5 Key Security Considerations For Securing the Remote Workforce
This poses an unprecedented challenge to the security technologists and CISOs of organizations: protecting both the employees' and the enterprise's digital assets.
The adoption of ‘digitization’ among businesses and governments across the globe has grown steadily since the dawn of this millennium. It has allowed them to expand ambitiously and globally, and to stay ‘always ON’. Top that off with affordable mobile computing, residential broadband, and ubiquitous mobile and wireless data, and today’s employee prefers to ‘blend’ work and life effortlessly. Employers are happy to provide that flexibility to achieve the ‘always ON’ status.
Technology was on a steady path to the utopian goal of ‘work anywhere, anytime, using any device’. It needed no other catalyst.
But then came the pandemic!
Working remotely became the only way to achieve business continuity. The term ‘WFH’ had been in the vocabulary of only a minority of tech-savvy and white-collar workers. The pandemic made it commonplace, multiplying the number of remote workers manifold. Research shows that most of that behavior will continue in the post-pandemic period.
While the list of possible security measures is literally endless, I would like to set out five ‘key’ considerations, all available today and easy to adopt, for securing the bulging remote workforce and the enterprises adapting to this change.
Zero trust user access
Zero trust is a security paradigm defined as, “Do not trust anyone to access an enterprise asset, unless explicitly allowed.” Technically called ‘whitelisting’, it is different from the firewall/VPN era remote access solutions (‘blacklisting’).
A traditional VPN tunnel lands a remote user inside the enterprise local network (LAN), where the user has lateral access to every other service. This is a dangerous proposition. In addition, a traditional VPN tunnel has to be backed by complex firewalling within the enterprise network to make it foolproof. That complexity invites human/administrator errors, which can prove costly.
Zero trust user access intercepts the user access requests to enterprise applications, performs authentication (valid user?) and authorization (what privileges does the user have?) before allowing access to respective services.
The inversion from ‘blacklisting’ to ‘whitelisting’ not only prevents lateral movement, it also simplifies policy making and reduces human error, thereby securing services dispersed across many hosting environments. The real winner is the remote worker, though: no more dialing into a VPN server before accessing the office environment.
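To make the ‘blacklisting’ versus ‘whitelisting’ contrast concrete, here is an added illustration (my own example, not code from any product) of the two access decisions side by side. The policy, the role names, the application names and the internal host inventory are all constructed for the example; the point is what a single phished set of credentials can reach under each model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """An identity as established by the access broker's login step."""
    user: str
    roles: frozenset
    authenticated: bool


# Constructed allow-list for the example: application -> roles explicitly
# permitted to reach it. Anything not listed here does not exist as far as a
# remote user is concerned; there is no "inside the LAN" from which it is reachable.
ALLOW_LIST = {
    "email": frozenset({"finance", "engineering"}),
    "erp": frozenset({"finance"}),
    "git": frozenset({"engineering"}),
    "ci": frozenset({"engineering"}),
}

# Constructed inventory of everything actually listening on the internal network,
# including services nobody published to remote users. The VPN model exposes
# these too, unless a firewall rule (the block list) happens to catch them.
INTERNAL_HOSTS = set(ALLOW_LIST) | {"hr-db", "legacy-fileshare", "build-box-ssh"}
VPN_BLOCK_LIST = {"hr-db"}  # the one host an administrator remembered to block


def vpn_style_access(session: Session, app: str):
    """Legacy model: once the tunnel is up the user is on the LAN and can reach
    every host except those explicitly blocked (the 'blacklist')."""
    if not session.authenticated:
        return False, "tunnel not established"
    if app in VPN_BLOCK_LIST:
        return False, "explicitly blocked by firewall rule"
    return True, "reachable over the LAN"


def zero_trust_access(session: Session, app: str):
    """Per-request check: authenticate, then authorize against the allow-list.
    Default is deny, so an unpublished or unknown service is never reachable."""
    if not session.authenticated:
        return False, "authentication failed"
    allowed_roles = ALLOW_LIST.get(app)
    if allowed_roles is None:
        return False, "service not published (default deny)"
    if session.roles.isdisjoint(allowed_roles):
        return False, "role not authorized for this service"
    return True, "explicitly allowed"


def lateral_reach(session: Session, decide) -> set:
    """Every internal host the session could reach under the given decision model."""
    return {host for host in INTERNAL_HOSTS if decide(session, host)[0]}


if __name__ == "__main__":
    # Constructed scenario: a finance user's credentials have been phished.
    victim = Session("alice", frozenset({"finance"}), authenticated=True)
    print("VPN model reach:       ", sorted(lateral_reach(victim, vpn_style_access)))
    print("Zero trust model reach:", sorted(lateral_reach(victim, zero_trust_access)))
```

Under the VPN model the stolen account reaches the unpublished file share and build box because nobody wrote a rule against them; under the allow-list model it reaches exactly the two applications the finance role was granted, and every other request is denied and logged with a reason.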
Data encryption and back-up
Ransomware has become far more potent through the pandemic and has spawned a new class of attack, the “ransomhack”. A ransomhack not only encrypts the content of a user device, it also exfiltrates it. The ransom demands are higher for these double-whammy attacks.
The no-brainer way to avoid paying the ransom is to encrypt critical data on user devices continuously with high-quality ciphers and to back the data up periodically inside the enterprise datacenter. Such solutions have been available for several years now and can easily be set up for IT-managed user devices.
MFA ‘ON’ by default
It’s wise to set up multi-factor authentication (MFA) for all critical access ‘by default’ and to enforce it. A second factor of validation, an OTP or a secure token generated on a second user device, gives correlated, higher assurance of the user’s identity. Threat actors can then no longer rely on brute-forcing or cracking a weak password to gain unrestricted access to the user’s and the enterprise’s critical data.
MFA is gaining popularity for user access; however, there is laxity in applying this technology to critical network infrastructure such as firewalls, UTMs, perimeter routers, etc. The admin credentials of such infrastructure are often weak, and compromise of those credentials can be guarded against by MFA with very simple implementations.
Fingerprinting the devices
Most compromises are caused by user devices that are not up to date with the security patches and updates provided by their respective operating systems. Also, when the user is given complete flexibility to use any device to access corporate services, a holistic security solution becomes difficult.
An employee watching a cricket match on television and clicking through the television’s app store to check corporate messaging is not an uncommon sight nowadays. The ability to determine the nature and posture of the device being used by the remote employee (OS, version, vendor, etc.) is critical to providing flexibility to the business while safeguarding its assets.
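As an added illustration of what an access broker does with that device information (my own example, not a product’s logic), the following turns a device report into a posture verdict and a set of reachable applications. The report fields, the minimum-version baselines and the application tiers are all constructed for the example; real baselines come from the vendors’ support lifecycles and must be revised as releases go out of support.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DeviceReport:
    """What an endpoint agent or the login page's client hints tell the access
    broker about the connecting device (constructed fields for this example)."""
    vendor: str
    os_family: str
    os_version: str
    managed: bool


# Constructed policy: the oldest OS release we still accept as "patched".
# These numbers are placeholders, not a recommendation for any real estate.
MINIMUM_VERSION = {
    "Windows": (10, 0, 19045),
    "macOS": (13, 0),
    "iOS": (16, 0),
    "Android": (13,),
}

# Constructed tiers: which applications each posture verdict may reach.
TIER_APPS = {
    "full": {"email", "calendar", "messaging", "erp", "git"},
    "limited": {"email", "calendar", "messaging"},
    "deny": set(),
}


def parse_version(text: str) -> tuple:
    """Turn '10.0.19045' into (10, 0, 19045); non-numeric parts become 0."""
    parts = [int(p) if p.isdigit() else 0 for p in text.strip().split(".")]
    return tuple(parts) or (0,)


def evaluate_posture(device: DeviceReport):
    """Return (verdict, reason). Unknown platforms (a smart TV's app store, for
    instance) are denied outright; out-of-date or unmanaged devices are limited
    to low-risk cloud applications; patched, managed devices get full access."""
    minimum = MINIMUM_VERSION.get(device.os_family)
    if minimum is None:
        return "deny", f"unsupported platform {device.os_family!r} from {device.vendor}"
    if parse_version(device.os_version) < minimum:
        return "limited", f"{device.os_family} {device.os_version} is below the patched baseline"
    if not device.managed:
        return "limited", "unmanaged personal device: low-risk applications only"
    return "full", "patched, managed device"


def allowed_apps(device: DeviceReport) -> set:
    """The applications this device may be granted, before any user authorization."""
    verdict, _ = evaluate_posture(device)
    return TIER_APPS[verdict]


if __name__ == "__main__":
    # Constructed reports: a smart TV, an unpatched laptop and a current managed Mac.
    for report in (
        DeviceReport("Samsung", "Tizen", "7.0", managed=False),
        DeviceReport("Dell", "Windows", "10.0.18363", managed=True),
        DeviceReport("Apple", "macOS", "14.2", managed=True),
    ):
        print(report.os_family, report.os_version, "->", evaluate_posture(report))
```

The posture verdict is combined with, not substituted for, the user’s own authentication and authorization: a patched managed laptop still only reaches the applications its user’s role permits, and the reason string is what ends up in the access log when a request is limited or denied.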
Distributed protection powered by behavioral anomaly detection
All the security considerations recommended above are made keeping in mind that today’s remote workforce often chooses to use personal devices (non-IT-managed assets) to access enterprise services. However, a personal device is definitely more susceptible to infection because of targeted phishing, browsing habits, free Wi-Fi access in public spaces, etc.
There are two choices for the IT departments to provide this flexibility to users with utmost security in mind.
First, enroll the employee’s personal device in the IT asset base and install an endpoint security agent on it. With this step, the user’s personal device becomes as managed as any IT-supplied device. The endpoint agent can perform distributed firewalling, download specific policies, and manage the access, compliance and posture of the device. However, this does make employees uncomfortable, as they are apprehensive about what telemetry from their personal devices is being collected by the employer through that security agent.
The second approach is to allow only a few, preferably cloud-hosted, applications such as company email, calendar and messaging services, with proper MFA in place. To make doubly sure, service-chained network-based protection technologies (such as firewalling, data leak prevention, etc.) can be used to guard those enterprise services.