Businesses are scrambling to set up their IT environments for working from home.
There are a few different varieties that businesses are choosing:
- Applications in Cloud
- Connectivity via VPN to corporate network
- Access via Virtual Desktop (VDI)
Each of these options affects both operational delivery and the related security requirements. Each one requires changes to the proactive controls already in place, and each creates a higher reliance on the reactive (monitoring) tools that the business uses.
To assist in these areas, we will try to address the related security concerns for each of the different delivery methods.
Applications in Cloud:
With the ever-increasing cloud presence, businesses now can provide the same user experience and range of applications via a Cloud platform. From a security perspective, this is typically the least secure option, although when paired with IDAM and VPN solutions, it may be viable.
Connectivity via VPN:
Providing VPN connectivity is probably the easiest option for businesses to allow users to work from home. Often the infrastructure is partially in place and parts of the business are already using this to perform their work.
The main concerns with the use of VPN connectivity are User Identity and Data Exfiltration. These can be resolved, although there are some prerequisites that need to be established:
- Use of Corporate devices rather than BYO/Personal
- Multi-Factor Authentication (MFA)
We all understand the MFA market, so we will skip over this, although the use of corporate devices over BYO/Personal devices is a major consideration for business. The core focus with VPN connectivity is to ensure that there are minimum requirements for the VPN connection to be established and that, once connected, access to applications and data is managed to minimize data loss and/or impersonation.
In a hacker’s world, a personal/BYO device is the easiest to breach, as it often does not have the same number of security controls and mechanisms that a corporate device has (e.g. antivirus/firewall, agents for DLP, USB scanning). There are two options to resolve this:
- Provide a corporate laptop for users to VPN in with the corporate image
- Place security controls that mandate minimum requirements on personal/BYO devices (Agents to allow for the corporate to manage the device)
The first option is easier than the second, as the second requires the user to allow the business to dive into their personal lives… if I was an employee at a business, would I want them accessing all my personal stuff?… hell no!! I do not need them to know that I enjoy fishing!!!
As to the related costs, providing a corporate device is going to incur costs for both the infrastructure investment as well as the set up. For the mandatory security controls, there are the user access licenses for some of the technology products as well as the related costs for support when people can’t connect.
Virtual Desktop (VDI)
When it comes to VDI solutions, this is a fully controlled solution as the user is part of the corporate environment (just like being in the office) and is highly secure from a cyber security perspective. When it comes to applications and systems access, some users will have issues, as the VDI instance needs to be set up to mirror, as much as possible, the laptop/desktop environment they use in the corporate environment.
There are some drawbacks with VDI. It is expensive and takes a lot to set up, and the more varied the users accessing the systems, the broader your VDI profiles become. This becomes a balancing act, as a balance between access and security needs to be maintained.
Many of the cloud providers are offering VDI solutions on the market. These are an easy way of getting your VDI instances up and running quickly, although ensure you perform extensive testing from various levels of connectivity (NBN, ADSL, FTTB and 4G/5G), as the mechanisms they use to present the VDI can place a high load on users' home internet connections.
When paired with an IDAM solution and succinct profiles, VDI has the strongest footprint of the options due to the ability to manage a user's access to systems and applications.