How to approach remote-working security
Everyone must work from home! Easier said than done? No, it’s quite simple to execute. If an organisation has a relatively modern technology environment, giving access to its applications and resources to remotely-based employees is not a tall order. If that environment includes a sufficient and affordable data service, software-as-a-service applications and cloud-native services, it’s even simpler.
But all things are relative. It’s easy to climb a mountain. It’s a lot tougher to climb a mountain and not get injured in the process. And this is exactly where many organisations find themselves: extending the reach of their systems to remote users safely and securely is an enormous challenge.
Users are the weakest link. Compromising someone’s credentials is by far the preferred way attackers get into systems. Phishing attacks, which specifically target users, lead the trend, followed by malware - often delivered through compromised user accounts - and weak passwords.
Companies have taken measures to reduce these attacks. Still, many of those rely on the idea that the majority of users are on-premises. This is the problem vexing organisations, explains Khipu Networks Country Manager, Gareth Trollip.
“The big question is: if you implement security for home users, how can it be the same security posture that you have at the office? The two differ in many critical aspects. But the real problem is that nobody was prepared to have so many users work offsite so suddenly. Security is made worse by increasing complexity, and the sudden need to work from home has made things very complex.”
Determine your requirements
Fortunately, a modern security service should have the tools to manage this transition. For example, leading security services include cloud-based credential and access management. But before pulling those levers, it’s crucial first to understand what your needs are. These needs can be captured in four questions:
1. What are you trying to achieve? Are you trying to create access to internal resources, or to provide perimeter security to staff? Likely both, but these are nonetheless two different scenarios. Distinguish your requirements between them.
2. Where are your applications? Some might be on your servers, some are in the public cloud, and some are straight SaaS products. Answering this helps determine where your security perimeter really ends and is ideally needed. It will also reveal how exposed your different systems are when users are outside your carefully-established security perimeter.
3. Who needs access, and to what? There are three types of users: staff, contractors and students. Chances are your customer-facing systems don’t have to be considered because they are already out in the wild and should be contextually secured. But the other classes might need regular access to internal systems such as CRMs and ERPs. What are the scenarios for those users who now work remotely, but must operate as if they are in the office?
4. What devices are they using to access the resources? This may seem trivial and is often overlooked. But devices are very important, and can be divided into managed devices, BYOD and mobile. Managed devices are either company-provided or a user’s device, but distinguished by being prepped and managed to meet certain security needs. This can include limiting certain applications to only run on a managed device. BYOD refers to a user’s device, likely one not being managed too actively. And mobile refers to the fact that many devices - managed or otherwise - are mobile devices needing specific security measures. But can a privileged app on a managed device work remotely? Do the BYOD devices suddenly need access to internal business systems?
Stepping up remote security
How well you can handle these scenarios depends on the security service you are using. But, says Trollip, it’s fair to expect certain features from that service.
“Firstly, your service should be able to facilitate remote access to internal resources. Second, your firewall and policies should be able to extend to remote client devices. And third, your solution should offer and scale VPN options. Another feature you should look for is whether it can differentiate between access to internal resources and access to cloud services. That will impact your costs since you don’t want to put all your users under the same profile.”
He adds that cloud-based authentication tools could help create perimeters. To summarise, a modern security service ought to extend its perimeter features beyond the traditional scope and into virtually-defined areas that include user devices and cloud services. These features may depend on licensing, but many of them are contained within core products.
You should additionally consider if your security service has the capacity to handle increased traffic. Do you have sufficient bandwidth and VPN tunnels to accommodate the larger volume of users? Not paying attention to these can incur greater costs down the line as you expand bandwidth or licensing.
“It’s very unfortunate that we have to experience these lessons during a devastating pandemic,” says Trollip. “But this is an opportunity to test if your security solutions are really offering best practice and proper features. Not all security solutions can do the above, but they really should be able to because these are no longer nice features. They are critical. So make sure you look for them and, if they aren’t there, look for a security solution that does offer them.”