Turning off the Internet tap

Frustrated with the combined costs of lost productivity, virus cleanups, and e-mail monitoring, it’s very likely that many companies may soon be taking a “just say no” approach toward employee requests for Internet access.
Written by Tim Landgrave, Contributor
Frustrated with the combined costs of lost productivity, virus cleanups, and e-mail monitoring, it’s very likely that many companies may soon be taking a “just say no” approach toward employee requests for Internet access.
In fact, some CIOs I’ve talked with indicate that they’re likely to shut off all Web access in the next couple of months and then plug in software that will selectively reenable access on an as-requested basis. Others relate that they’re pursuing less draconian, but just as restrictive, policies to control the growing administrative costs of unfettered Internet access. It’s a good time to examine some available Web-access alternatives under consideration by CIOs.

E-mail filtering and restricted access
Most CIOs have installed, or have plans to install, e-mail filtering software. In some cases, this means turning on the native capability within their corporate e-mail software (such as Notes, Exchange, or Groupwise) to quarantine any attachments at the server level. This approach requires a user to specifically request that a quarantined file be extracted and sent to them on a case-by-case basis. While it clearly adds an administrative burden (most commonly on the help desk), the labor cost pales in comparison to the cleanup of an inadvertent virus attack.
If CIOs don’t want to filter, adding virus-checking features to the e-mail server is a good alternative. These server-based virus products (including products from Sybari and Network Associates) scan for known viruses in incoming e-mail and quarantine files found to be affected. The key word here, however, is “known.” Although updating virus signatures is automatic with a server-based virus program, it’s still no guarantee that an infected file won’t slip by before a virus patch is available. That’s why many companies are beginning to err on the side of safety and block all attachments, rather than on the side of convenience by attempting to block only infected attachments.
Yet even full blockage of attachments isn’t a cure-all for preventing viruses. If users are allowed to surf without restriction, there is still the possibility of a user infecting the system through downloads and outside e-mail via a public account. The user not only infects his or her own workstation but also can easily infect other computers on the same physical network. One workaround to this situation is the use of virtual terminal technology.

Dedicated or virtual Internet access stations
Many corporations are limiting Internet exposure by providing physical or virtual dedicated browsing stations. Physical browsing stations are a set of dedicated PCs in a common area that are used by employees to browse the Internet. These PCs are connected via an isolated subnet, and while they provide access to the Internet, they are not connected to the internal network. In this configuration, employees can browse sites but cannot infect other machines on the true corporate network. While it protects the main network systems, use can be inconvenient, especially for managers.
Virtual PCs are Windows Terminal Services (WTS) or Citrix sessions hosted on a set of machines in a data center called a “hosted Internet cluster” (HIC). Employees use the PCs to check e-mail or to access the Internet. Users are provided screen icons tagged as Check E-mail and Browse the Web. When they click on an icon, they access a centrally managed e-mail client or a centrally managed browser. By locating all of the potentially dangerous activity on a cluster setup, corporations are provided a single point of Internet access, control, and recovery.

Outsourced e-mail and access
The cluster scenario is a good fit for ASPs that are currently struggling to create profitable corporate products, as well as ISPs seeking niches to fill. I expect both market segments will soon consider creating some kind of per-user version of the HIC. Moving an HIC off-site allows a company to outsource Internet e-mail and access hassles, and lets internal resources focus on real line-of-business problems.

These new Secure Access Providers (SAPs) will live or die on their ability to report on access and eliminate virus damage throughout a customer’s systems. Companies that previously saw ASPs as a fad may see these new SAPs as a potential business partner. While it’s likely that SAPs will be used more by smaller companies and those without an internal IT staff, many larger companies would be well served to consider this as an option.

Web services to the rescue?
But while I envision new services being created, I also believe that the access security issues facing many companies today will be short-lived. In my opinion, companies will ultimately control both the content and delivery mechanism for employees by eliminating Web browsing and replacing it with intranet connections to specific services that the company chooses to provide to employees.

In the future–-the very near future—intranets will use Web services to provide these types of services via remote Web servers. Given administrators’ angst over the dangers presented in opening up port 80 to all PCs, I can see a day when port 80 extends to the intranet servers, and they, in turn, provide any additional services in a format consistent with the company’s needs and policies.

Within a couple of years, Web browsing will be viewed as primarily a consumer phenomenon. The Web will finally turn into a ubiquitous network that allows companies to share information across a standard set of protocols. That’s the upside, however. On the downside, if a company relies on corporate workers using its Web site, and the public Internet, to generate revenues during work hours, then it might be in a heap of trouble.

Editorial standards