By Morey Haber, CTO & CISO, BeyondTrust
Driven in large part by the globalization of technology, a focus on a healthier work-life balance, and an uptick in the number of millennials entering the workforce, companies in the region and across the globe are increasingly offering their employees the option to work remotely. Not surprisingly, a recent survey from Bayt.com found that 79% of professionals in the Middle East & North Africa (MENA) region would prefer to work for companies that offer a remote working option. Offering that option can also work to the advantage of the organization. According to Gartner, “by 2020, organizations that support a ‘choose-your-own-work-style’ culture will boost employee retention rates by more than 10%.”
So, while there is no disputing the many benefits of remote working, it does add a layer of complexity that creates security challenges. As such, the onus is on organizations’ IT teams to ensure that their remote workers are empowered with the tools they need to be productive, without exposing the organization to excessive cyber risk. In most cases, this will mean addressing risks in three key areas.
Remote Security Access
In most cases, remote employees connect to corporate resources directly via a VPN or via hosted cloud resources. These employees are often behind their own home routers, which employ techniques like Network Address Translation (NAT) to isolate the network. However, this poses a network routing challenge for traditional IT management and security solutions.
For one, corporate cybersecurity solutions cannot push updates directly to remote employees or directly query their systems. As a consequence, the only way for these remote employees to get cybersecurity updates or submit data is to poll (initiate an outbound connection) into the corporate cybersecurity resources. This often requires a persistent outbound connection to determine state—regardless of using a VPN or cloud resources—and is susceptible to trivial network anomalies commonly found in home-based wireless networks or cellular technology.
Additionally, as a result of name resolution and limitations in routing, processes such as discovery and pushing of policy updates all become batch-driven, as opposed to near real-time. Even remote support technologies require an agent with a persistent connection to facilitate screen sharing since a routable connection inbound to SSH, VNC, RDP, etc. is not normally possible for remote employees.
Thus, the number one hurdle to securing remote employees is managing devices that are not on the traditional corporate network and are therefore no longer routable, reachable, or resolvable from it for analysis and support.
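The pull-only model described in this section means the management side can infer endpoint state only from the polls it receives. The following is an added example, not part of the original article: it classifies endpoints from constructed check-in records, tolerating the brief gaps typical of home Wi-Fi before declaring a device stale. The poll interval, grace count, policy version numbers and host names are all assumptions.

```python
from datetime import datetime, timedelta

POLL_INTERVAL = timedelta(minutes=15)  # assumed agent poll period
GRACE_POLLS = 3                        # assumed missed polls tolerated before "stale"
CURRENT_POLICY = 7                     # assumed latest policy version

# Constructed sample check-ins: (endpoint, poll time, policy version applied)
T0 = datetime(2024, 1, 8, 9, 0)
CHECKINS = (
    [("laptop-a", T0 + timedelta(minutes=m), 7) for m in (0, 15, 30, 45, 60)]
    + [("laptop-b", T0 + timedelta(minutes=m), 7) for m in (0, 40, 60)]  # Wi-Fi drop
    + [("phone-c", T0 + timedelta(minutes=m), 6) for m in (0, 15, 30, 45, 60)]
    + [("tablet-d", T0 - timedelta(hours=5), 7)]  # silent ever since
)

def assess(checkins, now):
    """Derive endpoint state from outbound polls alone; nothing is probed inbound."""
    by_host = {}
    for host, ts, policy in checkins:
        by_host.setdefault(host, []).append((ts, policy))
    report = {}
    for host, polls in by_host.items():
        polls.sort()
        last_seen, policy = polls[-1]
        gaps = [b[0] - a[0] for a, b in zip(polls, polls[1:])]
        # A 40-minute gap at a 15-minute interval means one poll never arrived.
        missed = sum(int(g / POLL_INTERVAL) - 1 for g in gaps if g > POLL_INTERVAL)
        if now - last_seen > POLL_INTERVAL * GRACE_POLLS:
            state = "stale"        # unreachable: cannot be queried or updated
        elif policy < CURRENT_POLICY:
            state = "policy-lag"   # polling, but has not yet pulled the update
        elif missed:
            state = "flapping"     # transient network anomaly, currently back
        else:
            state = "healthy"
        report[host] = {"state": state, "missed_polls": missed,
                        "silent_for": now - last_seen}
    return report

if __name__ == "__main__":
    for host, info in assess(CHECKINS, T0 + timedelta(minutes=65)).items():
        print(host, info["state"], info["missed_polls"], info["silent_for"])
```
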
Bring Your Own Device (BYOD)
Remote employees’ technology can come in two forms: corporate-supplied IT resources and Bring Your Own Device (BYOD). While corporate-issued devices and resources can be strongly hardened and controlled, personal devices are frequently shared and may not undergo the same level of security attention. Organizations struggle to control end-user devices with mobile device management (MDM) tools and technology that can only isolate applications and user data on a device.
For obvious reasons, corporate IT teams cannot harden employee-owned devices and govern the device operations as tightly as they could corporate-owned and deployed devices and systems. The methodology your organization chooses to support BYOD is ultimately a balance between cost, risk, and usability.
Finally, there is the challenge of deploying basic cybersecurity controls like vulnerability management and anti-virus. Traditionally, these controls were delivered using network scanners, agents, and services that require connectivity to on-premise servers.
The good news is that cloud technologies have simplified management of these security basics. Because cellular and other mobile technologies cannot maintain a persistent and routable connection, it is imperative that organizations embrace the cloud for managing basic cybersecurity disciplines. The cloud offers universal resources—outside of a traditional datacenter—to which remote devices can securely connect and take advantage of methodologies like geolocation and two-factor authentication, for additional layers of security.
Best Practices for Securing a Remote Workforce
The best advice for CISOs who need to secure the remote workforce is to keep an open mind and accept new technologies, methodologies, and workflows for accomplishing security best practices.
This includes using MDM solutions, leveraging the cloud, and monitoring data and workflows to prevent a breach. CISOs need to think outside the box regarding connectivity. We can expect a bandwidth evolution with 5G. Large-scale data theft can transpire within minutes using wireless technology. This can happen via a remote employee copying the data from corporate resources, or from threat actors exploiting a compromised remote employee account.
With all the above taken into account, CISOs need to understand their business models, the roles remote employees play, and the data and system risks they represent. Only then can a defensive strategy be built using modern security technology and practices.
About the Author
With more than 20 years of IT industry experience and author of Privileged Attack Vectors and Asset Attack Vectors, Mr. Haber joined BeyondTrust in 2012 as a part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology encompassing privileged access management, remote access, and vulnerability management solutions, and BeyondTrust’s own internal information security strategies. In 2004, Mr. Haber joined eEye as the Director of Security Engineering and was responsible for strategic business discussions and vulnerability management architectures in Fortune 500 clients. Prior to eEye, he was a Development Manager for Computer Associates, Inc. (CA), responsible for new product beta cycles and named customer accounts. Mr. Haber began his career as a Reliability and Maintainability Engineer for a government contractor building flight and training simulators. He earned a Bachelor of Science in Electrical Engineering from the State University of New York at Stony Brook.