Working from Home – The New Normal
Businesses are scrambling to set up their IT environments for working from home. There are a few different varieties that businesses are choosing:
- Connectivity via VPN to corporate network
- Access via Virtual Desktop (VDI)
- Placing Applications in Cloud
Each one of these options has an impact on both operational delivery and the related security requirements. Changes are needed to the proactive controls that are in place for each of them, although this does create a higher reliance on the reactive (monitoring) tools that the business uses.
To assist in these areas, we will try to address the related security concerns for each of the different delivery methods.
VPN Connectivity:
Providing VPN connectivity is probably the easiest option for businesses to allow users to work from home. Often the infrastructure is partially in place and parts of the business are already using this to perform their work.
The main concerns with the use of VPN Connectivity are User Identity and Data Exfiltration. These can be resolved, although there are some prerequisites that need to be established:
- Use of Corporate devices rather than BYO/Personal
- Multi-Factor Authentication (MFA)
We all understand the MFA market, so we will skip over this, although the use of corporate devices over BYO/Personal devices is a major consideration for business. The core focus with VPN connectivity is to ensure that there are minimum requirements for the VPN connection to be established and that, once connected, access to applications and data is managed to minimize data loss and/or impersonation.
In a hacker’s world, a personal/BYO device is the easiest to breach, as it often does not have the same number of security controls and mechanisms that a corporate device has, e.g. antivirus/firewall, agents for DLP, USB scanning, etc. There are 2 options to resolve this:
- Provide a corporate laptop for users to VPN in with the corporate image
- Place security controls that mandate minimum requirements on personal/BYO devices (Agents to allow for the corporate to manage the device)
The first option is easier than the second, as the second option requires the user to allow the business to dive into their personal lives… if I was an employee at a business, would I want them accessing all my personal stuff?… hell no!! I do not need them to know that I enjoy fishing!!!
As to the related costs, providing a corporate device is going to incur costs for both the infrastructure investment as well as the set up. For the mandatory security controls, there are the user access licenses for some of the technology products as well as the related costs for support when people can’t connect.
Virtual Desktop (VDI):
When it comes to VDI solutions, this is probably the most effective option from a cyber security perspective. This offers a way for users to access corporate resources in a desktop environment that is fully managed by the business.
VDI is expensive and does take a lot to set up, although when paired with an IDAM solution, it has the strongest footprint of the options.
Applications in Cloud:
With the ever-increasing cloud presence, businesses now can provide the same user experience and range of applications via a Cloud platform. From a security perspective, this is typically the least secure option, although when paired with IDAM and VPN solutions, it may be viable.
Acronyms used in this article:
VPN – Virtual Private Network
VDI – Virtual Desktop Interface
BYO – Bring your own (device)
DLP – Data Loss Prevention
USB – Universal Serial Bus
IDAM – Identity and Access Management






