T 5.93 Permitting use of RAS components by third parties

If RAS components are deliberately made available to unauthorised persons, then the security of the RAS system can no longer be assured (see also T 3.30 Unauthorised private use of telecommuting workstations). The resulting possible threats are set out below.

• Unauthorised RAS access could occur if the security guidelines are not adhered to. For example, it is a common occurrence for administrators to allow RAS dial-in to unauthorised persons (e.g. for use of the Internet) out of mistaken friendliness.

• RAS users give authentication data or tokens to unauthorised third parties to enable them to access the LAN remotely (under their ID). Possible motives for doing this might include the fact that a colleague is not authorised under the RAS security concept to use remote access or has forgotten to apply for RAS permission in good time before a business trip. As one RAS user account is now being used by several users, in case of damage it will no longer be possible to unequivocally identify the person responsible.

• Where telecommuting is permitted, the problem often arises that the RAS client is used by members of the family or friends of members of the family. If persons who are outside of the organisation are using the RAS client, they will generally ignore the security rules which apply to the RAS client. As a result, the security of the LAN can be compromised.

The possibility that IT systems in remote locations will be used by third parties can never be excluded as the security mechanisms of an IT system can be circumvented once physical access has occurred.