Security No-Brainer #5: Security and Management Tools Need to Work Off of the Enterprise Network
May 11th, 2009
In my last post, I talked about several impending inflection points for information security.
One of them was:
More than half of our employees spend the majority of their working hours connected to networks we don’t own and don’t control (airports, hotels, home, wireless, 3G and so on)
This brings me to my fifth security no-brainer (for the previous four see this post): Security and management tools for endpoints must work when the endpoints are network-connected, but not connected to the enterprise network.
Many of the tools today require the end-user to be directly connected (or to establish a VPN connection back) to the enterprise network to receive AV updates or patches. Why not provide a way to reach out and connect to the end-user device without a VPN? This can be accomplished in many ways, including:
- Placing a copy/replica of the management server in the DMZ that the remote devices can see no matter where they are connected
- Using some type of relay server in the DMZ that can proxy the requests to/from the remote devices
- Using a “cloud-based” provisioning service from the vendor (for example, they provide the AV signatures directly to the end user from their Internet-based infrastructure)
- Using a solution like Microsoft’s DirectAccess so that every machine can be treated as if it is attached to our enterprise network no matter where they are connected
- Source: Neil MacDonald
- Full article