With the new Government rules on flexible working, which came into force on 6 April 2003, working from home is now back on the agenda. It can offer both the employer and the employee enormous benefits with improved productivity and staff retention. Add to this the disruption caused by the uncertainties of public transport and fears of terrorism and working from home becomes much more attractive. Furthermore staff would not have to live close to their employers, which would give employers greater flexibility in relocating their offices or dealing with tight labour markets. Diversity of staff working on projects would be improved – promoting collaboration from staff potentially worldwide.
Despite this there has been a reluctance by employers to take up home working. They often cite worries about supervising staff that are not always present, and staff are concerned about not having the same amount of facilities or contact as their office-bound colleagues. There are also concerns about the investment that will have to be made in remote access solutions, including the security and manageability of these solutions.
Many employers will mistakenly believe that the new rules on flexible working require them to allow their employees to work flexibly if requested to do so. This is not the case. The regulations actually set out a wide range of valid reasons for a request to be refused, including detrimental impact upon quality or performance, additional cost, problems re-allocating work, and recruitment difficulties. Home working also brings additional health and safety costs for employers, as they remain legally obliged to provide a safe working environment, including dealing with workstation and VDU issues in the home workplace as well as the workplace. Therefore, although the position is likely to change as the technology improves and remote working takes hold in society, at present most employers will find it relatively easy to justify refusing home working on costs and performance grounds.
However many employers may want to use these regulations to kick-start their teleworking arrangements. The cost of the IT infrastructure to support this has been expensive in the past, but the costs are falling and most large, medium, and even small organisations will be in a position to make the necessary investment. The employer’s equation can take into account both the financial cost and also any impact upon performance and quality of work.
Delivering the Applications
From a technical perspective, there are three main ways of delivering the desktop to the home worker. The first option is to try and replicate the work-based applications at home. With relatively simple products such as e-mail (ie Outlook) this can be straightforward, but with more complicated applications such as document management this can be a problem and create a significant support overhead. Applications that follow the client server model require the application to be installed on the home machine. Even with simple products, such as e-mail, configuration information such as the route to the e-mail server, login credentials and security considerations, will have to be explained to the home worker, or configured by the IT department. More complex applications will require installation and configuration by experienced personnel, and will require a greater level of support if and when problems occur.
The second option is to provide a server-centric solution (eg Citrix) that relies on minimal configuration of the home PC. This normally just requires some client software that facilitates delivering the applications to the home worker. Again there will be some support implications associated with this option, but not as much as with full client-server applications. These solutions run the applications on a central server and pass only screen images and mouse clicks/key presses to the client machine so many applications can be run over a dial-up link. However, this can mean some investment in infrastructure and software depending on the numbers of users and applications. As this solution depends on the server running and delivering the applications, the server will need to be quite powerful, and most proprietary server-centric solutions will have significant licensing costs.
The third option would be to deliver the applications in a browser-based format. Many software vendors are providing browser-based solutions and their offerings have got considerably better over the last 12 months. For example, Microsoft Outlook Web Access 2003 is almost identical to Outlook 2003, so there is little user retraining. Using ASP, XML/XSL, or .NET technology there is no requirement to install anything in advance on the home worker’s PC. As everything is Web-based, the only requirement is a suitable browser (usually Internet Explorer 5.5 or 6). This lowers the total cost of ownership considerably as application support is almost completely concerned with delivering Web pages.
Connectivity Options
In order to use our applications remotely, we need to get access to where the data is held. There are two main options. This would be either a direct link to the office, or by utilising a Virtual Private Network (VPN).
For the home worker a direct link will be either a modem connected to a standard phone line or an ISDN line. Depending on the demand, the organisation would have to run one or more Remote Access Service (RAS) servers with enough incoming lines to meet the needs of its remote users. This could be relatively inexpensive to set up but the ongoing costs could be significant, taking into account line rental and call costs. Access would be very slow and possibly unreliable.
The best option would be to use a VPN. VPNs work by providing a secure “tunnel” through the Internet and can use encryption to secure the data (for example IPSec). It is effectively using the public infrastructure to create an extension of your private network. A VPN is established via an Internet connection, which connects through to the corporate network via the Internet. This can be a dial-up, or preferably a broadband connection. As broadband can offer speeds in excess of 400Kbps downstream and 200Kbps upstream it is ideal for running a VPN. The hardware required to run a VPN is either a dedicated VPN unit, or a VPN solution is sometimes included within some firewall products. VPN solutions that can handle up to 500 simultaneous connections are relatively inexpensive and thus would give most companies a significant proportion of their staff with facilities to work from home.
Some software can deliver work-based applications purely through an Internet connection and a browser. For example most document management solutions offer a Web interface which can allow document access through a public Web site. Obviously security is an issue here and the Web sites generally are secured with public/private keys.
The important issue here from the IT department’s perspective is to reduce the amount of configuration and support that has to be done on the home worker’s PC. This is potentially the most expensive aspect of working from home. This is why browser-based applications give the organisation the most control over how their applications are delivered. Browser-based solutions can either be delivered via a VPN as outlined above, or via the Internet using encrypted Web sites with SSL to give additional security.
Security
Security is always an issue. It is important that anti-virus software is kept up to date; especially where home workers may not be quite as diligent at updating the software on their home machines. Many large anti-virus vendors are now offering solutions to allow home workers to use the company’s anti-virus software. Some solutions are more complex than others, but this is a vital area that cannot be ignored.
With the growing popularity of broadband, more home systems are becoming targets for malicious attacks. This was less common with dial-up as access times were generally quite short before the connection was broken. It is now possible to a leave home machine connected indefinitely, which can leave them open to unauthorised access. Therefore it is vital that some sort of firewall is put in place to protect against this. There are various software firewalls available, but these can be quite complex and difficult to set up. A preferred solution is a broadband access point that has a built in firewall. This can be preconfigured by the IT department before being installed at the employee’s home.
One of the greatest weaknesses in corporate networks are passwords. Many people use extremely simple words as their password, which could be easily cracked. With the advent of permanent Internet connections and remote working we no longer have the security of the front gate to prevent intruders from potentially accessing our data. One possible solution is the use of one-time passwords, or ‘smart’ systems that generate a new access code every few minutes. This way it is difficult for a hacker to guess a password, or break it with continuous attempts. The organisation may consider investing in intrusion detection systems if this is considered to be a significant risk.
For most organisations a good policy would be the best place to start. For example employees must ensure their home machines are virus free, and take the same amount of care as they would in the office when accessing attachments or material from the Internet. Passwords need to be of a minimum length and not be obvious names.
With security comes complexity and it is a trade-off. A typical set up involving a VPN, a personal firewall, and perhaps a secure Web site will deter all but the most determined intruder. However, there is no such thing as a completely secure network and it is a matter of how much risk you are prepared to assume.
Conclusion
Delivering flexible working does not have to be a huge headache. With the advent of browser-based solutions, most software can be delivered to the home worker’s PC relatively painlessly. The key is to install as little as possible on the home worker’s PC to reduce the incidence of support issues whilst being mindful of the security implications. The infrastructure the organisation needs to consider is:
- a leased line, or permanent connection to the Internet – most organisations will have this for corporate e-mail and staff Internet access
- a VPN solution – this can be a separate unit or part of a firewall
- a firewall
- Web-based access to key office applications such as e-mail and documents
- security policies for staff to follow, and possibly intrusion detection software if this is perceived as a risk.
The home worker would need:
- a VPN client on their home machine (Windows 2000 and XP come with a very reliable VPN client, which will connect to a variety of VPN servers, alternatively many VPN hardware vendors provide all the required connectivity software)
- Internet Explorer 5.5 or 6 – most browser-delivered applications require the advanced features of the latest versions of IE
- an e-mail client for accessing e-mail via a VPN connection if not using a browser-based solution
- anti-virus software
- a personal firewall, either as a software solution or as part of the broadband connection hardware.
Home working must be easy to use by the employee, and both easy and cost-effective to support by the employer. If it is not then the employee is likely to feel isolated and the employer will see it as contrary to the business interest. With the technical advances in connectivity and application delivery, this is likely to become a more common mode of working.
Simon Bennett is IT Director at Tarlo Lyons: Simon.Bennett@tarlolyons.com.
