How do companies maintain network security when their people are all over the place?
It’s the million-dollar question right now, as executives and tech leaders strive to lock down remote networks across an organization.
Some people ask about device compliance – how businesses can know that their employees are tapping away remotely on secure channels and that their endpoint devices aren’t leaking information to unauthorized parties. Others have specialized concerns about industry standard compliance. Either way, having a better idea of how to set a security policy can help.
Types of Remote Security Policies
On a fundamental level, the best way to handle this type of business continuity is to put the right security policies in place. But this has some complexity to it – it’s more than just ordering up a few vendor services and calling it a day. Let’s look at three types of security policies that are important to facilitate safe remote work.
The first is multifactor authentication or some other high standard for authenticating user traffic. Typically, this takes the form of using a smartphone as the multifactor authentication device. These types of systems are pretty strong – in other words, the chances that the unauthorized user (read: black hat) is going to have someone else’s smartphone when signing in are pretty small – but you can consider additional controls or augmenting tools elsewhere in the system. SSH-key authentication is also an option.
The second kind of cybersecurity has to do with database controls, and here’s where you can talk about hashing and encryption, where algorithms help to shield sensitive data from prying eyes. A lot of this database work assumes that even with strong network security, some hacker will somehow get their hands on a table or two, maybe due to vulnerabilities in remote SQL queries.
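The leaked-table assumption above, as an added example that is not part of the original article: credentials are stored as a per-row salted scrypt hash, so a copied table exposes neither the passwords nor which users share one. The function names, the cost parameters and the sample users are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed scrypt cost parameters (not from the article); tune them to your hardware.
SCRYPT_PARAMS = {"n": 2**14, "r": 8, "p": 1, "maxmem": 64 * 1024 * 1024, "dklen": 32}


def hash_password(password: str) -> str:
    """Return 'salt_hex$hash_hex' for storage in the credentials column."""
    salt = os.urandom(16)  # unique per row, so equal passwords differ on disk
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the row's own salt and compare in constant time."""
    try:
        salt_hex, hash_hex = stored.split("$", 1)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed row: fail closed
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT_PARAMS)
    return hmac.compare_digest(digest, expected)


def build_users_table(credentials: dict) -> dict:
    """Constructed stand-in for a 'users' table: username -> stored hash."""
    return {user: hash_password(pw) for user, pw in credentials.items()}


if __name__ == "__main__":
    # Constructed sample data; the two users deliberately share a password.
    table = build_users_table({"alice": "correct horse", "bob": "correct horse"})
    for user, stored in table.items():
        print(user, stored)  # what someone holding the table would see
    print(verify_password("correct horse", table["alice"]))
    print(verify_password("wrong guess", table["alice"]))
```
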
The third kind of cybersecurity related to remote work is particularly relevant where people are accessing a corporate network from outside of headquarters. We hear a lot about VPN as the magic bullet for remote work cybersecurity, but that doesn’t mean it’s the only option around. You have things like zero trust systems and remote desktop systems vying for operability as executives try to put safeguards in place. Remote desktop systems, for example, have become somewhat of a gold standard at some companies, and their comprehensive platforms can add a lot of functionality. You have to watch out for things like vulnerable remote desktop ports, but with the right fit, these can become a common means of securing remote work systems.
The Two-Faced Coin of Remote Work Cybersecurity
In assessing company systems, some analysts warn about avoiding ‘death by auditing’ – the idea that your system cybersecurity is mainly composed of audits and monitoring tools and threat detection equipment, and that exhaustive auditing will do ALL of the heavy lifting. Some talk about auditing as one half of the “dao” of networking security, where the other, complementary half is the initial design of systems.
To be sure, there is a place for auditing and logging and keeping track of network activity – that’s not to be missed. But focusing too much on auditing obscures the responsibility of the system to handle remote work security on a proactive basis – in other words, with good design, there are fewer failures or threats left for auditing to catch. Of course, there’s the need to deal with the eventuality: dwell time in threat management and all the rest. But initial design is critically important, too.
Identity and Access Management
In the end, to build a good initial design, one of the common recommendations of security pros is to tightly control end-user permissions.
When user permissions are locked down, end-user devices won’t be able to easily access different types of sensitive files or folders when doing so could be dangerous to the company. There’s an abstraction that favors network protections over the individual’s ability to just do whatever they want inside of the system, from wherever they happen to be. It’s like when people talk about revealing things on a “need to know” basis – this is a “need to use” basis, and if the end user’s permission level doesn’t require the access for him or her to do the job, that range of access stays off-limits.
This has largely taken over from some aspects of the prior trend called BYOD, where people were using their personal devices to work at home. Nowadays, people will be more likely to be using a company device, but the cybersecurity requirements remain somewhat the same, although with notable differences.
To the extent that companies can isolate remote work users while still connecting them to the functionality that they need to do their jobs, these policies will protect the network as a whole. As with any kind of system, though, the right fit is important. Look at the training requirements – will staff know how to use these things? Look at how these systems will guarantee uptime. All of this is a part of evaluating what you’ll be using to make sure the company’s policy is sound.
In addition to all of the above, there’s an issue that managers have to talk to employees about: cybersecurity hygiene.
It’s important to be able to have basic assurances that employee networks are sound and won’t leave a corporate device crawling with malware, or enable the kinds of drive-by hacks we hear about with unsecured hotspots. Maybe the encryption will prevent these, but being able to instill a sense of personal responsibility in remote end-users helps, too.
Then there’s the need for critical software versioning, patches, and updates, as well as licensing management. Some vendor tools allow CTOs and other top brass to see into their networks to figure out these things with a glance. End-of-life support for vendor applications and systems can leave a client in bad shape.
Keep all of this in mind to put together an operational model that really circles the wagons.