remotely at the same time! Indeed, it may be worse than that. What about the guys that don’t normally work remotely and now need to be provided with secure remote access without being able to visit the office first and pick up a token?

A couple of our customers at big UK banks told us they struggled to get access to their corporate networks due to capacity issues. From a security point of view, it’s these scenarios that the hackers and fraudsters love. Companies who have not put in place a strong business continuity strategy are suddenly faced with a loss of productivity and/or “lowering the bar” to allow access via less secure means. Given the choice, most businesses choose the latter over the former, often rationalising their decision that it will be fine “just this once.”

It’s a shame and it’s a significant risk, because unlike the past where the only real secure means of providing strong authentication was via deploying hardware tokens, the world has moved on quite substantially. It’s now possible to add into the mix “on-demand” authentication via SMS and email, as well as being able to remotely deploy software-based tokens to phones and computers. And with flexibility in licensing options now possible, allowing for such “bursts” of demand, there’s really no excuse now for allowing such incidents to impact your security policies.

By the way, I’m pleased to report that here at RSA we had no such issues during the snow storm and I was able to happily continue on with my full day of conference calls from the comfort of my home office, hot cup of coffee in hand...