Last week, RBC Capital Markets equity research group released a report about Check Point Software discussing an potential upcoming product called "Abra." Abra would be sold in the form of a USB stick that end users plug into personal / non-corporate laptops used to access their corporate environments.
Last week, RBC Capital Markets equity research group released a report about Check Point Software discussing an potential upcoming product called "Abra." Abra would be sold in the form of a USB stick that end users plug into personal / non-corporate laptops used to access their corporate environments. The sticks would have all the antivirus, VPN, and endpoint security software they need (including potentially having application packages for local execution). RBC seems pretty psyched about this, going so far as to say, "We believe remote products such as Abra could ultimately lead companies to adopt a policy of Buy-Your-Own-PC or BYOPC which is becoming increasingly popular because they allow employees to work from the device of their choice..."
I agree 100% with their views about BYOPC, but I hope we don't need things like Abra to make it happen!
What's the easiest way to securely access corporate resources from an untrusted device?
Obviously a remote display protocol-based solution like TS or VDI is an option and probably gives you the greatest amount of security since you can 100% control the execution environment and no data leaves the datacenter. I guess the only real downsides are that it doesn't work offline and you need a lot of backend infrastructure if you're not using TS or VDI anywhere else.
The "other" way that companies have been handling remote access is via VPNs. VPNs were simple back in the good old days, but now the security vendors have added millions of features to them (antivirus scans, memory scans, host OS and patch-level compliance scans) that simply meeting all the requirements just to get on the VPN in the first place becomes a goal in itself. (This even happened to me with TechTarget. They finally just updated the web VPN so that it will support Windows 7, but then it didn't recognize my AV even though it was on the list... long story short I spent three hours trying to connect to the VPN and was so tired when I finally did that I shut off my computer and went to bed.)
I mean seriously, if a VPN company's products are so complex that their move to bundle all of them onto a single USB stick is viewed as worthy of a research note, then I think we have a problem!
But of course Check Point isn't the first to go down the put-everything-on-a-USB-stick path. Gabe wrote about Accario's AccessStick two years ago? (There's a rumor that Accario isn't in business anymore, despite their website still being there. Can anyone clarify that? Actually, if Accario isn't around maybe that goes to show how well these all-in-one VPN sticks are received?)
USB stick-based remote access
Even though I'm not a fan of the VPN-on-a-stick, I actually really love the concept of having some kind of USB stick that runs anywhere which is used to remotely access corporate environments. (I'm thinking MokaFive here. Or maybe RingCube for Windows PCs only. Anyone else?)
Of course this thing would have to be secure, so you probably want to go with a stick that has hardware encryption from someone like IronKey.
That got me thinking... when most people think of secure remote access, they think of SecurID. "Wow," I thought, "I wonder if RSA makes a version of the SecurID keyfob thing that doubles as a USB stick? Then we could run our software from there while still having two-factor security!" I am not kidding when I say that I was actually browsing through the results of a [securid usb stick] Google search before I realized how stupid that was! (I mean the whole point of the SecurID's changing password is to ensure that you physically possess the device, so obviously if you have the IronKey or whatever with your certificate on it, then DUH!, you have the second factor! :)
My point, though, is that I do love the aspect of two-factor security, and if the second factor is going to be something you have, then it might as well be a USB stick which works on any computer as opposed to a stupid fob with a flashing number on it.
And if it's going to be a USB stick that works on any computer, I'd probably rather have a complete VM-based secure operating environment as opposed to a something that tried to secure my insecure device.