For close to two decades, organizations have allowed privileged employees to work remotely by offering remote access solutions as a part of the daily work environment. But until recently, working remotely was more of a luxury than a necessity. With the rise of COVID-19, many organizations moved their entire workforces home overnight.
That emergency shift could remain the norm now that many organizations have discovered how seamless the transition was — on paper. They point to benefits like employee productivity combined with lower overhead.
Yet, working from home is having an underestimated impact on network shape and traffic. Organizations are recognizing the severe security implications from a sudden reliance on the cloud, mobile devices and unfamiliar Wi-Fi network connections.
This has been a cataclysm on networks worldwide, but it is hardly going noticed. Access to corporate resources is occurring from a greater number of endpoints and from further away than ever, and the visibility of corporate networks is at an all-time low. Hackers have taken advantage, and smart CISOs know that now is the time to rethink and possibly reinvent remote-access policy.
Updating Remote Access Policies
The first step in understanding whether your access policy is geared for a remote-reliant workforce is by auditing it against your organization’s security objectives. One common mistake that security teams make when designing and updating their security and remote-access policy is not fully understanding the current contours of their network — or accounting for employees’ changing locations and access habits.
It’s important to revise policies designed for on-premises work. Bring your IT team into the fold and get them to diagnose how users are connecting and where gaps appear. Too often we see security teams stuck using the template they previously relied upon. It’s crucial that they understand that the audit is less about erasing the old template, and more about making it flex around individual users. A user-centric policy best fits the needs of a remote workforce.
Focus on Users: Who, What and How
It’s not a new idea that supporting remote workers increases the number of security risks facing your organization. However, with a massive increase in successful ransomware and phishing attacks since the pandemic started, it’s become more obvious that remote employees are opening entry points for attackers.
To address remote-work security, custom-access controls are more critical than ever. A key fundamental of remote-access policy is the identification of users and groups with similar access needs. That allows you to assign them rules and enforce those rules automatically. IT and security teams should enforce the use of Identity Providers before access is granted, and then define the teams of employees that need a similar access type to do their jobs.
Next, you need to segment your network based on resource sensitivity, then decide which of your user groups should and should not have access to individual segments.
The final step in access control in a remote work environment is to enforce encryption processes for remote network access. This will allow you to mandate secure access to corporate resources for remote employees while verifying each user.
Don’t Forget Authentication and Authorization
Strong password practices and multi-factor authentication (MFA) are the capstones to your remote access policies.
Every policy worth its salt will require all remote employees to use a company-approved password manager. While most employees know they should be using unique and long passwords for each account, it’s a challenge for anyone to remember which password is for what — so the default is laziness. Many times, people will use the same password for many different accounts, which widens the attack surface in a way that IT can’t directly fight.
Instead of relying on every individual employee’s password hygiene, it’s best to implement a password manager or Single Sign-On (SSO) solution into your organization’s policy. These generate a unique password for each account and simplify the sign-in process.
Additionally, MFA should be mandatory for a more complete authentication process. Also great for adding an extra layer of protection for contractors and freelance employees, MFA is best when it’s from multiple providers and more advanced than simple SMS-based authentication. Done right, MFA protects resources before access occurs.
Remote Workforces of Tomorrow
Reducing the risks of remote work starts with updating the access policies of yesterday. This is the biggest and most crucial effort, and the first step involves throwing away the old perimeter-focused access model and adopting a user-centric approach. It’s not a matter of simply integrating new technologies and tools, but also encouraging a new school of thought within the IT department itself.
Involving zero-trust components like micro-segmentation, SSO, logging all traffic and more, the move to fortify networks against new remote-access trends is multi-faceted and has untold benefits. Companies that get the recipe right will gain a lot more than just security – they can finally align IT and its goals with executive priorities and the business’s bottom line.
Amit Bareket is the CEO and co-founder of Perimeter 81.
Enjoy additional insights from Threatpost’s InfoSec Insider community by visiting our microsite.