If you have ever attended an executive conference, you have probably seen a session titled “Birds of a Feather.” The full cliché is actually “Birds of a feather flock together,” because similar or like-minded people generally coalesce based on ideas, interests or beliefs.
CISOs like myself generally run in herds, flocks and sometimes even gaggles. All joking aside, we do share war stories, ask each other for advice and trust, almost implicitly, recommendations for strategies and vendors that come from our collective experience. Unfortunately, the truth is that any one of us could be breached at any time, and for any animal that could be the target of a predator, there is safety in numbers. This is why we run in herds.
With all the news and development around the coronavirus (COVID-19), many of my peers have begun exploring their disaster recovery plans to allow workers to operate remotely and access their environments. Their goal is to keep their organizations productive and ensure we do not create any unacceptable security risks.
While most disaster recovery plans focus on a single catastrophic event, the coronavirus represents a long-term threat that might stretch a disaster recovery model beyond what it was designed to cover. With this in mind, I have compiled four considerations for how to expand a remote workforce and deal with this threat, potentially for the long haul:
1. Sensitive Data And Privacy
When enabling large numbers of employees to work remotely, CISOs need to consider the exposure of sensitive data and the privacy of information flowing to the remote end user's environment. Many tasks and transactions performed by office employees involve data that should never leave the traditional corporate perimeter.
For these situations, consider how you are protecting both the data and the transaction itself. As a simple example, are you allowing the data to be downloaded into a local spreadsheet over a VPN, rendering a sensitive spreadsheet in a browser via Office 365 OneDrive, or remotely rendering a desktop through a browser or bastion host? The last option exposes the least: the user sees only the screen output of a session that runs inside the corporate environment, and the underlying file is never transferred to, or stored on, the end user's device. Browser-delivered web applications carry relatively low risk here, but a Win32 application reached through a VPN or other protocol tunnel pulls the data onto the endpoint, outside any pre-authorized network zone. Therefore, we need to consider both how we enable remote employees and which datasets they are working with.
2. Shadow IT With Free Tools
For some organizations, employees have been asked to work remotely but have not been given the proper tools for a variety of reasons. These include cost, lack of authority by geographic region or simply lack of process.
This leaves employees, or even local IT staff, to download free remote access solutions to solve the problem. These free tools lack the monitoring, authentication and security modeling necessary to protect against an incident. In addition, if employees pick their own tools, you could be facing a plethora of remote access solutions and a mountain of shadow IT problems that are simply unmanageable.
If remote access is being requested across your organization, standardize on a single scalable and secure tool for the entire organization. Many vendors are offering several months free to help manage this crisis, and if the solution works well, it might become the permanent solution to a growing problem. This is especially true for any privileged access performed by remote employees or even vendors.
3. Bring Your Own Device (BYOD)
Many information technology organizations simply do not have enough assets to ramp up all the remote employees that now need access. Unfortunately, the fallback is to allow employees to use their own devices with corporate-issued VPN or secure-remote-access technology.
For many CISOs, this is just an unacceptable risk. With no traditional security controls like antivirus or vulnerability assessment on these devices, there is no way to mitigate the threats while they are connected and unmanaged. And if these devices are shared among family members, the risk of malware from a simple online game rises sharply when the same device is used to connect to potentially sensitive data.
If BYOD is your only recourse, ensure your remote access technology does not use a VPN or any local client, does not do any protocol tunneling, and renders all remote sessions in a browser. This holds even for remote web applications. It limits what the device can reach to the rendered session itself, so a compromised endpoint has no network path from which to attack additional assets. Note that browser rendering removes the network path but not the endpoint's view of the session; malware on the device can still capture keystrokes and screen contents, which is why the handling of privileged credentials in the next section matters.
4. Privileged Remote Access
There is a strong chance that if the coronavirus has affected your organization, some of the employees being asked to work remotely will need privileged access to resources. This means that once they establish a remote session, the credentials they need to access and operate a resource are administrative, root or power-user credentials. If they type those credentials on the remote endpoint, the credentials are exposed to that computer, where malware or an attacker can capture them.
Consider using a remote access solution that performs credential injection from a password safe or vault. The remote access solution detects the session itself, and an attribute-based access decision (who the user is, what device they are on, which target they are connecting to) determines which privileged credential the solution injects into the session on the server side so the user can continue. No credentials, especially the password, leave the organization, nor are they typed in on the endpoint. They are managed centrally and can be rotated after every session, so even a credential observed during one session is useless afterwards, and the threat of a remotely exposed privileged credential is mitigated.
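The flow described above, as an added example that is not part of the original article or any vendor's product. It models a minimal credential-injection broker in Python: a constructed in-memory vault and a stand-in target host (`Vault`, `Target`), an assumed attribute-based rule (`authorized`: privileged accounts require the sysadmin role, MFA and a managed device), and a `Broker` that checks the rule, pulls the password from the vault, authenticates to the target on the user's behalf, hands back only a session handle, and rotates the password when the session closes. All names, the policy and the sample password are assumptions made for the example.

```python
import hashlib
import secrets
from dataclasses import dataclass


def _h(password: str) -> str:
    # Targets store a hash of the password, never the plaintext (demo only).
    return hashlib.sha256(password.encode()).hexdigest()


class Vault:
    """Constructed stand-in for a password safe keyed by (target, account)."""

    def __init__(self, entries):
        self._secrets = dict(entries)

    def checkout(self, target, account):
        return self._secrets[(target, account)]

    def rotate(self, target, account):
        new = secrets.token_urlsafe(24)
        self._secrets[(target, account)] = new
        return new


class Target:
    """Constructed stand-in for a managed host that verifies a password hash."""

    def __init__(self, name, account, password):
        self.name, self.account = name, account
        self._pw_hash = _h(password)

    def set_password(self, account, password):
        assert account == self.account
        self._pw_hash = _h(password)

    def login(self, account, password):
        return account == self.account and _h(password) == self._pw_hash


@dataclass(frozen=True)
class Session:
    """What the remote user receives: a handle, never the credential itself."""
    id: str
    user: str
    target: str
    account: str


PRIVILEGED = {"root", "Administrator"}  # assumed list of privileged accounts


def authorized(attrs, account):
    """Assumed attribute-based rule: privileged accounts need the sysadmin role,
    MFA on the session and a corporate-managed endpoint."""
    if account in PRIVILEGED:
        return (attrs.get("role") == "sysadmin" and attrs.get("mfa", False)
                and attrs.get("managed_device", False))
    return attrs.get("role") in ("sysadmin", "operator")


class Broker:
    """Checks attributes, injects the vault credential server-side, rotates on close."""

    def __init__(self, vault, targets):
        self.vault, self.targets = vault, {t.name: t for t in targets}
        self._active, self.audit = {}, []

    def open_session(self, user, attrs, target_name, account):
        if not authorized(attrs, account):
            self.audit.append(("deny", user, target_name, account))
            raise PermissionError(f"{user} may not use {account} on {target_name}")
        password = self.vault.checkout(target_name, account)  # never sent to the client
        if not self.targets[target_name].login(account, password):
            raise RuntimeError("vault and target are out of sync")
        session = Session(secrets.token_hex(8), user, target_name, account)
        self._active[session.id] = session
        self.audit.append(("open", user, target_name, account))
        return session

    def close_session(self, session_id):
        session = self._active.pop(session_id)
        new_password = self.vault.rotate(session.target, session.account)
        self.targets[session.target].set_password(session.account, new_password)
        self.audit.append(("close", session.user, session.target, session.account))
        return session


def build_demo():
    """Constructed environment: one host, one root password, a broker in front."""
    initial = "S3cr3t-initial-root-pw"  # constructed sample password
    host = Target("db01", "root", initial)
    vault = Vault({("db01", "root"): initial})
    return Broker(vault, [host]), vault, host, initial


if __name__ == "__main__":
    broker, vault, host, initial = build_demo()
    attrs = {"role": "sysadmin", "mfa": True, "managed_device": True}
    s = broker.open_session("alice", attrs, "db01", "root")
    print("client-visible session:", s)
    broker.close_session(s.id)
    print("initial root password still valid after rotation?", host.login("root", initial))
```

The point to notice is where the password lives: it is read inside `Broker.open_session` and used against the target there, the `Session` returned to the user has no field that could carry it, and after `close_session` the value that was valid during the session no longer authenticates. A real deployment would replace the in-memory vault and the hash-checking host with a password safe and the target's native authentication, but the trust boundary is the same.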
As we ramp up users’ access, we should consider the risks. A few simple steps will ensure these changes do not become an unacceptable liability. They are not hard to implement and will ensure the herd does not become a victim of the changes we need to make in order to manage the threats of this pandemic.