The COVID-19 outbreak has forced many organizations to change the way they carry out their day-to-day operations. Many have implemented a remote workforce strategy with varying degrees of success. A few have transitioned smoothly, others have gone about it suboptimally, and still others are struggling to make it happen.
Even highly sophisticated organizations have been caught off guard by these unusual and unforeseen circumstances — circumstances normally not accounted for in standard business continuity planning. Why? Because in many cases, it’s not as simple as just asking staff to take their laptops home. And it’s hard to keep track of the myriad things to consider when you’re busy in the trenches.
Shifting to a remote workforce, either temporarily or long term, requires a strategy that includes IT infrastructure and operations aspects. Follow these guidelines as validation for what you’ve already done or as a playbook to get started. Note that IT solutions come in many forms, and the language we use here is vendor-agnostic.
Access to applications
The use of cloud technology is very prevalent today. Many business-line applications (including CRM, newer ERP releases, etc.), as well as collaboration and communication tools (voice, email, instant messaging, etc.) are offered under a cloud-first model, meaning a cloud-based deployment is the default scenario.
If all your applications and data are available via a cloud-based software as a service (SaaS) model, as is the case for Salesforce, O365, or G-suite, any staff member with an internet connection at home will be able to access them.
However, most organizations have at least a few applications or data still residing in their on-premise environment, that is, in their own data center or equipment room, or in a private cloud or hosted environment (a data center owned by somebody else). These are normally accessed from the “corporate” network at the organization’s facilities, and thus some measures need to be taken to allow remote access.
Remote access to on-premise and private clouds is usually accomplished with virtual private network (VPN) technologies, which connect the user’s device to a physical or virtual VPN concentrator or firewall instance in the organization’s network. For this, consider whether your VPN solution has the necessary licenses and bandwidth to support the number of remote users and the quantity of concurrent connections required.
End users need a computing device to access the applications and data. The device can be the organization-provided laptop or desktop (yes, some organizations have flexed their policies to allow users to take home their desktop computers to continue working during the COVID-19 crisis). In some instances, it can be a provided mobile device, such as a tablet or smartphone.
Regardless of the type, these devices need connectivity (internet access) to communicate with the applications and data. If your employees have an organization-provided device and a home Wi-Fi network, you can skip to the next point.
However, if staff don’t have access to an organization-provided computing device at home, it may be possible to implement a bring-your-own-device (BYOD) policy to allow staff to use their personal devices for certain work purposes. Such a policy requires the security controls described below to be even more strictly enforced.
If staff lack adequate internet access at home, consider providing them with wireless modems or hotspots. Alternatively, data allowances can be added to mobile phones, which can then be used as hotspots, providing Wi-Fi access to other devices (such as laptops and tablets).
Note that employees working remotely will still need IT support. Service desk (help desk) staff can use a remote access tool (RAT) to remotely access the staff member’s device and aid in resolving issues.
Verifying user identity
Organizations need to safeguard their applications and data from unauthorized access. External attackers can hold the organization hostage for ransom (a ransomware attack), and insider threats can affect your organization as well: staff performing tasks they aren’t allowed to, or accessing information they shouldn’t see, whether for personal benefit or with malicious intent.
It’s essential that you allow access only to authorized individuals (authentication), and that such individuals have limited privileges (authorization) to perform only functions specified in their roles and responsibilities. There are many solutions available, like identity and access management (IAM) and mobile device management (MDM) solutions, that are tied to the organization’s on-premise or cloud-based directory service (e.g., Microsoft’s Active Directory or Azure AD).
Some of the functionality you should consider in these solutions includes single-sign-on (SSO) and multifactor authentication (MFA):
- SSO allows users to use the same password to access all organization-provided resources, which streamlines user operations and minimizes risks (e.g., employees writing down passwords because there are too many to remember).
- MFA provides an additional layer of security by requiring the employee to validate their identity by another means in addition to their username and password. Common forms of MFA include a PIN sent via text message, which the user must enter during login, or a mobile application that provides a validation code.
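As an added example (not part of the original article), this is how the "mobile application that provides a validation code" form of MFA is checked on the server side, assuming the common time-based one-time password scheme (TOTP, RFC 6238, built on HOTP, RFC 4226). The secret shown is the RFC test-vector key rather than a real user's secret, and the clock-skew window and replay check are design choices of this example, not requirements stated in the text.

```python
import base64
import hashlib
import hmac
import secrets
import struct
from typing import Optional

# RFC 4226/6238 test-vector secret ("12345678901234567890" in ASCII), base32-encoded.
# A real deployment generates a fresh secret per user at enrollment and stores it
# encrypted server-side; the test-vector key is used here only so outputs are verifiable.
RFC_TEST_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def generate_secret() -> str:
    """Return a fresh random base32 secret for enrollment (20 random bytes, 32 chars)."""
    return base64.b32encode(secrets.token_bytes(20)).decode("ascii")


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step). The authenticator
    app computes exactly this from the shared secret and its own clock."""
    return hotp(secret_b32, at_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, at_time: int,
                last_accepted: Optional[int] = None,
                window: int = 1, step: int = 30) -> Optional[int]:
    """Server-side check. Accepts a code from the current 30-second step or from
    `window` adjacent steps (tolerates clock skew). Returns the matched counter so the
    caller can persist it; passing that counter back as `last_accepted` rejects a code
    that has already been used in that step (replay). Uses a constant-time comparison."""
    counter = at_time // step
    for drift in range(-window, window + 1):
        candidate = counter + drift
        if last_accepted is not None and candidate <= last_accepted:
            continue  # already consumed, or older than a consumed code
        expected = hotp(secret_b32, candidate)
        if hmac.compare_digest(expected.encode("ascii"), submitted.encode("utf-8")):
            return candidate
    return None


if __name__ == "__main__":
    # The RFC 6238 vector: at unix time 59 the 6-digit SHA1 code is 287082.
    print(totp(RFC_TEST_SECRET_B32, 59))
    print(verify_totp(RFC_TEST_SECRET_B32, "287082", 59))
```

The returned counter is what makes the replay check work across requests: store it with the user record after a successful login and pass it back on the next attempt, so a code captured in transit cannot be reused within its validity window.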
Verifying device readiness
“Social distancing” applies to devices, too — if a device’s security is compromised, it can’t be allowed into the network where your applications and data reside. Devices must be quarantined until they’re cured, which normally involves running antivirus software on them (severe cases may require additional actions). Also, much like individuals that have a weak immune system, devices can’t be allowed into the network until they have all the necessary protections, usually in the form of security updates and patches.
Validate each device’s security posture before granting it access to the corporate network. Does it have the latest antivirus installed? Does it have the latest operating system security updates? Are there any unresolved security alerts? Have any unapproved or potentially risky applications been installed? Only after verifying and resolving those conditions should the device be trusted to access the organization’s applications and data.
Solutions that accomplish this can be tied into user identity verification or run as standalone appliances; they are commonly referred to as network access control (NAC) solutions. They allow the configuration of context-aware security rules that restrict access not only based on the staff member’s identity, but also on the location they’re connecting from, the type of device, the time of day, etc. Such granular control allows stricter security policies to be enforced and makes abnormal behavior easier to detect.
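The posture questions and context-aware rules described above, as an added worked example in Python; this is not code from the article or from any NAC product. The device attributes, thresholds, group names, blocked application names and allowed-country list are constructed placeholders, and a real NAC solution would obtain the posture data from an endpoint agent or agentless scan rather than from hand-built objects.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed policy parameters (placeholders, not values from the article).
REQUIRED_AV_SIGNATURES = (2020, 3, 1)        # minimum antivirus signature version (y, m, d)
MAX_PATCH_AGE_DAYS = 14                      # OS updates older than this count as stale
BLOCKED_APPS = {"torrent-client", "unapproved-remote-desktop"}
ALLOWED_COUNTRIES = {"US", "CA"}
WORK_HOURS_UTC = range(6, 22)                # BYOD access only 06:00-21:59 UTC
BYOD_DENIED_GROUPS = {"finance", "admin"}    # groups that must use managed devices


@dataclass
class Device:
    device_id: str
    managed: bool                            # True = organization-provided, False = BYOD
    av_signatures: Tuple[int, int, int]
    last_patched: datetime
    open_alerts: int                         # unresolved endpoint security alerts
    installed_apps: Set[str]


@dataclass
class AccessRequest:
    user: str
    group: str
    country: str                             # geolocation of the connecting address
    hour_utc: int
    device: Device


@dataclass
class Decision:
    verdict: str                             # "allow", "quarantine" or "deny"
    reasons: List[str] = field(default_factory=list)


def check_posture(device: Device, now: datetime) -> List[str]:
    """The four posture questions from the text; returns the failures (empty = healthy)."""
    problems = []
    if device.av_signatures < REQUIRED_AV_SIGNATURES:
        problems.append("antivirus-outdated")
    if (now - device.last_patched).days > MAX_PATCH_AGE_DAYS:
        problems.append("os-patches-stale")
    if device.open_alerts > 0:
        problems.append("unresolved-security-alerts")
    risky = device.installed_apps & BLOCKED_APPS
    if risky:
        problems.append("blocked-apps:" + ",".join(sorted(risky)))
    return problems


def evaluate(req: AccessRequest, now: datetime) -> Decision:
    """Context-aware rule: an unhealthy device goes to a remediation (quarantine)
    network; a disallowed context is denied; BYOD gets stricter rules; else allow."""
    problems = check_posture(req.device, now)
    if problems:
        return Decision("quarantine", problems)
    if req.country not in ALLOWED_COUNTRIES:
        return Decision("deny", [f"country-not-allowed:{req.country}"])
    if not req.device.managed:
        if req.group in BYOD_DENIED_GROUPS:
            return Decision("deny", [f"byod-not-permitted-for-group:{req.group}"])
        if req.hour_utc not in WORK_HOURS_UTC:
            return Decision("deny", ["byod-outside-work-hours"])
    return Decision("allow")


def run_scenarios(now: datetime = datetime(2020, 4, 1, 12, 0)) -> Dict[str, Tuple[str, List[str]]]:
    """Constructed scenarios; returns {name: (verdict, reasons)} so the policy can be checked."""
    healthy = Device("LT-001", True, (2020, 3, 15), datetime(2020, 3, 25), 0, {"office-suite"})
    stale = Device("LT-002", True, (2020, 3, 15), datetime(2020, 2, 1), 1, {"torrent-client"})
    byod = Device("PERS-1", False, (2020, 3, 15), datetime(2020, 3, 25), 0, set())
    cases = {
        "managed-healthy": AccessRequest("alice", "sales", "US", 14, healthy),
        "managed-stale": AccessRequest("alice", "sales", "US", 14, stale),
        "managed-bad-country": AccessRequest("alice", "sales", "XX", 14, healthy),
        "byod-finance": AccessRequest("bob", "finance", "CA", 14, byod),
        "byod-night": AccessRequest("carol", "sales", "CA", 23, byod),
        "byod-ok": AccessRequest("carol", "sales", "CA", 10, byod),
    }
    results = {}
    for name, req in cases.items():
        decision = evaluate(req, now)
        results[name] = (decision.verdict, decision.reasons)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:20s} -> {outcome}")
```

Posture failures are evaluated before context so that a non-compliant device is sent to remediation rather than simply refused; the reasons list is what the help desk would show the user, and what would be logged for the monitoring described in the next section.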
Remote staff present additional challenges to safeguarding sensitive information. It’s important to monitor actions to confirm that staff are only accessing applications and data that they’re authorized to use. Note that we’re not suggesting violations to staff privacy — the goal is just to confirm appropriate use of the company’s resources and information.
Monitoring should be conducted in real time, with automated alerts when someone tries to access restricted information and incident response actions if the information is successfully accessed. Whoever is responsible for monitoring should also log events so that actions can be traced for audit or data privacy compliance purposes.
Many different tools provide this functionality; they are most commonly referred to as security information and event management (SIEM) solutions. The most sophisticated of these use machine learning (ML) to automatically define a baseline of normal user-level and network-level behavior, and artificial intelligence (AI) to detect deviations that can be associated with conditions of risk requiring intervention.
Additional functionality includes periodic audits of user privileges, which are especially important in dynamic environments where staff members frequently change roles and employment status. It’s a best practice for audits to be carried out by someone other than the person who administers privileges in the tools.
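An added example, not from the article, of the monitoring logic a SIEM rule set implements for the two preceding paragraphs: build a per-user baseline from a learning period, then flag restricted-resource attempts (alert), successful restricted-resource access by an unentitled user (incident), and deviations from the baseline such as a new country or an unusual hour. The log lines, resource names and group entitlements are constructed, and the simple set-based baseline stands in for the ML-derived one the text mentions.

```python
import json
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed sample access events (JSON lines) of the kind a VPN gateway or
# application proxy would forward to a SIEM. The first batch is the learning
# period; the second batch is evaluated against the baseline it produces.
BASELINE_LOG = """
{"ts": "2020-03-02T09:05:00Z", "user": "alice", "group": "sales", "country": "US", "resource": "/crm/accounts", "result": "success"}
{"ts": "2020-03-03T10:12:00Z", "user": "alice", "group": "sales", "country": "US", "resource": "/crm/accounts", "result": "success"}
{"ts": "2020-03-04T14:40:00Z", "user": "alice", "group": "sales", "country": "US", "resource": "/crm/reports", "result": "success"}
{"ts": "2020-03-02T08:55:00Z", "user": "bob", "group": "finance", "country": "CA", "resource": "/finance/payroll", "result": "success"}
{"ts": "2020-03-05T16:20:00Z", "user": "bob", "group": "finance", "country": "CA", "resource": "/finance/ledger", "result": "success"}
"""

NEW_LOG = """
{"ts": "2020-04-01T10:30:00Z", "user": "alice", "group": "sales", "country": "US", "resource": "/crm/accounts", "result": "success"}
{"ts": "2020-04-01T11:02:00Z", "user": "alice", "group": "sales", "country": "US", "resource": "/finance/payroll", "result": "denied"}
{"ts": "2020-04-02T03:15:00Z", "user": "alice", "group": "sales", "country": "RO", "resource": "/finance/payroll", "result": "success"}
{"ts": "2020-04-02T09:10:00Z", "user": "bob", "group": "finance", "country": "CA", "resource": "/finance/payroll", "result": "success"}
"""

# Restricted resources and the groups entitled to them (constructed placeholders).
RESTRICTED = {"/finance/payroll": {"finance"}, "/hr/records": {"hr"}}
SEVERITY_RANK = {"incident": 3, "alert": 2, "anomaly": 1}

Finding = Tuple[str, str, str, str]  # (severity, user, rule, timestamp)


def parse(log: str) -> List[dict]:
    """Parse JSON-lines text into event dicts, skipping blank lines."""
    return [json.loads(line) for line in log.strip().splitlines() if line.strip()]


def hour_of(event: dict) -> int:
    return datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ").hour


def build_baseline(events: List[dict]) -> Dict[str, dict]:
    """Per-user profile of countries, hours and resources seen in the learning period."""
    profile = defaultdict(lambda: {"countries": set(), "hours": set(), "resources": set()})
    for e in events:
        p = profile[e["user"]]
        p["countries"].add(e["country"])
        p["hours"].add(hour_of(e))
        p["resources"].add(e["resource"])
    return dict(profile)


def detect(events: List[dict], baseline: Dict[str, dict]) -> List[Finding]:
    """Apply the rules in order: entitlement check on restricted resources first
    (a blocked attempt is an alert, a success by an unentitled user is an incident),
    then baseline deviations (new country, hour outside the usual range +/- 1)."""
    findings: List[Finding] = []
    for e in events:
        user, res = e["user"], e["resource"]
        entitled = RESTRICTED.get(res)
        if entitled is not None and e["group"] not in entitled:
            sev = "incident" if e["result"] == "success" else "alert"
            findings.append((sev, user, f"restricted-resource:{res}", e["ts"]))
        p = baseline.get(user)
        if p is None:
            findings.append(("anomaly", user, "no-baseline-for-user", e["ts"]))
            continue
        if e["country"] not in p["countries"]:
            findings.append(("anomaly", user, f"new-country:{e['country']}", e["ts"]))
        h = hour_of(e)
        if not (min(p["hours"]) - 1 <= h <= max(p["hours"]) + 1):
            findings.append(("anomaly", user, f"unusual-hour:{h:02d}", e["ts"]))
    return findings


def triage(findings: List[Finding]) -> Dict[str, str]:
    """Highest severity per user: the input to the incident-response step."""
    worst: Dict[str, str] = {}
    for sev, user, _rule, _ts in findings:
        if SEVERITY_RANK[sev] > SEVERITY_RANK.get(worst.get(user, "anomaly"), 0):
            worst[user] = sev
    return worst


if __name__ == "__main__":
    results = detect(parse(NEW_LOG), build_baseline(parse(BASELINE_LOG)))
    for finding in results:
        print(finding)
    print(triage(results))
```

Every finding carries the event timestamp so it can be traced back to the raw log for the audit and compliance purposes the text mentions; in a real deployment the baseline would be rebuilt on a rolling window rather than from a fixed learning batch.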
Data loss prevention (DLP) solutions can aid in providing reasonable levels of precaution against data exfiltration, both intentional and unintentional. For instance, these systems can prevent users from saving organizational information to external USB drives, printing it on personal printing devices, uploading it to unauthorized cloud storage websites, and more.
In response to the COVID-19 outbreak, multiple vendors are providing time-limited trials (up to 90 days) of their cloud-based solutions for remote workforce enablement. This lets organizations validate the functionality before committing to it, and potentially prioritize investment in other critical business areas that need it more urgently.
Also, many malicious hackers are trying to take advantage of the COVID-19 crisis with phishing attacks and social engineering exploits. Instances of falsified corporate communication emails have been reported, as well as fake websites that offer to sell vaccines or respirators. Staff should be regularly trained to identify these attacks and avoid falling victim to them; without the appropriate training and knowledge, the whole organization could be at risk.
Finally, these guidelines aren’t intended to be fully comprehensive or adaptable to all business scenarios. Each organization’s IT environment is unique, and this guide is only a starting point for addressing remote work requirements following generally accepted best practices.