At the start of lockdown, I had a conversation with an associate about how his remote team deployment was going. ‘We have to respond fast,’ he said. ‘For now, we’re just punching holes in our firewalls, literally violating security policies, so that people can access what they need to keep the business running.’ My heart sank.
That time has long passed. Time now to equalise security with efficiency if you want to avoid a serious breach. Securing remote access to your corporate systems, data and apps is not complicated. I’m going to show you why it matters, how to do it and how to create records that can even help lower insurance premiums.
The challenges: devices, data and network visibility
Your teams are conferencing away on their devices with unfettered access to every critical app. But what security measures have you compromised in the name of business continuity?
Your critical data is no longer secured in your corporate environment. It’s out there, on those devices. Standard security on devices and home networks is an illusion. Trust it at your peril.
Endpoints, out of the box, are unsecured. Configuration is a simple procedure and should be your most basic step every time a new laptop, phone or tablet is unpacked.
Next: the problem of unsecured networks. Home networks are about as secure as Starbucks! They are generally designed to allow more traffic than they block, to minimise frustrated calls to ISP help desks. Good configuration is the first line of defence as home and public networks are open highways, by default.
What about data encryption? At work, your Local Area Network (LAN) should be designed to allow permitted traffic only, and data is often encrypted. You penetration-test religiously or use continuous vulnerability management. Yet during lockdown, it was suddenly fine to let data run through unsecured networks.
Finally, how many devices have access to your home network? A neighbour’s phone might have logged on at that BBQ, your kids’ tablet, smart cameras, smart assistants or gaming consoles… These offer multiple new attack vectors that you can’t control.
Secure remote access requires layers of ‘zero-trust’ security
When you trust a device, how it’s accessed or the network it’s on, you create a weakness. Security requires layers and documented, zero-trust processes.
Endpoint configuration significantly improves security but alone, it’s not enough. The Zerologon bug that allowed anybody to take over a Windows network in 30 seconds couldn’t be stopped by configuration.
Documented evidence of processes is vital. Humans are fallible so a record reminds them of anything that’s been overlooked. Insurance companies too, require evidence for reduction in premiums.
Seeing evidence of IT security measures should be as natural as checking your accounts with the CFO. There’s nothing wrong with asking for proof of financial health. IT security should be treated the same.
Here are three simple steps to help secure remote access.
Step 1: Securely configure your endpoint devices
The Centre for Internet Security benchmarks – www.cisecurity.org/cis-benchmarks is a US-government sponsored site that provides handy guides to securely configure almost anything.
Download checklists for current versions of every operating system and follow
the recommended steps. The benchmarks are free and there are many tools available that automate the process if time is a concern.
Questions for IT:
• How do we harden endpoints for security?
• How do we ensure the process is repeatable and uniform?
• How do we record each configuration?
Step 2: Encrypt your data | VPN or SASE?
Any data, emails, files etc sent over a public network could be sent as plain text.
A virtual private network (VPN) is a common solution. Encrypted data is routed via the office to enforce policies. However, this ‘hairpinning’ creates a data bottleneck, a single point of failure and, often, requires additional licensing.
Secure Application Service Edge (SASE – pronounced sassy) changes the concept of a network from site-centric to user-centric. SASE combines firewalls, secure gateways and zero-trust access from each endpoint.
The platform connects you directly to the cloud and masks your data and IP address wherever you are. All traffic is logged. You can block access to certain websites, see who is accessing what and prevent data loss.
Questions for IT:
• How do we control cloud application access?
• How is our data encrypted?
• How do we know if someone has downloaded something?
• How do we know if someone has copied or shared something?
Step 3: Extend your LAN
If long-term remote working is on your roadmap, you should look at treating home networks like branch offices by extending the corporate LAN.
Network Access Control (NAC) ensures you know about every device on your network. ‘Zero touch’, cloud-managed wireless access points can be deployed. Plug them into the home network and they can automatically extend the LAN, ensure only registered devices can log on and put your endpoint behind an enterprise grade firewall. For a few hundred quid, you can expect massive ROI from these over their five to seven-year lifetime.
Questions for IT:
• How do we know which devices are logged onto our network?
For more information, feel free to get in touch with me at firstname.lastname@example.org