This relates to the earlier post, "The perimeter isn't what it used to be", but it is an issue that deserves a bit more explanation.

How many times have you seen this?

  • Requirements for remote access: AV installed, firewall configured, a bunch of configurations on security and networking, 2-factor authentication, blood sample, polygraph exam, deposit of $1000, 5 personal references, a copy of the key to your house, and the names and addresses of all known family members.
  • Requirements for LAN access: plug your laptop in.

OK, so maybe I exaggerated the difference in requirements just a tad.  But you get the idea.  It is very common to have two sets of security standards: one for remote access, and one for local access.

But that model is getting outdated and no longer serves us well, for the same reasons I talked about in the earlier post regarding the perimeter.  Too many computers go in and out of your network now for us to have different security standards for different access methods.  The line between "out there" and "in here" has become so porous that weak security standards in any one scenario become the weakest link in the chain.  Remote access and local access used to be two different things, sitting next to each other: "We've got remote access over there, from these unmanaged machines at people's homes that are always at their homes; and we've got local access over here, from these office desktop machines that are always in the offices."  That's not the case anymore.  What we have now is "We've got this laptop, which goes here, to his home, to his friend's house, to a hotel network, to a conference, to a coffee shop, and then back into the office."  The same machine, and whatever it picked up along the way, shows up under both sets of standards.

We also have to consider malicious insiders.  We can't assume that just because someone has made it through the door they can be perfectly trusted and should have total open access to your network.

Whatever it is you are trying to protect yourself from with strict remote access security standards, you are facing the same threats on your internal network.  The same minimum level of security standards has to be applied to all of your access scenarios.  Stop thinking about applying strict controls to the remote access space and loose controls to the local access space.  Start looking at everything as just "access", and don't think so much about "remote access" and "local access".  Computing is moving away from "remote access" and "local access" and towards "anywhere/everywhere access".  Our thinking has to move the same way.