On Friday we wrote a blog post that talked about remote work and security from a worker’s perspective. We included a checklist. In this post, we want to develop that idea and talk about it more generally from a company and IT strategy perspective. We’ll start with some pictures to illustrate some of the issues.

The content of this post is also in this Google Slides presentation.

A Basic Network

Consider a basic network for a classic “small” company.

[Diagram: Network]

When the laptop or phone at the bottom leaves the network (as when work is not on premises), everything falls apart. Identity won’t work. Access to files won’t work. Access to internal systems won’t work. In short, in a classic pre-cloud IT model without an explicit VPN strategy, many things don’t work.

A More Realistic Company Network

Most companies have more of a hybrid network.

[Diagram: HybridNetwork]

In this network:

  1. The Apps / Services in the lower right are still accessible (presumably SaaS-based services)
  2. The work in the cloud (AWS) is still accessible. Developers and IT admins can reach it, though the VPN-based “peering” is no longer very useful.
  3. HQ is basically hard to reach without VPN
  4. Corp Data is hard to reach without VPN
  5. Security tools running in HQ or CorpData don’t see regular user traffic

Tools That May Not Work

Some tools we put in place for security simply will not work the same way without adaptation.

  • Identity (Active Directory)
  • Intrusion Detection (IDS)
  • Data Loss Prevention (DLP)
  • Patching
  • Group Policy
  • Antivirus
  • Enterprise Hosted Anything

Strategy

Building a VPN now to restore connectivity to specific internal systems may solve certain problems. It will come with oversight and will not get you back to where you started in terms of the corp network and full connectivity.

It’s a little late to start talking about business continuity strategy, but wherever it is possible to leverage cloud-based services using a shared identity (SSO) system, that setup is going to be the most resilient to specific cloud or network issues.

Therefore, we advocate that companies bite the bullet and use cloud based resources wherever possible.

Near Term

  • VPN - If you can, offer this as widely as possible
  • Immediate Security Guide - Write down what you expect (See checklist)
  • Support Channel - Your users will need help
  • Communications (Standardize on Zoom/Slack, etc.)
  • File Sharing (Standardize on OneDrive/Dropbox/etc.)
  • Identify business processes

Medium Term

  • Prioritize business processes
  • Cloud alternatives
  • Start & adapt monitoring
  • Nail down patching (Auto updates)
  • Review investments
  • Is support working?

Long Term

  • Cloud based services
  • Operationalize monitoring
  • Playbook for support

Conclusion

It is time to quickly embrace the cloud and SaaS based services.

Use a risk based approach to prioritize.

Matt Konda

Matt is a software engineer. He's our CEO and former Chair & OWASP Board Member.