As today's road warriors rally to the technology banner and launch campaigns against the commercial competition, their teleworking comrades bravely man the phones at home. With the battle hotting up, IT managers must assume the role of generals - selecting and maintaining the right technical armour to support the assaults. A mobile workforce can give your organisation massive competitive advantages, but there's no gain without pain. The potential benefits come only at the cost of potentially skyrocketing IT support overheads and, if the remote link is not properly managed, devastating security risks.

With the arrival of faster modems, GSM, ISDN and increasingly sophisticated software to manage access, full remote system control has become a viable commercial reality. The technology is beginning to come of age and businesses are increasingly reaping the benefits of its implementation. Remote working is one of the hottest growth areas in today's business world.

Industry analysts Gartner Group predicted that, by 2003, more than 140 million professionals will be spending at least 20% of their working time beyond the confines of the office. Gartner research director, Nigel Deighton, identified four key drivers behind this growth in the remote market. "There is the ubiquitous availability of the Internet and telephone services, both fixed and mobile," he said. "Technology is now here that provides palmtops and mobile devices which really can put information into mobile professionals' pockets. Ecological considerations, including cutting down pollution from travelling, are becoming more significant. Finally there is the question of staff retention in a market with a huge shortage of good IT people. Allowing staff to work from home is a very big carrot to make them work for you," he added.

The first priority for an IT manager considering such an implementation is system security. There was a time when this simply meant locking the office door before you went home.
However, remote links now create many virtual doors and it is vital to ensure only authorised users are able to open them.

Remote network access projects run the risk of opening a Pandora's Box of potential problems, according to Mike Madgin, director of information security services at financial consulting group KPMG. "All remote links are, by definition, inherently insecure. The possibilities of unauthorised access are quite significant. Security should be a dynamic combination of technical and procedural issues which fit snugly together like a jigsaw," he said.

This view was endorsed by Clive Longbottom, strategy analyst at CSL Consultancy Services. "Remote access is a massive can of worms, but for an IT manager considering the options, you can distil the decision process down to three vitally important points. These are security, security and security," he said. "It's not enough just to look at the technology; you have to consider the human factor. There is no point in having a 42-character password if people just get fed up and write it down on a label stuck to the screen. Remote security needs to be addressed at all levels," he added.

Longbottom advised the implementation of a multi-layered holistic security model with remote control management software acting as the first tier of defence. This software identifies the remote users, determines what network privileges they enjoy and limits their access levels accordingly. It also, where applicable, encrypts the data being transferred.

The next line of defence is physical password security on the remote clients which helps to protect the machines' data in the event of theft. Depending on the sophistication of the remote management software, it is possible to predefine actions such as locking the remote client out permanently or deleting remote data after a number of failed login attempts.
In addition to these measures, security can be improved by the use of one-time encrypted password smart cards such as Security Dynamics' SecurID. These products dynamically generate a single-use password for the remote client that is co-ordinated with and recognised by the central site.
Biometric security devices, such as fingerprint readers, which are currently under commercial development by companies including Compaq, could also be potentially valuable. "Security is not just about stopping unauthorised people accessing your systems. It should include setting the remote management software to centrally back up the remote clients and co-ordinate with the server-side backups," said Longbottom.

The remote access market can be broadly segmented into three areas. At the most basic level is the DIY software-only solution which is loaded onto existing equipment. The next step up is an integrated hardware and software combination which offers greater scalability, albeit at greater cost. Very large-scale implementations tend to be achieved by outsourcing the entire responsibility for remote access installation and management to a telco, or possibly an ISP. The optimum configuration depends on the size and remote access needs of the individual organisations.

John Girard, research director at Gartner, was sceptical over the overall cost of ownership associated with software-only systems. "If you buy a software-only product like Attachmate RLN or Microsoft NT RAS, you still have to get and maintain the hardware to go with it.

"NT RAS is like the fairy story about stone soup. This involved a soldier claiming to have magic stones which could make soup. He convinced a number of people to contribute an ingredient each and so made soup. With software like NT RAS, all the ingredients come from the user, who provides additional management, support and hardware," Girard said.

He warned users will almost certainly find a software-only solution will be more expensive than buying a dedicated out-of-the-box remote system because support and maintenance costs with such set-ups will invariably be more complicated.
In contrast, he pointed out the hardware-based remote access market was more likely to offer cost savings as it is currently very dynamic with manufacturers competing aggressively on cost and functionality.

At the large corporate level, Gartner believes outsourcing managed connections could, after aggressive negotiation, cut remote access costs in half. If successful, the purchaser should be able to get incremental connection charges at rates comparable to those available for an in-house, equipment-only configuration. The key cost benefit will come in the form of inclusive management and administration, in addition to the actual equipment supplied. The organisation even cited research indicating it should be possible to haggle for, and receive, first-line support for remote end users.
Whatever option is selected, it is important to realise the support overhead for remote users can be very much higher than for their centrally located counterparts. The increased costs come from a combination of call charges, out-of-hours helpdesk support and the difficulty inherent in remotely troubleshooting complex hardware and software configurations.

"In general, you can never save money by offering remote access. If you offer casual day extension privileges to a typical user, our research indicates that you will raise the budget costs of supporting that user by about one third. To give them simple full-time access you will increase your budget costs by about two thirds. If you go above about 5,000 hours of remote access every month, it is well worth looking to outsource the remote links to a PTT. Otherwise you will build a new empire and suddenly find that your IT department has set itself up as an ISP," commented Girard.

At a fundamental level, the requirements for all remote access connections are the same. An adapted network device card on the remote client system is used to connect with the central LAN's specially configured remote access server, typically using a rack of modems or ISDN terminal adaptors. This central server can be either a standard LAN server loaded with a software package, or a more sophisticated specially configured server-based unit from a remote access specialist.

In either case, remote access management software on both ends of the link is crucial to success or failure of the project. This software manages the transfer and, if applicable, performs user-defined functions at both ends such as virus checking, distribution of software upgrades to remote clients and data compression to speed up throughput. The other function of this software is to provide first-line security and ensure the remote client is recognised by, and authorised to access, the central network.
"Getting the right remote access software and configuring it correctly are vital factors," said Longbottom. "This will ensure data synchronicity between remote and central sites. This is key because it means the remote users will always have the latest business information and latest versions of critical applications such as virus checkers automatically downloaded. For a road warrior who only sees the office once a month there is no other viable solution." There are some attractive cost savings on offer if the remote user is configured to access the central LAN over the Internet via an ISP. In these circumstances the maintenance overhead of modem racks at the main LAN may be removed by buying a single high bandwidth ISDN, Frame Relay or ATM dedicated link from the ISP. In addition, calls will no longer incur long-distance or international charges as the remote client dials only into a local ISP. The key difference is that, instead of passing over a single private circuit from the PTT, the connection is "piped" via the public Internet and security and quality of service can be compromised. Some degree of security for this pipe can be achieved by using technology such as Point-to-Point Tunnelling Protocol (PPTP). After authentication, the tunnelling protocol converts data into cryptographic packets. These are then sent securely across the Internet. When they arrive at their final destination they are decrypted into a readable form and passed across the private network. In this way users can, at least theoretically, achieve something close to a virtual private network (VPN) over the Internet. Industry analysts are divided over the potential of the Internet in this respect. "It depends. Some companies will never be going to the Internet for remote access because of security. If you are a nuclear power plant then the Internet is not a viable solution. 
But for the vast majority of companies we are seeing a gradual migration towards the Internet," commented Brendan Hannigan, senior analyst at Forrester Research.

Girard remained sceptical: "If you go through the phone company's line you are effectively on the most secure link that is available. The moment you go onto the public Internet it gets very much more complicated. You're going to need firewalls to deny access into the LAN and data stream encryption to try and protect yourself from eavesdropping. In addition, very strong password authentication will also have to be in place. After all this it is practically impossible to get a guaranteed quality of service."

Raman Rai, IT director at construction giant Arup, is responsible for linking 60 offices in 40 countries - for a company that boasts the Sydney Opera House among its completed projects. He has considered using the Internet for remote access: "We have had quite a lot of discussion about the possibility of creating a firewall network which used the Internet rather than costly international leased circuits. The problem is security. It's too much of a gamble. I know that security technology is getting better, but I still do not think that it's good enough," he warned.

For a corporate LAN connected to the Internet, Gartner recommends a three-tier network system protected by a single central firewall to filter access. In this model the first tier is a public access front hall. The next level is a partner LAN for business partners who need to exchange files. This area would contain sensitive, but not highly classified, information.
The third tier is the internal company network. This level contains the firewall which acts as a multi-dimensional switch and controls the routing of users through the three sections.

Whatever remote access configuration may be chosen, industry experts agree road warriors need special treatment. "Many remote projects fall foul of the fact people think remote workers are just the same as users attached to the WAN or LAN. But remote access links are orders of magnitude slower than native LAN speeds. It is vital to recognise the special circumstances and provide a system where users can dial in and work productively," said Deighton.

HALIFAX INDEPENDENT FINANCIAL ADVISORS

Mobile sales staff constitute the very heart of the organisation at Halifax Independent Financial Advisors (HIFAL). The independent subsidiary of Halifax Building Society could not function without its team of 150 mobile staff. "The nature of our business is fundamentally mobile. We do not work from Halifax branch premises," said Nick Johnston, HIFAL's business technology manager.

As a result, each advisor was issued a Toshiba Satellite Pro laptop loaded with Sterling Commerce's CONNECT:Remote software to manage the access link. Advisors log on by modem to a dedicated PC server located at the company's head office in Leeds. This server confirms the agent's identity and batch transfers new sales leads from a SQL database of customer enquiries produced by HIFAL's call centre. Backups and details of the agent's sales activity are also uploaded from the laptop.

Johnston admitted support for the remote team was expensive. "Any breakdowns are going to be expensive, you have to keep them to a minimum. If you buy a flaky piece of hardware or software you only have yourself to blame if you encounter problems. Saving money on your essential equipment can be a real false economy," warned Johnston.

"Agents don't even know they are using the remote management software as it fires up from within PIAS.
This is important as our staff are financial experts and not IT people."

The commercially sensitive nature of this financial data means that tight security was a prerequisite when HIFAL implemented its remote network. Data stream encryption was combined with firewall protection. RADIUS software on the main LAN server provides an additional level of security. The effectiveness of the overall security package had to be approved by Halifax's in-house specialists before the rollout could commence.

Additional security features were built into the laptops to prevent data being compromised if a machine is stolen. CONNECT:Remote is configured to allow three failed login attempts. After that the system rejects any further attempts until a new password has been issued from a central server.

Some problems were encountered during the early phases of the project. The laptops suffered from apparently random date and time changes. Initial investigation centred on the systems' batteries, but these were found to be working normally. The cause of the fluctuation remains unclear, but as a workable solution, the system was configured to automatically correct the date and time on the remote laptops every time a connection was made.

Johnston plans to expand this type of central software management and distribution to include product upgrades for HIFAL's financial and support systems. He envisages regularly posting a variety of packages, including anti-virus tools, onto the central servers for automatic distribution. "We are highly regulated under the terms of the Financial Services Act and have to make sure we are up to speed," he said. "If something changes the rules we must be able to get new software quickly and safely to our agents. By sending the data out electronically we have a valuable audit function where we know the latest version of software is in use. This helps us keep an eye on our assets in the field."
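
The single-use passwords co-ordinated with the central site and the three-attempt lockout cleared only by a central reissue, both described above, can be sketched together. This is an added example, not code from the article or from any product it names: it uses the public RFC 6238 TOTP algorithm as a stand-in for a proprietary token, and the `CentralSite` class, the user name and the 30-second step are assumptions.

```python
import hashlib
import hmac
import struct

STEP = 30         # seconds per code (RFC 6238 default; an assumption here)
MAX_FAILURES = 3  # failed logins allowed before lockout, as in the case study


def one_time_code(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: a public stand-in for a vendor token."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class CentralSite:
    """Hypothetical central server holding each user's token secret."""

    def __init__(self):
        self.secrets, self.failures, self.last_step = {}, {}, {}

    def enrol(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret
        self.failures[user] = 0
        self.last_step[user] = -1  # no code accepted yet

    def reissue(self, user: str, new_secret: bytes) -> None:
        """Central reset: the only way out of a lockout."""
        self.enrol(user, new_secret)

    def login(self, user: str, code: str, now: float) -> str:
        if user not in self.secrets:
            return "denied"
        if self.failures[user] >= MAX_FAILURES:
            return "locked"  # rejected even if the code is right
        step = int(now) // STEP
        # Accept the current and previous step to tolerate small clock drift;
        # a step at or before the last accepted one is a replay.
        for s in (step, step - 1):
            expected = one_time_code(self.secrets[user], s * STEP)
            fresh = s > self.last_step[user]
            if fresh and hmac.compare_digest(code.encode(), expected.encode()):
                self.last_step[user] = s
                self.failures[user] = 0
                return "ok"
        self.failures[user] += 1
        return "denied"
```

A code that has already been accepted counts as a failed attempt when presented again, so a captured code is useless to an eavesdropper and repeated guessing locks the account until the centre reissues a secret.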