2020 is perhaps the most significant year in the last two decades for many countries and the world as a whole. During the pandemic, the transfer of employees to a remote mode of operation has gained unprecedented proportions. It has even affected industries where work outside the office has not previously been welcomed, such as banks. Given the fact that security is a key aspect of distant communications, the choice of corporate information security tactics in the new conditions is becoming particularly important.
Temporary measures – not an option
A massive transition to work in a remote and often insecure mode opens much richer opportunities for attackers than it has been so far. And, as life shows, not all organizations are ready for the huge scale of these threats. The urgent measures that are taken in the “here and now” mode, most likely cannot be viable in the long run.
Many organizations, even contrary to their internal standards, began to widely use information security products based on the Try & Buy scheme. For the most part, IT managers are hoping to protect their organizations using software that is offered with a free license during the COVID-19 outbreak, and then abandon it and continue to work as before. Meanwhile, there is a reason to believe that after the first wave of COVID-19 and associated social restrictions, the second and third may well follow, and actually-they are already here. Accordingly, all temporary solutions will have to be converted into integrated systems.
In protecting the remote sections of the infrastructure that are most vulnerable to external attacks, priority should be given to monitoring devices, connections, and user auditing.
Of course, the most favorable situation can be considered when the organization has the opportunity to provide work laptops to employees to perform official duties from home. This workflow is called COBO (Corporate-Owned, Business Only). This approach allows the IT staff to provide maximum security for systems and communication channels, taking into account geographically distributed arrangement of corporate devices/nodes.
However, this option is not always possible to implement. At a minimum, the organization must first model the relevant information security threats, configure security policies, and implement mechanisms for automatically applying these policies.
Accordingly, today, in many organizations, another well-known concept is implemented. It is called BYOD (Bring Your Own Device), which implies that employees use their own devices for remote work that involves connection to corporate information systems. And this creates additional risks since IT security officers in many cases have little idea what kind of devices people use, who have access to them, and what things can penetrate the internal network through them.
Obviously, the minimum necessary measure to ensure a secure user session within BYOD should be to protect the device’s connection to the corporate network using a VPN. However, the VPN does not solve the original problem of connecting an unverified and potentially rogue device to the network. And such a device, for example, can be a child’s gaming PC, on which the antivirus database was not updated or simply there is no antivirus at all due to the fact that there is no valuable information on this device. As a result, such a computer may already be infected with several pieces of malicious software (even if it is a relatively secure Apple device), which makes it a potential entry point for hackers.
Smart protection for BYOD
In order to correctly minimize various BYOD risks, Network Access Control (NAC) can be used in the organization’s information security infrastructure. Such software is now offered by all major manufacturers: Cisco, Microsoft, Symantec, etc. These systems were created specifically to facilitate the transfer of business processes to the BYOD scheme. At some point, customers began to redesign them for new tasks, such as the Internet of Things. As a result, although the majority of companies have implemented the so-called AAA processes (authentication, authorization, and audit) related to information security, not many organizations still use proper tools to monitor devices’ security profiles.
In the current situation, IT security employees should make the most of their network access control systems in accordance with their original purpose. NAC provides mechanisms for monitoring and verifying any device that is trying to access the corporate network for compliance with security policies. In case of non-compliance, the system will automatically start certain procedures for normalizing access parameters in accordance with information security requirements. If such a procedure is not possible, then NAC will block access to the corporate network for this device.
Another option is also possible: a device that does not fully comply with information security policies will receive limited access to the network, for example, to isolated areas that do not contain critical information. True, for this, the corporate network must be segmented by departments or access levels, either within the traditional approaches using virtual networks (VLANs) and data from the Active Directory, or using software-defined methods, for example, based on Cisco TrustSec technology.
It is worth noting that, choosing a NAC solution, it is necessary, among other things, to be sure of the possibility of its full integration with the existing IT environment. Such a check is a rather laborious process, and if it is carried out incorrectly, then you may not get the required efficiency from the NAC due to functional limitations. Therefore, to implement intelligent network access control systems, it is better to attract specialized companies that have the necessary qualifications and experience in the field of information security.
In addition to NAC, organizations may also pay attention to other solutions aimed at controlling user actions. These are Mobile Device Management (MDM) and Data Leak Prevention (DLP) systems. MDM allows you to ensure the safety and security of portable devices of remote users, for example, by preventing data loss during the theft of a smartphone, tablet, or laptop. In turn, DLP systems enable organizations to analyze the behavior of their employees: where confidential information gets sent, whether the user violates the rules of information exchange, etc. With their help, you can even analyze what the working time of employees is spent on. Of course, these measures are unlikely to be paramount. Still, they can be considered as the second layer of protection that complements a solidly built safety cage that protects remote employees and their devices.
Alongside NAC, a new domain has risen Hardware Access Control (HAC) – the ability to have ultimate visibility, policy enforcement capabilities and Rogue Device Mitigation with regards to the Enterprises Hardware assets. This new domain complements the NAC functionality on the Network domain and EPS on the device domain.
And of course, technical procedures will be most effective only if they are supported by organizational actions. Managers should consider:
· Introducing internal corporate regulations and instructions for working remotely
· Signing up additional agreements with employees on the use of confidential information
· Carrying out general measures to clarify responsibility when working with corporate networks, services, and data outside the office.
· Conducting security awareness training.
Thus, it is the integrated approach and the meticulous consideration of all the details that allow organizations to optimally build a model of a safe remote work not only for the short term but also for a longer period.
Contributed by: David Balaban