So, your company is implementing a hybrid work model where your staff works from home a few days a week. Or maybe your company is going fully remote and closing the office. By now, your company has probably updated its Information Security Policy to say that all remote workers must keep their computers updated and their endpoint protection (aka anti-virus) current.
However, this still leaves your data at considerable risk. Instead of a few key people remotely accessing the office or your cloud resources, there can now be tens or even hundreds of people doing so, all from home networks the company has no control over. That makes every one of those remote computers a tempting entry point for cyber criminals.
Here are some methods you can use to harden your security for remote workers.
- MFA Everywhere: By far the most effective protection against credential attacks is enabling Multifactor Authentication (MFA) wherever you can. According to Microsoft, MFA blocks more than 99.9% of account-compromise attacks, and it matters most for accounts with administrative access. You most likely already have MFA on your email account. That is a great start, but extend it to your VPN, to every cloud service you use, and to any workstation or server that accepts remote logins (such as RDP) from the internet. Where you have the choice, prefer phishing-resistant methods such as FIDO2 security keys or Windows Hello for Business over SMS codes and simple push approvals, which attackers get around with real-time phishing proxies and push-fatigue attacks.
- Set Up Remote Compute Points: Rather than have people work on their home computers, establish remote compute points: terminal servers, Virtual Desktop Infrastructure (VDI) or Cloud PCs (for example Microsoft Azure Virtual Desktop, or AVD). The home computer can then be very lightweight, because all the computing happens remotely; you can even use inexpensive thin clients instead of PCs. Besides the potential savings, remote compute points can be much more secure. By restricting the session to display, keyboard, mouse and perhaps printer traffic, and disabling clipboard, drive and USB redirection, you close off most of the paths that malware on the home machine could use to reach your environment. The same restrictions greatly reduce the potential for intellectual property theft, because documents cannot be downloaded or copied from the remote compute point to the home computer (a user can still photograph the screen, so treat this as a strong control rather than an absolute one).
- Require a Virtual Private Network (VPN) for all access: Another way to secure your cloud services is to limit access to a defined set of source locations, such as the public IP addresses of your physical office or your VPN concentrator. That prevents an outsider who has stolen a password from reaching your cloud resources directly from anywhere on the internet. Combined with remote compute points, you can keep all your data confined to your own infrastructure while still allowing access from anywhere.
- Limit access to company or cloud resources to company-owned computers only: If work is going to be done on the home computer itself (documents, spreadsheets, email and so on), the risk that computer poses to the organization goes up sharply. One way to counter that is an enforced policy that only company-managed computers can connect to the corporate infrastructure or cloud resources; in practice that means a device-compliance or device-certificate check at sign-in, not just a written rule. Because the company manages those computers, you can apply policies and software agents that ensure they meet your security requirements, and set up monitoring so you are alerted when anything is amiss. It also lets you push updates remotely and provide rapid remote desktop support when needed.
- Set up health checks for any computer that tries to connect to company resources: If you do not limit access to company-owned computers, it is important to verify that any computer trying to access your network (internal infrastructure and/or cloud resources) meets minimum requirements, such as being current on patches and running up-to-date endpoint protection. This is most often done at VPN connection time: the remote user must first install a health (posture) agent, usually bundled with the VPN client, which checks that all security requirements are met before the connection is allowed. If cloud resources are reachable only through the VPN, then every computer touching any company resource has passed that check. Keep in mind that the agent runs on the very machine it is assessing, so a fully compromised computer can misreport its state; treat the health check as a filter for neglected machines, not as proof that a device is clean.
- Adopt a Zero Trust Network Architecture: Zero Trust is a design in which no connection is trusted because of where it comes from; every request is authenticated and authorized on its own, based on who the user is, what device they are on and what they are asking for, and both sides of a transaction verify each other. The promise of Zero Trust Networking (ZTN) is that any person or resource anywhere can connect to any other ZTN user or resource, with both ends confident who is on the other side, and with each end granted only the permissions its authorization allows. When combined with security software and enforced policies on every device, it can provide a very secure environment while reducing the reliance on perimeter technologies like VPNs and firewalls. ZTN is still maturing, but designing your network along those lines now will make it easier to adopt when it fits your company's goals.
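As an added example of the remote compute point lockdown described above (this is not SpotLink's code or a tool the article references), the following PowerShell applies the "display, keyboard, mouse and maybe printer" restriction to an Azure Virtual Desktop host pool and then enforces the same restrictions on the session host itself so a client cannot re-enable redirection. The resource group and host pool names are hypothetical; it assumes the Az.DesktopVirtualization module and Contributor rights on the host pool.

```powershell
# Added example, not SpotLink's own tooling. Requires Az.DesktopVirtualization and
# Contributor rights on the host pool's resource group. Names below are hypothetical.
Import-Module Az.DesktopVirtualization
Connect-AzAccount | Out-Null

$ResourceGroup = "rg-avd-prod"   # hypothetical
$HostPool      = "hp-finance"    # hypothetical

# Part 1: host pool RDP properties pushed to every client connection.
# Every channel that could carry a file off the session host is closed;
# printers and smart cards stay on (printing is allowed by the article,
# smart cards are needed for authentication).
$rdp = @(
    "drivestoredirect:s:"       # no client drives mapped into the session
    "redirectclipboard:i:0"     # no clipboard in either direction
    "usbdevicestoredirect:s:"   # no USB passthrough
    "devicestoredirect:s:"      # no plug-and-play devices
    "camerastoredirect:s:"      # no camera redirection
    "redirectcomports:i:0"      # no COM ports
    "audiocapturemode:i:0"      # no microphone from the client
    "redirectsmartcards:i:1"    # smart cards allowed for sign-in
    "redirectprinters:i:1"      # printers allowed, per the article
) -join ";"

Update-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPool -CustomRdpProperty $rdp

# Confirm what is now effective on the host pool.
(Get-AzWvdHostPool -ResourceGroupName $ResourceGroup -Name $HostPool).CustomRdpProperty

# Part 2: run this on each session host (or ship it via GPO/Intune). These are the
# registry equivalents of the "Device and Resource Redirection" policies, and they
# win even if a client's .rdp file asks for redirection.
$policy = "HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services"
New-Item -Path $policy -Force | Out-Null
@{
    fDisableCdm      = 1   # Do not allow drive redirection
    fDisableClip     = 1   # Do not allow clipboard redirection
    fDisableCcm      = 1   # Do not allow COM port redirection
    fDisableLPT      = 1   # Do not allow LPT port redirection
    fDisablePNPRedir = 1   # Do not allow supported plug-and-play device redirection
}.GetEnumerator() | ForEach-Object {
    Set-ItemProperty -Path $policy -Name $_.Key -Value $_.Value -Type DWord
}
```

Part 1 shapes the connection file users receive; Part 2 is the server-side policy that makes the restriction stick regardless of what the client requests. Keep both, and test printing and smart-card sign-in afterwards, since those are the two channels deliberately left open.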
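The MFA, source-location and company-device controls in the list above map onto a few Conditional Access policies in a Microsoft 365 tenant. The script below is an added example and not SpotLink's code: it creates a trusted named location for the office and VPN egress, blocks sign-ins from anywhere else (except for the VPN's own sign-in, which by definition happens from a home address), and requires MFA plus an Intune-compliant device for everyone. The CIDR range, the break-glass group ID, the VPN application ID and the policy names are hypothetical; it assumes the Microsoft.Graph PowerShell SDK and a Conditional Access Administrator account.

```powershell
# Added example, not SpotLink's own code. Requires the Microsoft.Graph PowerShell SDK
# and Conditional Access Administrator rights. All IDs and ranges are hypothetical.
Import-Module Microsoft.Graph.Identity.SignIns
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All" | Out-Null

$BreakGlassGroupId = "00000000-0000-0000-0000-000000000001"  # hypothetical; emergency accounts are always excluded
$VpnAppId          = "00000000-0000-0000-0000-000000000002"  # hypothetical; the VPN's enterprise application

# 1. Trusted egress: the office's and the VPN concentrator's public address range.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type" = "#microsoft.graph.ipNamedLocation"
    displayName   = "Corporate egress (office + VPN)"
    isTrusted     = $true
    ipRanges      = @(
        @{ "@odata.type" = "#microsoft.graph.iPv4CidrRange"; cidrAddress = "203.0.113.0/24" }  # hypothetical
    )
}

# 2. Block every sign-in that does not arrive from that egress. The VPN app is
#    excluded, otherwise nobody could authenticate to the VPN from home to get in.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Block access from outside corporate egress"
    state       = "enabledForReportingButNotEnforced"  # report-only first; set to "enabled" after review
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications = @{ includeApplications = @("All"); excludeApplications = @($VpnAppId) }
        locations    = @{ includeLocations = @("All"); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
} | Out-Null

# 3. Even from the trusted egress, require MFA and a compliant (Intune-managed) device.
#    Device compliance is the health check: the Intune compliance policy defines the
#    minimum OS version, patch level and endpoint-protection state.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName = "Require MFA and compliant device for all users"
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users        = @{ includeUsers = @("All"); excludeGroups = @($BreakGlassGroupId) }
        applications = @{ includeApplications = @("All") }
    }
    grantControls = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
} | Out-Null

# Review what was created before enforcing anything.
Get-MgIdentityConditionalAccessPolicy | Select-Object DisplayName, State
```

Both policies are created in report-only mode on purpose: review the sign-in log for a week to see who would have been blocked, then switch them to enabled. Never deploy a location or device block without excluding the break-glass accounts, or a typo in the CIDR range locks every administrator out of the tenant.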
At SpotLink, we not only use these technologies ourselves, but also help our clients implement the ones that best fit their businesses.
If you are interested in improving the security of your company assets and providing flexible access for your remote users, just reach out to us and we can review what makes sense for your specific business.
Robert Hood
CEO & Founder
SpotLink