Top Security Concerns Around Remote Access and Business Continuity Planning
How you react today will determine how well your organization adapts to the demand for remote workers; more importantly, it will dictate how efficiently employees can get their job done without increasing risk.
In addition and just as important, all IT, security and risk management professionals must consistently and accurately evaluate the strengths and weaknesses of recovery plans to ensure the organization's ability to survive disruptions in how they normally do business. Having a documented exercise management strategy provides a comprehensive approach to assessing the effectiveness and efficiency of the incident response and continuity plans.
What we often see is that organizations fail to conduct comprehensive exercising of incident response and continuity plans, thereby severely limiting the organization's knowledge of their ability to respond, recover and restore operations after a disruption.
As we've stated before, exercising is important, but many of us don't make it a habit. Often the problem is that establishing a routine can seem daunting. But when you do get into the swing of it, it's amazing how a little regular exercise can contribute to your overall health. The same is true of incident response and continuity plans.
Similarly, some organizations turn to chaos engineering as part of their regular testing so they can prevent outages and test disaster recovery mechanisms, avoiding a false sense of security. We're finding that very few business continuity plans (BCPs) include a scenario like the one we're facing today: a global crisis that's forcing organizations to put projects and profits aside.
To summarize: you're not alone.
What is top of mind for leaders today?
How do we provide a positive end-user experience while maintaining our security posture and ensuring data privacy with a remote workforce? There are three key areas you should consider when deploying a secure and scalable remote access solution for your workforce.
1. Security, visibility and data privacy
Many organizations have resources deployed onsite or in the cloud, or are using Software-as-a-Service (SaaS). The more your organization relies on SaaS products like Box, Salesforce, Office 365 or G-Suite, the more you will want to ensure that the data stored there is properly secured and protected. Don't assume it is. Take a few minutes to examine the service agreement each vendor provides to see what, if any, backup and recovery services they provide.
Have you done a security posture assessment comparing on-prem vs. remote workers in the last 12 months? When is the last time a remote access assessment was done to ensure your organization had a scalable, secure and reliable remote access solution in place?
Many times, remote workers are accessing the same applications, data and intellectual property, yet they don't have the same security posture as they would with the on-site corporate network. It doesn't make sense, but there's usually a reason for everything, and we're not here to point fingers or blame anyone. We just want to help.
Here are some things to think about when securing remote access to your network and applications:
- Are you comfortable with the level of visibility you have into encrypted traffic?
- Is full network access really needed?
- What are we doing for Single Sign-On (SSO) and Multi-Factor Authentication (MFA)?
- Are we using network-based or endpoint-based DLP technologies? Maybe both?
- Are we protecting remote and local internet traffic with a secure web proxy?
- How will we continue patching endpoints with a remote workforce?
- How are we handling identity and access management and AAA?
Having inconsistent security across the enterprise will increase risk and operational burden.
Organizations are modernizing their applications and as part of that process, they're either refreshing the underlying hardware or moving to software. The number of organizations moving to software is on the rise, with most doing it to take advantage of the discounts found in an enterprise license agreement (ELA). More importantly, they're finding that software makes their business more agile, allowing IT to keep up with the pace of business.
Another change we're seeing regarding remote access is that some organizations use solutions like F5 Networks Access Policy Manager (APM) to present users with a secure web portal. This allows centralized access to applications—regardless of where the application lives—where they can protect the portal with MFA and role-based access control, and also use SSO to ensure a great user experience. This gives organizations an added layer of visibility and control over who, what, when and where a user is accessing their applications, and it also makes them more agile.
There are several things that can help you ensure data privacy, for both on-prem and remote workers:
- create/update the cybersecurity policy and enforce annual training;
- use and enforce strong passwords;
- use Multi-Factor Authentication and Single Sign-On;
- use encryption software;
- require firewalls, anti-virus and anti-malware software on devices accessing data;
- implement mobile device management solutions;
- gain visibility into encrypted internet traffic;
- secure wireless and home networks;
- enable auditing (user and data);
- perform data classification (helps identify risk); and
- define data visibility and context (user, device, directory or file, time).
There are a lot of security products on the market today, especially when it comes to identity and access management, SSO and MFA. "Which product is best for [insert consideration here]?" is one of the most common questions we get asked.
Unfortunately, there's no crystal ball in advanced enterprise security. In many cases, it's hard to know which product is best without understanding the use case and challenges. We do know one thing for sure: nearly every OEM will tell you their solution is the best. This is why our customers typically come to us first, because we're able to provide an unbiased opinion that's usually based on test findings in our Advanced Technology Center.
Unfortunately, security challenges are typically overcome by tools that are purchased tactically and are not part of an overall security strategy. This leads to tool sprawl, which creates operational and management challenges for everyone. WWT's Security Tools Rationalization Workshop is one of the most valuable security workshops we offer, as it targets this specific issue.
2. Scalability, resiliency and overall performance
Creating a responsive, secure technology infrastructure to enable effective secure remote access is not as easy as buying a SKU. In the past, the most common remote access solution was an active/standby VPN deployment; however, the way we use and deploy applications today is different than it was in the past.
Digital transformation and application modernization are driving organizations to deploy apps and supporting services in a public cloud, multicloud or even SaaS. But many times, core business operations are still run on-prem or in colocation facilities, which raises the question: is a VPN the right solution for today's modern workforce?
The concept of designing a VPN solution around an average workload worked well—until it didn't. In many cases IT, security and application teams fail to fully appreciate the breadth and depth of the infrastructure changes and security requirements needed to support effective remote work at a large scale.
Your organization's remote work technology infrastructure should enable effective and secure performance by all types of remote workers. The specific artifacts of this infrastructure will depend on the type of work for a given role. Security and infrastructure decisions must account for employee training, ongoing support and internal SLAs so that all employees are enabled to work well and securely from multiple disparate locations.
Many large organizations today have at least some form of constant remote workers. IT, security and application teams should stress-test and pen test the existing technology infrastructure to ensure it has the scale and security to support remote work. They also need to determine whether the infrastructure has the necessary capabilities for accelerating digital business transformation and increasing employee engagement.
Your technology decisions can also change the nature of responsibilities and tasks, enabling them to be done remotely. Application leadership should assess the different ingredients in the technology mix to optimize the experience of all remote workers, regardless of workload and geography. Which raises the question: can your current infrastructure and licensing support the entire workforce from home, at once?
The fact is that many cannot, and the unforeseen events of today are driving emergency orders across the globe. Unfortunately, some OEMs are dealing with supply chain issues or sourcing from other countries. How do you plan for all of this?
Is your remote access solution running on outdated hardware? Perhaps the last refresh cycle was skipped, because it wasn't deemed necessary at the time.
When executive leaders are forced to require all employees to work from home and IT becomes the roadblock to the entire operation, things will start to go downhill quickly. There are many risks associated with having an outdated remote access solution or policy in place.
Speaking of policy, now is a good time to work with the executive team to establish or modify your remote work policy. Take some time to review your findings with them on how to mitigate concerns and drive benefits of remote work. A further goal of the updated policy should be to help prepare employees for remote work and to clarify what demands will be made of them. The policy will also help enable supportive interactions between workers.
What's keeping you up at night? Can your remote access solution do the following:
- handle the increased number of connections;
- withstand multiple hardware failures;
- provide consistent throughput with the increased load; and
- be load balanced, or distributed across multiple sites?
As you can see, there are many things to consider when designing a scalable, resilient and high-performing remote access solution.
We have received numerous reports of connection limits being hit, users being disconnected or CPU/memory being pegged. In the past, we did some testing between numerous NGFW manufacturers and found throughput numbers were significantly impacted as CPU/memory utilization went up. In one case, we saw a 95 percent decrease in performance when CPU and memory approached 100 percent utilization.
We all know that performance plays heavily into the user experience for your secure remote workers. But more importantly, depending on your secure remote access architecture, it could also impact customer experience and availability. Poor customer experience can hurt revenue short-term, but consider the long-term impact the experience might have on brand loyalty, trust and preparedness. Don't let your support for remote workers cannibalize your customer experience.
Our goal should be to minimize customer impact, while providing a resilient architecture that has the right-sized infrastructure to ensure a positive experience for the remote workforce. Organizations should consider:
- logging;
- eliminating unnecessary firewall rules;
- disabling modules and capabilities that are no longer used; and
- creating thresholds for informative alerting.
3. Remote end-user experience and lack of control
What are the risks associated with engineering and architecture in chaos-mode? Deploying solutions in a tactical manner exposes your organization to unnecessary risk due to things like:
- human error;
- poor architecture;
- oversight;
- lack of control;
- overcoming technical challenges with bubble gum & tape; and
- inconsistent security services (email, web, DLP, etc.).
As the size of your remote workforce increases, so does the value of having centralized controls and visibility over your infrastructure. Many times, remote workers are more productive and operate with fewer interruptions than they do when at the office. Think about what you can do to evangelize and support that.
How important do you feel a consistent experience is for your remote workforce? Think about the experience as it relates to operations, access and performance. If issues arise in any of those categories, they need to be addressed through different processes, technologies or features.
Here are some things to consider around user experience:
- connectivity/Internet access;
- voice quality;
- Help Desk staffing (increase in troubleshooting tickets with little to no control);
- log-on process changes;
- O365 performance; and
- different services vs. on-prem.
Many organizations are experiencing an increase in the number of emails containing malicious links or attachments, which are tied to news, HR updates, etc. Having a secure web proxy service in place for the remote workforce is of the utmost importance.
Ultimately, there are a lot of things to consider around remote access, especially at the scale many organizations are looking to support. There is one key question you can ask your IT staff: how do we provide productivity for our remote workforce while maintaining the same level of security we have on-prem?
A holistic approach
At WWT, we take a consultative and architectural approach to remote access solutions, rather than focusing on point solutions. This helps us align business goals and objectives to technical solutions, providing more effective outcomes and solutions that further the development of an enterprise remote access security architecture.
Our goal is to streamline the design, implementation, management and evolution of remote access architecture to establish security awareness, optimize defense capabilities, improve threat response, mitigate breaches and close compliance gaps for all of our customers. Learn more about how we can integrate and deploy remote access securely to help reduce vulnerabilities. Our experts can help you better understand your organization's current remote access security posture.