Thanks to the quick actions of IT technicians, organisations around the world have faced the challenges posed by COVID-19 and enabled their teams to work remotely. Now that we’re over the rapid deployment stage, Intercede CTO Chris Edwards looks at the steps IT teams can take to gauge their remote working security posture, and makes a number of recommendations on how working from home can be made more secure and painless for IT teams and remote workers alike.
Many industries have been operating with modest levels of remote working for several years now, but the COVID-19 crisis has brought about an unimaginable rise in the number of people suddenly propelled into working from their kitchen tables or garden sheds.
Such a situation would have been unthinkable as little as 10 years ago, but fortunately the recent rise in cloud computing services, collaborative working tools and high-speed broadband availability has enabled vast numbers of people to continue working effectively, without having to travel to the office.
For the IT support departments of many organisations however, this massive escalation in remote access to corporate resources has been a frightening experience. This is especially true for those companies that have maintained a ‘closed perimeter’ approach to system security, rather than joining the growing number of cloud service consumers for core business applications.
There is no doubt that removing the physical barrier between ‘inside’ and ‘outside’ risks exposing your enterprise to a wide range of malicious attackers who would love to break into your systems for reasons of industrial espionage, business disruption, ransoms or even political ends. So, what lessons can be learned from the organisations that have been at the vanguard of secure remote working for the past few years? What should we be concentrating on to maintain the integrity of our valuable digital assets?
Secure the endpoint
Fundamentally, the focus has to be on assuring trust between your employees, their endpoint devices and the corporate and cloud data services they need to perform their roles. To trust the endpoints, you need to apply best practice principles for avoiding malware and to mitigate the risks due to equipment loss or theft when off premises. This is a well-known problem – encrypt laptops and other mobile devices, ensure operating systems and applications are patched, and deploy a good anti-malware solution. Then be sure to monitor the status of these on all of your equipment so that you can detect whether every computer is fully up to date.
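As an illustration of the monitoring step above, the following PowerShell sketch reports the three controls named in this section (disk encryption, anti-malware, patching) for a single Windows endpoint. It is an added example, not code from the article or from Intercede; it assumes BitLocker and Microsoft Defender are the products in use, and the two age thresholds are illustrative values.

```powershell
# Added example: local endpoint posture check. Run in an elevated session.
# Thresholds are illustrative assumptions; take the real values from your policy.
$MaxPatchAgeDays     = 30
$MaxSignatureAgeDays = 3

function Get-EndpointPosture {
    $findings = [System.Collections.Generic.List[string]]::new()

    # Disk encryption: the OS volume should be fully encrypted with protection on.
    $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction SilentlyContinue
    if (-not $vol) {
        $findings.Add('BitLocker status unavailable (not elevated, or feature absent)')
    } elseif ($vol.ProtectionStatus -ne 'On' -or $vol.VolumeStatus -ne 'FullyEncrypted') {
        $findings.Add("System drive: $($vol.VolumeStatus), protection $($vol.ProtectionStatus)")
    }

    # Anti-malware: assumes Microsoft Defender; other products need their own query.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) {
        $findings.Add('Defender status unavailable (third-party anti-malware?)')
    } else {
        if (-not $mp.RealTimeProtectionEnabled) { $findings.Add('Real-time protection is off') }
        if ($mp.AntivirusSignatureAge -gt $MaxSignatureAgeDays) {
            $findings.Add("Signatures are $($mp.AntivirusSignatureAge) days old")
        }
    }

    # Patching: newest dated update record. Get-HotFix does not list every update
    # type and InstalledOn can be empty, so treat this as a coarse freshness signal.
    $last = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $last) {
        $findings.Add('No dated update records found')
    } elseif (((Get-Date) - $last.InstalledOn).Days -gt $MaxPatchAgeDays) {
        $findings.Add("Last update $($last.HotFixID) on $($last.InstalledOn.ToString('yyyy-MM-dd'))")
    }

    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Checked   = Get-Date
        Compliant = ($findings.Count -eq 0)
        Findings  = $findings -join '; '
    }
}

Get-EndpointPosture | Format-List
```

Collecting this object centrally from every remote machine turns it into the fleet-wide view the paragraph calls for; a machine that returns no result at all is itself a finding.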
Enable strong authentication
Now ensure that logon to your remote computers is strongly authenticated. A basic username and password is no longer enough. You should be considering solutions such as smart card logon, virtual smart cards (VSC) or Windows Hello for Business (H4B) on Windows computers. Mobile phones should have screen locks enforced and ideally require strong secondary authentication for accessing apps and services from the devices. Corporate-owned devices should be under the control of a mobile device management system.
The next step is to implement a VPN for accessing the corporate network (assuming you have resources on your network that are needed remotely). Multi-factor authentication is important here too. There are numerous solutions, but the most convenient and secure are those that use certificate-based authentication with a well-protected private key. If you are using a smart card, VSC or H4B, this again is easily achieved if you have a suitable credential management solution to deploy and maintain those credentials.
Strong authentication at the perimeter is of course only part of the story. Internal virtual network segregation and firewalls play an important role in restricting access from different origins with different levels of trust. You need to consider how to lock down access to every asset, so that even if the gateways are breached, there is still another barrier to be overcome in order to acquire or alter information. This is where cloud network and document management services excel with their very granular permission management solutions.
So, having secured the endpoint devices and the traffic into your corporate network and digital assets, you now need to turn your attention to other risks. The first relates to the local area network within which the client computer is operating. Most home networks are going to be much less secure than your corporate network, so advising your staff on how best to isolate their work computer from other devices on their home network is important. In Windows, setting the network profile to ‘Public’ to block file and resource sharing is a great starting point.
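The ‘Public’ profile setting described above can be audited and applied from PowerShell rather than through the Settings app. This is an added example, not part of the original article; the function names are hypothetical, and it assumes the built-in Windows firewall is what enforces the profile.

```powershell
# Added example: treat every non-domain network as Public. Run elevated.
function Set-UntrustedNetworksPublic {
    param([switch]$AuditOnly)   # report only, change nothing

    foreach ($p in Get-NetConnectionProfile) {
        # DomainAuthenticated is assigned by Windows when a domain controller is
        # reachable; it cannot be set or cleared by hand, so leave it alone.
        if ($p.NetworkCategory -eq 'DomainAuthenticated') { continue }

        $action = 'None'
        if ($p.NetworkCategory -ne 'Public') {
            if ($AuditOnly) {
                $action = 'WouldSetPublic'
            } else {
                Set-NetConnectionProfile -InterfaceIndex $p.InterfaceIndex -NetworkCategory Public
                $action = 'SetPublic'
            }
        }
        [pscustomobject]@{
            Interface = $p.InterfaceAlias
            Network   = $p.Name
            Was       = $p.NetworkCategory
            Action    = $action
        }
    }
}

# The Public category only isolates the machine if the firewall is active for it,
# so check the effective (ActiveStore) policy, not just the local setting.
function Test-PublicFirewallProfile {
    $fw = Get-NetFirewallProfile -Name Public -PolicyStore ActiveStore
    [pscustomobject]@{
        Enabled              = $fw.Enabled
        DefaultInboundAction = $fw.DefaultInboundAction
    }
}

Set-UntrustedNetworksPublic -AuditOnly | Format-Table
Test-PublicFirewallProfile | Format-List
```

Run with `-AuditOnly` first to see which home or hotspot networks were marked Private; drop the switch to apply the change.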
Encrypt, encrypt, encrypt
So now we have to consider the applications that are going to be used. Email has been the traditional approach to remote working communications and for many people this is still going to be of high importance. This is one area where there is no real change from office-bound working. It is of course best if you can digitally sign emails (and also encrypt especially sensitive ones), but surprisingly few companies choose to do this, despite it being a great defence against spear-phishing attacks. Using a smart card, VSC or enhanced H4B, this too is quite simple to implement.
A high proportion of companies are now using cloud services such as Office 365 for their line-of-business applications. However, you should be employing some means of strong authentication to that service. Ideally this would be certificate based (yet again smart cards, VSC etc) as these are very convenient to use and in the case of VSC or H4B, do not require additional hardware. Other multi-factor solutions are available of course, but with increasing levels of inconvenience or reduced security benefits.
Maintain security patches
Finally, a word on the ‘new normal’ for so many of us: collaboration and video conferencing tools. These have arguably been the oil that has lubricated business operations since lockdown and enabled both business and social continuity in the most trying of circumstances. Whether you use Teams, Slack, Zoom, GoToMeeting, Skype, Webex or other tools, you will need to ensure that you are using the latest security-patched versions. Zoom in particular received some adverse publicity in the early stages of the current crisis, but was quick to respond with fixes to address the issues identified.
The common message for all of these platforms though, is to be sure that you know who is joining your call – use strong authentication where possible for your own employees and ensure that every meeting is set up with sensible options such as generating a new ID for every meeting and requiring a password to enter. Limit the capabilities of less trusted attendees to minimise the risk of unwanted uploads and shares.
Within these cloud collaboration portals, most communication is channelled through instant messaging, chat rooms, shared documents, whiteboard apps and other convenient tools, all of which are more convenient than email for the majority of personal interactions. They also encourage the broader social communication that is of such importance to maintaining the mental health of your workforce.
This COVID-19 event has been seismic in so many ways. It has caused tremendous loss and hardship for many and forced all of us to adapt rapidly to new challenges and a radically different view of what it means to ‘go to work’. When this is over though, it is very clear that most organisations will have implemented the necessary infrastructure and procedures to sustain many of the advantages that secure remote working can bring in terms of work-life balance, reduced commuting and pollution and greater responsiveness and flexibility in working practices.
I have been highly impressed by the ingenuity and capabilities of our IT technicians and service providers in delivering outstanding levels of business continuity in the most extreme of situations. As we now transition into a more balanced operational phase however, it is absolutely vital that the security of the rather rushed deployments that have been necessary is reviewed. We can then implement the deeper layers of security that we will need to apply in order to continue to benefit from these new working practices without exposing every enterprise to greater risk from the activities of cyber criminals.