2020 is perhaps the most significant year in the last two decades for many countries and the world as a whole. During the pandemic, the move of employees to remote work, often without protected remote connections, reached an unprecedented scale. It has even affected industries that previously did not welcome remote work, such as banking. Because security is a key aspect of remote communications, the choice of corporate information security tactics under the new conditions is becoming particularly important.
Temporary Measures for Protecting Remote Connections – Not an Option
The shift to remote work, which is often insecure, gives attackers more opportunities than before. Experience shows that many organizations are not prepared for the scale of these threats. The immediate measures taken now are unlikely to remain viable in the long term.
Many organizations, even contrary to their internal standards, began to widely use information security products under the Try & Buy scheme. For the most part, IT managers hope to protect their organizations with software offered under a free license during the COVID-19 outbreak, and then to abandon it and continue working as before. Meanwhile, there is reason to believe that the first wave of COVID-19 and the associated social restrictions may well be followed by a second and a third. In fact, they are already here. Accordingly, all temporary solutions will have to be converted into integrated systems.
When protecting the remote sections of the infrastructure that are most vulnerable to external attacks, prioritize monitoring devices, connections, and user auditing.
Of course, the most favorable situation occurs when the organization can provide employees with work laptops for official duties from home. This workflow is known as COBO (Corporate-Owned, Business Only). This approach enables the IT staff to ensure maximum security for systems and communication channels, considering the geographically distributed arrangement of corporate devices and nodes.
However, this option is not always possible to implement. At a minimum, the organization must first model the relevant information security threats, configure security policies, and implement mechanisms for automatically applying these policies.
Securing BYOD: Mitigating Risks and Protecting Remote Connections
Accordingly, many organizations today implement another well-known concept: BYOD (Bring Your Own Device), in which employees use their own devices for remote work that involves connecting to corporate information systems. This creates additional risks, since IT security officers in many cases have little idea what kind of devices people use, who has access to them, and what can penetrate the internal network through them.
Obviously, the minimum necessary measure to ensure a secure user session within BYOD should be to protect the device’s connection to the corporate network using a VPN. However, the VPN does not solve the original problem of connecting an unverified and potentially rogue device to the network. For instance, such a device could be a child’s gaming PC. The antivirus database on this PC might not have been updated, or there might be no antivirus software installed at all because there’s no valuable information on the device. Consequently, this computer could already harbor several pieces of malicious software, even if it’s a relatively secure Apple device. This situation makes it a potential entry point for hackers.
Smart Protection for BYOD
To minimize the various BYOD risks, Network Access Control (NAC) can be used in the organization’s information security infrastructure. Such software is now offered by all major manufacturers: Cisco, Microsoft, Symantec, etc. These systems were created specifically to facilitate the transfer of business processes to the BYOD scheme. At some point, customers began to repurpose them for new tasks, such as the Internet of Things. As a result, although the majority of companies have implemented the so-called AAA processes (authentication, authorization, and audit) related to information security, few organizations use proper tools to monitor devices’ security profiles.
In the current situation, IT security employees should make the most of their network access control systems in accordance with their original purpose. NAC provides mechanisms for monitoring and verifying any device that is trying to access the corporate network for compliance with security policies. In case of non-compliance, the system will automatically start certain procedures for normalizing access parameters in accordance with information security requirements. If such a procedure is not possible, then NAC will block access to the corporate network for this device.
Protecting Remote Connections: Leveraging Access Control Solutions and Integration Strategies for Enhanced Network Security
Another option is also possible: a device that does not fully comply with information security policies receives limited access to the network, for example to isolated areas that do not contain critical information. To achieve this, you must segment the corporate network by departments or access levels. This can be done using traditional approaches such as virtual networks (VLANs) and data from Active Directory, or by using software-defined methods such as Cisco TrustSec technology.
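The decision flow described in the two paragraphs above (compliant devices get in, fixable ones are remediated, partly compliant ones are confined to an isolated segment, the rest are blocked) can be sketched as follows. This is an added example, not code from any NAC product; the check list, the 7-day threshold, the VLAN IDs and all names are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, NamedTuple, Optional

class Access(Enum):
    FULL = "full"              # compliant: department segment
    REMEDIATE = "remediate"    # fixable: isolated segment until re-check passes
    RESTRICTED = "restricted"  # partly compliant: isolated segment only
    BLOCK = "block"            # cannot be brought into compliance

@dataclass(frozen=True)
class Posture:
    agent_present: bool        # NAC agent able to apply fixes on the device
    av_installed: bool
    av_signature_age_days: int
    os_patched: bool
    disk_encrypted: bool

class Check(NamedTuple):
    name: str
    passed: Callable[[Posture], bool]
    auto_fix: bool             # the agent can correct it without the user
    critical: bool             # failure rules out even restricted access

# Assumed policy: checks, threshold and VLAN IDs are illustrative only.
CHECKS = [
    Check("antivirus_installed", lambda p: p.av_installed, False, True),
    Check("av_signatures_fresh", lambda p: p.av_signature_age_days <= 7, True, True),
    Check("os_patched", lambda p: p.os_patched, True, True),
    Check("disk_encrypted", lambda p: p.disk_encrypted, False, False),
]
DEPARTMENT_VLAN = {"finance": 110, "engineering": 120}
ISOLATED_VLAN = 999            # segment with no critical data; also the fallback

class Decision(NamedTuple):
    access: Access
    vlan: Optional[int]
    failed: list

def evaluate(p: Posture, department: str) -> Decision:
    failed = [c for c in CHECKS if not c.passed(p)]
    names = [c.name for c in failed]
    if not failed:
        return Decision(Access.FULL, DEPARTMENT_VLAN.get(department, ISOLATED_VLAN), names)
    if p.agent_present and all(c.auto_fix for c in failed):
        return Decision(Access.REMEDIATE, ISOLATED_VLAN, names)
    if any(c.critical for c in failed):
        return Decision(Access.BLOCK, None, names)
    return Decision(Access.RESTRICTED, ISOLATED_VLAN, names)
```

An unmanaged home PC with no antivirus and no agent ends in `BLOCK` here even over a VPN, which is the gap the VPN alone leaves open.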
When choosing a NAC solution, you must, among other things, confirm that it can be fully integrated with the existing IT environment. Such a check is a rather laborious process, and if it is carried out incorrectly, you may not get the required efficiency from the NAC because of functional limitations. Therefore, to implement intelligent network access control systems, it is better to engage specialized companies that have the necessary qualifications and experience in the field of information security.
In addition to NAC, organizations may also pay attention to other solutions aimed at controlling user actions: Mobile Device Management (MDM) and Data Leak Prevention (DLP) systems. MDM allows you to ensure the safety and security of remote users' portable devices, for example by preventing data loss when a smartphone, tablet, or laptop is stolen. In turn, DLP systems enable organizations to analyze the behavior of their employees. You can use them to track where confidential information is sent and whether users are violating information exchange rules. They also enable you to analyze how employees spend their working time. While these measures may not be the top priority, they can be considered a second layer of protection that supplements a robust security framework safeguarding remote employees and their devices.
Alongside NAC, a new domain has emerged: Hardware Access Control (HAC-1). It offers ultimate visibility, policy enforcement capabilities and Rogue Device Mitigation for the enterprise's hardware assets. This new domain complements NAC functionality on the network domain and EPS on the device domain.
And, of course, technical procedures will be most effective only when organizations support them with specific actions. Managers should consider:
- Introducing internal corporate regulations and instructions for working remotely.
- Signing additional agreements with employees on the use of confidential information.
- Carrying out general measures to clarify responsibility when working with corporate networks, services, and data outside the office.
- Conducting security awareness training.
Thus, it is the integrated approach and the meticulous consideration of all the details that allow organizations to build an optimal model of safe remote work, not only for the short term but also for a longer period.
Contributed by: David Balaban