Not only has there been a significant increase in the demand for toilet paper, hand sanitizer, disinfectants, and other items associated with efforts to prevent and/or contain the spread of COVID-19, but the demand for remote access equipment, software, and services, including but not limited to laptops, hard multi-factor authentication tokens, VPN setup, and bandwidth upgrades, is also on the rise. Individuals who have never worked remotely are being provided with laptops and told to work from home. For some organizations and individuals, this is uncharted territory.
While many organizations have had employees working remotely for years as part of their everyday work program and business continuity plan, many others have never had remote users. If this is new for your organization, then you more than likely have not implemented the policies needed to support this new segment of your business. You’ll need policies, educational programs, technology, and support services for the remote workforce you are building. Organizations that are planning to engage in telecommuting or remote work for the first time have some work to do to put together policies and procedures that address remote access, roles and responsibilities, eligibility to work remotely (not all jobs can be done remotely), work hours and paid time off, safety concerns and requirements, equipment and supplies, operating costs and expenses, and the requirements for physical and information (data) security.
Let’s start with Remote Access.
Remote access enables users to access files and other system resources on any devices or servers that are connected to the network, at any time, from a remote site. What’s required is a combination of software, hardware, and network connectivity. Remote access is commonly accomplished using a secure software solution such as a VPN (Virtual Private Network), which is software that connects over a hard-wired or Wi-Fi network interface, or over the internet. Remote access VPNs are used to connect individual users to private networks. With a remote access VPN, each user needs a VPN client capable of connecting to the private network's VPN server.
When a user is connected to the network via a VPN client, the software encrypts the traffic before delivering it over the internet. The VPN server sits at the edge of the target network, decrypts the data, and sends it to the appropriate host inside the private network. To do this, the computer must have software that enables it to connect and communicate with a system or resource hosted by the organization's remote access service. Once the user's computer is connected to the remote host, it can display a window with the target computer's desktop. Regardless of which remote access method you offer, multi-factor authentication (MFA) should be mandatory. If remote devices are allowed to connect to your internal network, consider implementing a Network Access Control (NAC) solution to ensure only authorized devices are permitted to connect.
Organization-Owned vs Personal Devices, what’s the big deal?
Security issues are a big concern when it comes to allowing employees to use their own personal devices to connect to your business network. Certain security controls should be in place and a policy should be implemented. For example, Multi-Factor Authentication (MFA) should be mandatory for remote access to any application, network, or service your organization provides to teleworkers. In addition, organizations must implement controls to ensure sensitive files and information are not downloaded or stored on personal devices or personal cloud storage services. Sensitive data should only be stored on organizationally controlled devices or authorized cloud storage services.
Whether a device is personally owned or organizationally owned, it is exposed to numerous risks when connecting to networks not controlled by the organization. Therefore, implementing strong security controls is key. Policies should enforce controls such as strong authentication, operating system hardening, and the principle of least functionality, which limits services, ports, and protocols to only those that are necessary. Other important concerns are the use of anti-virus/anti-malware software, endpoint detection and response software, web content filtering software, host-based firewalls, device and file encryption, and the latest security patches. With a remote workforce, IT departments face a myriad of challenges in providing support, pushing security updates, and providing continuous monitoring and incident reporting and response services for remote devices and users.
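The device controls listed above, together with the NAC admission decision mentioned earlier, can be evaluated as a posture check when a device connects. The following Python is an added example, not part of the original article or any NAC product's API; the device IDs, field names, port allowlist, patch-age threshold, and decision names are all hypothetical.

```python
from datetime import date

# Hypothetical policy values (assumptions, not from the article).
AUTHORIZED_DEVICES = {"LT-0042": "organization", "BYOD-0007": "personal"}
ALLOWED_LISTENING_PORTS = {22}
MAX_PATCH_AGE_DAYS = 30
REQUIRED_CONTROLS = ("mfa_enrolled", "disk_encrypted", "host_firewall",
                     "anti_malware", "edr_agent")


def evaluate_posture(report, today):
    """Return (decision, findings) for one device posture report."""
    # Ownership comes from the inventory, never from the device's own claim.
    owner = AUTHORIZED_DEVICES.get(report.get("device_id"))
    if owner is None:
        return "deny", ["device not in authorized inventory"]

    findings = []
    for control in REQUIRED_CONTROLS:
        # A missing field counts as a failed control, never as a pass.
        if report.get(control) is not True:
            findings.append(f"missing control: {control}")
    last_patched = report.get("last_patched")
    if last_patched is None or (today - last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append("security patches out of date")
    # Least functionality: any listener outside the allowlist is a finding.
    extra = sorted(set(report.get("listening_ports", [])) - ALLOWED_LISTENING_PORTS)
    if extra:
        findings.append(f"unnecessary listening ports: {extra}")

    if findings:
        return "quarantine", findings  # remediation segment only
    # Compliant personal devices connect, but not to sensitive data stores.
    return ("full_access" if owner == "organization" else "restricted_access"), []


def sample_report(device_id, **overrides):
    """Build a constructed sample report; all controls pass unless overridden."""
    base = {c: True for c in REQUIRED_CONTROLS}
    base.update(device_id=device_id, last_patched=date(2020, 3, 20),
                listening_ports=[22])
    base.update(overrides)
    return base


TODAY = date(2020, 4, 1)  # constructed evaluation date
SAMPLES = [
    sample_report("LT-0042"),
    sample_report("BYOD-0007"),
    sample_report("LT-0042", disk_encrypted=False, listening_ports=[22, 3389, 445]),
    sample_report("LT-9999"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(r["device_id"], *evaluate_posture(r, TODAY))
```

The personal device in the sample passes every control yet still receives only restricted access, which matches the policy above that sensitive data stays on organizationally controlled devices.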
Your IT Department or Managed Services Provider should be able to answer your questions and set up remote users for your organization. Just remember that policies and procedures need to be in place, mainly to protect your business.