Supporting Remote Work Securely

On Friday we wrote a blog post that talked about remote work and security from a workers perspective. We included a checklist. In this post, we want to develop that idea and talk about it more generally from a company and IT strategy perspective. We’ll start with some pictures to illustrate some of the issues.

The content of this post is also in this google slides presentation.

A Basic Network

Consider a basic network for a classic “small” company.

When the laptop or phone at the bottom come out (as when work is not on premise), everything falls apart. Identity won’t work. Access to files won’t work. Access to internal systems won’t work. In short, in a classic pre-cloud IT model without an explicit VPN strategy, many things don’t work.

A More Realistic Company Network

Most companies have more of a hybrid network.

In this network:

• The Apps / Servicse in the lower right are still accessible (presumably SaaSSaaS stands for Software as a Service, which is a cloud computing model that delivers software applications over the internet as a subscription-based service. With SaaS, users can access software applications and data from anywhere with an internet connection, without the need for on-premise installation or maintenance. SaaS providers manage the infrastructure, security, and maintenance of the software application, freeing users from the burden of software updates, patches, and backups. based services)
• The work in the cloud (AWS) is still accessible. Developers and IT admins can reach it. Though the VPN based “peering” is no longer very useful.
• HQ is basically hard to reach without VPN
• Corp Data is hard to reach without VPN
• Security tools running in HQ or CorpData don’t see regular user traffic

Tools That May Not Work

Some tools we put in place for security, simply will not work the same way without adaptation.

• Identity (Active Directory)
• Intrusion Detection (IDSIDS (Intrusion Detection System) is a cybersecurity technology that monitors network traffic and systems for signs of malicious activity. IDS solutions use various techniques such as signature-based detection, anomaly detection, and behavioral analysis to identify patterns of unauthorized or unusual behavior.)
• Data Loss Prevention (DLP)
• Patching
• Group Policy
• Antivirus
• Enterprise Hosted Anything

Strategy

Building a VPN now to restore connectivity to specific internal systems may solve certain problems. It will come with oversight and will not get you back to where you started in terms of the corp network and full connectivity.

Its a little late to start talking about business continuity strategy, but anywhere that it is possible to leverage cloud based services using a shared identify (SSO) system is going to be the most resilient to specific cloud or network issues.

Therefore, we advocate that companies bite the bullet and use cloud based resources wherever possible.

Near Term

• VPN - If you can, offer this as widely as possible
• Immediate Security Guide - Write down what you expect (See checklist)
• Support Channel - Your users will need help
• Communications (Standardize on Zoom/Slack, etc.)
• File Sharing (Standardize on OneDrive/Dropbox/etc.)
• Identify business processes

Medium Term

• Prioritize business processes
• Cloud alternatives
• Start & adapt monitoring
• Nail down patching (Auto updates)
• Review investments
• Is support working?

Long Term

• Cloud based services
• Operationalize monitoring
• Playbook for support

Conclusion

It is time to quickly embrace the cloud and SaaS based services.

Use a risk based approach to prioritize.

Resources

• Slides
• Previous Blog
• Checklist