Authored By: Morey Haber—CTO & CISO at BeyondTrust
In a matter of days, hundreds, if not thousands, of organisations in areas around the globe affected by COVID-19 (coronavirus) are suspending office work and mandating that their employees work remotely. Many companies have mandated remote work throughout the rest of the month or indefinitely, thrusting hundreds of thousands of employees, contractors, and vendors into telecommute situations.
While some companies may have solid disaster recovery plans in place, few are likely equipped for a large-scale shift to telecommuting that could extend well beyond weeks. It’s an enormous, unplanned stress test for remote access. This situation has created an immense, rapid demand for secure remote access tools, driven by the need to protect employee health and network security and to ensure business continuity.
Except for a small sliver of companies that are either 100% telecommuting or have at least embraced remote work options for a significant part of their workforce, most organisations lack the infrastructure to effectively and securely “go remote” en masse. This model shift strains the networks, applications, and services structure.
Then, there are the cybersecurity implications. Do these newly telecommuting employees have the right tools for remote work, or are they compelled to quickly stitch together shadow IT applications to maintain productivity? Do they have work-provisioned laptops, or are they forced to use personal laptops/devices for work-related activities?
Shadow IT has long been a mixed blessing, but the move en masse to so many applications and devices outside IT control creates considerable risk. In most organisations, personal laptops probably lack the security software safeguards and policies that protect hardened, company-provisioned devices. Many employees are now forced to use their own devices with a corporate-issued VPN or other remote access technology. This situation poses a threat when they are connected to the corporate network.
Of course, as organisations and localities are grappling with how to maintain normalcy while taking precautions, cyber threat actors have not skipped a beat in exploiting the crisis. The World Health Organisation (WHO) has issued multiple reports of hackers leveraging exploits as part of coronavirus-related scams. Sometimes, they pose as business partners or public institutions in an effort to phish users when they open messages infected with malware.
How can organisations and their workforces remain as productive as possible during this crisis without creating unacceptable security risks in the process? Unprepared organisations forced to “go remote” may feel compelled to broadly loosen security policies to enable productivity. Obviously, this is not an ideal situation, particularly for global enterprises. Loosening the standards for just one user or device could jeopardise data privacy and security across the entire global network.
How Secure is your Remote Access?
One of the most pressing of these security issues involves the technology to enable telework in the first place. If organisations are unprepared to roll out a secure remote access technology, employees, including even IT staff, may feel forced to download free tools to get their work done. However, these tools will almost invariably have a combination of monitoring, authentication, and security deficiencies that can put the entire organisation at risk of a breach, as well as failed compliance audits.
In haste, many organisations may have remote workers and vendors VPN into the corporate network, but VPNs are not ideal. First, they lack the scalability needed to accommodate a surge of remote workers. And, perhaps more concerning, VPN technology, while providing some protections (such as against man-in-the-middle attacks), itself suffers from many security shortcomings.
VPN security concerns are particularly heightened when they’re used for privileged users and third-party vendors. For instance, VPNs typically lack granular permission setting options, firewall settings are weakened, visibility and reporting options are poor, and the principle of least privilege (PoLP) may be unattainable.
If, in the short-term, BYOD is the only feasible option to allow remote work, it’s advisable that you ensure your remote access technology absolutely does not use a VPN, does not use any local clients, does not perform any protocol tunneling, and renders all remote sessions in a browser.
While vendor access has long been a weak security link, typical office staff are now essentially forced into working as pseudo-vendors, coming from off-network devices and networks, and potentially BYOD. Of course, true vendor access itself may be expected to increase in the coming months as organisations turn to IT service providers and other third parties to help them manage the growing IT workload and new challenges in the face of the coronavirus. And it’s particularly important that vendor access is not as simple as “on” or “off”; it needs to be tightly controlled and audited.
Here’s a series of questions to evaluate your current remote or vendor access system and policies:
Question 1 - Can you set granular access? Most of your employees or vendors only need access to very specific systems, and specific actions on those systems. Organisations should be able to enforce a policy of least privilege by giving users just the right level of access needed for their roles with individual accountability for shared accounts.
Question 2 - Do you have one single path for approvals and notifications? Administrators and IT teams should be able to consolidate the tracking, approval, and auditing of privileged accounts in one place.
Question 3 - Do you know when your network is being accessed, by whom, and for what purpose? You should have the ability to receive automated notifications when privileged remote access sessions are initiated, and the ability to layer on access approval workflows for particularly sensitive sessions.
Question 4 - Do you securely manage the privileged credentials that employees and vendors use for privileged remote access? Enterprise-class secure remote access solutions should eliminate the need for privileged users, whether internal or third-party, to remember or share credentials for the systems they need to access. The credentials should be centrally managed, and potentially even changed after every session or use. Frequent privileged credential rotation reduces the threat of password reuse attacks.
Question 5 - Are you able to capture detailed session data (for all remote access sessions—whether remote employee or vendor) for real-time or post-session review and compliance? IT/auditing should be able to get a detailed log of exactly what individuals did when connected to your network. If you don’t have that, you don’t have security, you don’t have accountability, and you don’t have compliance.
Examining your environment and working through these questions will help ensure a secure, productive remote access experience for your employees and vendors. Good luck in your planning and execution.