Securing the new normal of Remote Work
If remote work is here to stay, what does that mean for your organization’s cybersecurity? Here are some broad areas you should consider to secure your
Remote Work is now just “Work”
I wrote the following back on March 17:
1) Remote work, obviously. I think companies will make a significant move to sustaining increased levels of remote work. Also many employees that get a taste of life with no commute and reduced walk-ups may find they prefer remote work. This should have momentous ramifications to hiring pools, recruiting, and even traffic planning.
Then Daniel Miessler (@danielmiessler) shared this video clip from a CNBC interview with Jason Calacanis (@jason). Skip to the 4:48 minute mark.
My current experience is bearing this out. Personally, my employer had all of these tools and technology in place but it was still inconvenient to do some functions of work from home.
We’d forget to add a conference call number or web meeting link to a meeting invite so you’d have a last minute scramble trying to connect. It also felt odd, in our cultural context, to host a client or prospect conversation virtually.
Then due to COVID-19 we overcame those issues immediately. A transition, fraught with doubt, that would have taken 18-24 months happened overnight.
Obviously our in-person interactions will increase and some of you are itching to get back into an office. However, physical presence is now relegated to a luxury, not a necessity for knowledge based work.
As organizations realize they can expand their talent pool beyond geography and simultaneously reduce their spend on walls and cubicles… well the proverbial ship has sailed.
So what does this “the future is now” remote work mean for Cybersecurity? A lot! Here are some major themes I’m talking about with clients.
Accelerated Cloud Adoption
The cloud brings amazing flexibility and features for SMBs at an attainable price point. However, the risks change. (Note that I did not say increase, as that would be a blanket statement without doing a Risk Assessment. Some risks will increase, others will likely decrease.) What I can guarantee you is that without a strong understanding of features, licensing, and proper configuration the cloud can vastly increase your risk. Your monitoring and management of the cloud likely needs some serious investment, both financially and in expertise.
The traditional approach for deploying patches, monitoring device health/security, and even filtering the web has been dependent on computers being “in” the office. (In being defined as physically present or connected via VPN.)
Now you are faced with managing endpoint security without ever having these devices connect to an internal network. To be clear, I’m using Endpoint Security in the broad sense, not just which anti-virus you use. That includes:
- Operating System Patches
- 3rd Party Patches
- Web Filtering
- Health Monitoring
- Security Event Monitoring
- and yes anti-virus as well
It’s tempting for advocates of the traditional approach to default to the perspective that people should just periodically connect via VPN. Don’t default to this short-sighted approach. While VPN might be a key part of your operational and security posture it shouldn’t be a prerequisite for securing your endpoints.
Keep in mind that as your cloud adoption increases your users have a decreasing need to connect to VPN. Even more critically, if you can’t force every login and connection via VPN automatically then any security control dependent on VPN is immediately undermined and likely insufficient.
Questions you should be considering:
- How do we deploy patches to workstations off network? How do we maintain near-real time visibility to vulnerabilities or patches that are needed?
- Can you make a policy change in your endpoint security solution (i.e., antivirus) and see it pushed to all endpoints?
- How will you help protect your users from phishing sites or websites known to distribute malicious software?
This is to say nothing of Help Desk support of your distributed workforce or Asset Provisioning/Management.
These may be seismic changes and your Risk Management process should identify and prioritize these gaps immediately.
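To make the VPN dependency concrete, here is a small coverage audit, added as an illustration and not taken from any product. The device records, the control-to-channel mapping, and the 14-day threshold are all constructed assumptions.

```python
# Added example: which endpoint controls go stale when they depend on VPN?
MAX_AGE_DAYS = 14  # assumed policy: a control must reach the device every 14 days

# Assumed deployment: the path each control needs to reach a device.
VPN_DEPENDENT = {
    "os_patches": "vpn",
    "third_party_patches": "vpn",
    "web_filtering": "vpn",
    "security_events": "cloud",
    "antivirus_policy": "cloud",
}
# The same controls, all delivered by an internet-facing (cloud) service.
CLOUD_MANAGED = {control: "cloud" for control in VPN_DEPENDENT}

# Constructed sample fleet: days since each device was last seen on each path.
DEVICES = [
    {"host": "lt-001", "days_since": {"vpn": 2, "cloud": 0}},
    {"host": "lt-002", "days_since": {"vpn": 45, "cloud": 0}},
    {"host": "lt-003", "days_since": {"vpn": None, "cloud": 1}},  # never on VPN
]

def stale_controls(device, channels, max_age=MAX_AGE_DAYS):
    """Return the controls that have not reached this device recently enough."""
    stale = []
    for control, channel in channels.items():
        age = device["days_since"].get(channel)
        # A device never seen on the required path counts as uncovered.
        if age is None or age > max_age:
            stale.append(control)
    return sorted(stale)

def coverage_report(devices, channels):
    """Map each host to its list of stale controls."""
    return {d["host"]: stale_controls(d, channels) for d in devices}

def uncovered_hosts(devices, channels):
    """Hosts with at least one stale control."""
    report = coverage_report(devices, channels)
    return sorted(host for host, stale in report.items() if stale)

if __name__ == "__main__":
    for name, channels in (("VPN-dependent", VPN_DEPENDENT),
                           ("Cloud-managed", CLOUD_MANAGED)):
        print(name, coverage_report(DEVICES, channels))
```

The two laptops that rarely or never connect to VPN lose patching and web filtering in the first layout and lose nothing in the second.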
Zero Trust Architecture
Let’s be clear: there really isn’t a perimeter around your valuable data where everything is protected by a hardened wall at the edge. This is known as “castle and moat” architecture and asserts that if you are inside the castle you are trusted.
This construct has been bankrupt for years but many SMBs, and SMB IT vendors, couldn’t see beyond spending on AV & Firewalls. (Stepping off soapbox).
Now, more so than ever, your data and people assets are far beyond your premises and any notion of perimeter. Organizations must move to a Zero Trust design.
Never Trust, Always Verify
What is Zero Trust?
“Zero trust” is a phrase first coined by John Kindervag of Forrester in 2010 to describe the need to move security leaders away from a failed perimeter-centric approach and guide them to a model that relies on continuous verification of trust across every device, user and application. It does this by pivoting from a “trust but verify” to “never trust, always verify” approach. In practice, this model considers all resources to be external and continuously verifies trust before granting only the required access. – Threatpost: A Practical Guide to Zero-Trust Security
I dare not be reductionist about adopting Zero Trust. This is not a 3 step, 30 day plan. This is a monumental shift that will impact your users, devices, applications, and data. It’s impossible for me to give you an accurate picture of what this means for your organization, though I will hint at areas that you’ll probably be considering:
- Multi-factor Authentication (MFA)
- Single Sign-On (SSO)
- Device Management
- Data Classification / Loss Prevention
- Conditional Access
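Here is how those pieces combine into a single access decision, as an added sketch rather than any vendor’s conditional access engine. The labels, thresholds, field names, and sample requests are assumptions made up for illustration.

```python
# Added example: a per-request Zero Trust decision. Network location is
# recorded but never consulted, so being "inside the castle" grants nothing.
from dataclasses import dataclass, replace
from typing import Optional

# Assumed data classification labels and what each one requires.
POLICY = {
    "public":       {"mfa_max_age_min": None, "managed_device": False},
    "internal":     {"mfa_max_age_min": 720,  "managed_device": False},
    "confidential": {"mfa_max_age_min": 60,   "managed_device": True},
}

@dataclass(frozen=True)
class AccessRequest:
    user: str
    sso_session_valid: bool
    mfa_age_min: Optional[int]   # minutes since last MFA, None if never done
    device_managed: bool
    device_compliant: bool
    on_office_network: bool      # kept for logging only; never grants trust
    resource_label: str

def decide(req):
    """Return (decision, reason); decision is 'allow', 'step_up' or 'deny'."""
    rule = POLICY.get(req.resource_label)
    if rule is None:
        return ("deny", "unclassified resource")   # fail closed
    if not req.sso_session_valid:
        return ("deny", "no valid SSO session")
    if rule["managed_device"] and not (req.device_managed and req.device_compliant):
        return ("deny", "device not managed and compliant")
    max_age = rule["mfa_max_age_min"]
    if max_age is not None and (req.mfa_age_min is None or req.mfa_age_min > max_age):
        return ("step_up", "MFA missing or too old")  # ask for MFA again
    return ("allow", "all checks passed")

# Constructed sample requests.
HOME_LAPTOP = AccessRequest("alice", True, 30, True, True, False, "confidential")
OFFICE_BYOD = AccessRequest("bob", True, 30, False, False, True, "confidential")
STALE_MFA = replace(HOME_LAPTOP, mfa_age_min=300)

if __name__ == "__main__":
    for r in (HOME_LAPTOP, OFFICE_BYOD, STALE_MFA):
        print(r.user, r.resource_label, decide(r))
```

The managed laptop at home is allowed while the unmanaged device in the office is denied, which is the reverse of what a perimeter model would do.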
For further insight into Zero Trust, here are some great starting points:
- Threatpost: A Practical Guide to Zero-Trust Security – A concise but excellent overview.
- Microsoft: Implementing a Zero Trust Security Model – A good strategic overview
- Microsoft: Building Zero Trust Networks in 365 – Published in 2018 by their Security team, shows how the pieces fit together.
PS: The best time to implement Zero Trust? When you move to the cloud.
Enhancing Home Networks
Remote work has not abolished your need to invest in a productive and secure work environment. Instead of spending on cubes and network port density you should be looking at how you can further enable your associates at home. Specifically, procuring and provisioning enhanced equipment to help your employees have strong connections and better security.
I’m an old network guy so my home network has 2 WAPs, a PoE Switch, CAT6 cabling, and a decent firewall all configured with multiple SSIDs and VLAN segmentation. (That being said I’ve already identified a need to upgrade my switch and firewall and as soon as my COO approves I’ll be upgrading my network.)
However, most of your workforce is running on equipment they got from AT&T/Comcast and every PC, phone, and TV is running on a single wireless network. That is not ideal for quality secured connections.
Don’t shift the burden of this problem solely to your employees’ knowledge and pocket-book.
How to help:
- Define a reference architecture, an ideal setup, for common ISPs. Purchase, provision, and ship equipment to your employees.
- Create a purchasing program that allows employees more choice for laptops and desktops at home. This helps you cull the less desirable consumer options.
- Extend your IT support desk to cover employee home networks. (Yes your IT folks will groan. Most IT folks loathe home networks and printers, for good reason, but you still print right?)
- Talk to your firewall / SD WAN vendors about deploying devices at home networks if needed.
- and please update your policies and employee agreements to define privacy and ownership.
I, for one, am excited about the future this has ushered in for knowledge based workers and businesses. This may well go down in history as one of the watermarks of how business changed forever. Industrial Revolution, Computing, COVID-19. This future has been on its way for a while. As Jason said, some organizations have been pointing the way already. Things just sped up significantly.
Are you ready?
Most of us have some work to do… remotely.