As a preventive measure in the current COVID-19 climate, many Australian businesses are, where possible, moving towards a remote workforce. This means employees working from home or another low-density, low-exposure location.
This raises several challenges. Not all businesses have the resources to enable a mobile workforce on demand. Employees may need to access workplace resources from an unmanaged personal device, and may be connecting to those resources from public or home networks with limited security in place. To maintain productivity while still taking a security-first approach, workplaces need to consider the following:
How can I ensure that users are accessing company data from a secure device?
How can our organisation enable collaboration, while maintaining security?
What steps can ensure that only valid identities are allowed remote access?
How can remote access be enabled? What does this mean for non-managed devices?
How am I able to support the volume of remote access traffic?
When considering any change to your environment or architecture, including remote access, always measure the change against a recognised standard or guideline. The Essential Eight Maturity Model from the Australian Cyber Security Centre (ACSC) provides mitigation strategies at different maturity levels, which can be matched to the level of security posture your business requires.
If you want help with any of the below, or with understanding what maturity level you are at and what would be involved in increasing your maturity please contact us and we will assist you or help you get in touch with others who can assist you.
How Can I Ensure That Users Are Accessing Company Data From A Secure Device?
Most online productivity tools (such as email or word-processing tools) allow a user to sign in from anywhere and from any device in their default configuration. This is a concern because the organisation can only manage content on a device it has onboarded, or within applications it publishes. Organisations need to consider how to restrict access to company data from devices that are unmanaged or used externally, while still enabling users to complete their business-as-usual tasks.
When using the Microsoft 365 stack, Conditional Access policies can enforce that users access company data only from a workplace-managed (compliant or domain-joined) device. Controls can also be applied to manage the use of business applications and data on personally owned devices, and sign-in can be denied on devices that do not meet a set of minimum requirements. The same mechanism can expose a restricted set of resources to lightly managed or unmanaged devices, such as browser-only access to productivity tools.
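The policies described above can be created through the Microsoft Graph Conditional Access API rather than clicked together in the portal. The script below is an added example written for this article, not code from the original page or from Microsoft. It assumes an access token holding the Policy.ReadWrite.ConditionalAccess permission is supplied in a GRAPH_TOKEN environment variable (an assumed name), and BREAK_GLASS_GROUP_ID is a placeholder for the object ID of an emergency-access group that every policy excludes. It builds three policies: desktop and mobile clients must come from a managed device, browser sessions from unmanaged devices get Office 365's app-enforced limited access, and legacy authentication protocols (which carry no device state) are blocked. All three are created in report-only mode so their impact can be reviewed in the sign-in logs before they are enforced.

```python
"""Create device-based Conditional Access policies via Microsoft Graph.

Added example (not from the original article). Assumes GRAPH_TOKEN holds an
access token with Policy.ReadWrite.ConditionalAccess, and that
BREAK_GLASS_GROUP_ID is a placeholder for a real emergency-access group.
"""
import json
import os
import urllib.request

GRAPH_POLICIES = "https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies"
BREAK_GLASS_GROUP_ID = "00000000-0000-0000-0000-000000000000"  # placeholder

# Create every policy in report-only mode first; switch to "enabled" only after
# the sign-in logs confirm nobody essential would have been locked out.
REPORT_ONLY = "enabledForReportingButNotEnforced"

# Devices that are Intune-compliant or hybrid-joined count as managed.
MANAGED_DEVICE_RULE = 'device.isCompliant -eq True -or device.trustType -eq "ServerAD"'


def build_device_policies(break_glass_group_id: str = BREAK_GLASS_GROUP_ID) -> list:
    """Return the three policy bodies in the order they should be created."""
    users = {"includeUsers": ["All"], "excludeGroups": [break_glass_group_id]}

    # 1. Rich clients (Outlook, Teams, OneDrive sync, mobile apps) must come from a
    #    managed device. The OR operator means either built-in control satisfies it.
    require_managed_device = {
        "displayName": "CA01 Require managed device for desktop and mobile clients",
        "state": REPORT_ONLY,
        "conditions": {
            "users": users,
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["mobileAppsAndDesktopClients"],
        },
        "grantControls": {
            "operator": "OR",
            "builtInControls": ["compliantDevice", "domainJoinedDevice"],
        },
    }

    # 2. Browser sessions from devices that are NOT managed (the device filter
    #    excludes managed ones) are still allowed, but Office 365 applies its
    #    limited, web-only access restrictions for the session.
    browser_limited_access = {
        "displayName": "CA02 Browser-only limited access for unmanaged devices",
        "state": REPORT_ONLY,
        "conditions": {
            "users": users,
            "applications": {"includeApplications": ["Office365"]},
            "clientAppTypes": ["browser"],
            "devices": {"deviceFilter": {"mode": "exclude", "rule": MANAGED_DEVICE_RULE}},
        },
        "sessionControls": {"applicationEnforcedRestrictions": {"isEnabled": True}},
    }

    # 3. Legacy protocols (basic auth SMTP/IMAP/POP, old ActiveSync) cannot convey
    #    device state or MFA, so they would bypass policies 1 and 2. Block them.
    block_legacy_auth = {
        "displayName": "CA03 Block legacy authentication",
        "state": REPORT_ONLY,
        "conditions": {
            "users": users,
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }
    return [require_managed_device, browser_limited_access, block_legacy_auth]


def create_policy(policy: dict, token: str) -> dict:
    """POST one policy body to Graph and return the created object."""
    req = urllib.request.Request(
        GRAPH_POLICIES,
        data=json.dumps(policy).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    token = os.environ["GRAPH_TOKEN"]
    for policy in build_device_policies():
        created = create_policy(policy, token)
        print(created["id"], created["displayName"], created["state"])
```

Excluding a break-glass group is not optional: a device-based policy that also covers the emergency administrator accounts can lock an organisation out of its own tenant if device enrolment or Intune compliance evaluation breaks.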
For G Suite users, fundamental device management can be used to limit user access to a corporate Google Drive location based on IP address, user identity or corporate-owned device status.
How Can Our Organisation Enable Collaboration, While Maintaining Security?
Teams used to a high level of communication throughout the working day can struggle to maintain that connection with each other when working from home. There are collaboration tools on the market that aim to maintain this sense of connection with your team. When adopting these tools it is critical to understand where your organisation's data is going and to ensure you are not creating a new attack surface for cyber criminals to exploit.
For organisations invested in the Microsoft stack we highly recommend Microsoft Teams. Teams provides chat, document storage, conferencing and scheduling, is compliant with many international standards including ISO 27001/27018, and encrypts data at rest and in transit. With your Teams tenancy hosted in the Australia East and Australia Southeast Microsoft datacentre regions, the service is also IRAP certified by the ACSC for data classified up to PROTECTED. Teams supports up to 250 participants per call. Conditional Access policies control which users and devices can reach the service, and collaboration can be restricted to internal users only, or opened by domain or individual email address to include only specific external users.
For workplaces that do not use the Microsoft stack, Slack is an alternative collaboration product that is compliant with ISO 27001 and encrypts data in transit and at rest. When hardening your Slack workspace, enforce two-factor authentication for all members.
Stay on target with frequent team summaries or stand-ups to ensure that all team members are on track and that no blockers are inhibiting progress for an individual or project. This may be a short Teams call (around 5 minutes, depending on team size) or a shared chat with a task summary for each member; consider using Tasks, which can be pinned to a channel in Teams. If using Slack, consider adding a Trello board to your channel.
What Steps Can Ensure That Only Valid Identities Are Allowed Remote Access?
When allowing remote access, remember that you are permitting external access to a protected internal network whose security may intentionally rely on other controls, such as physical security or hardened user workstations and network devices, that do not apply to a remote user. It is critical to control, monitor and review which users are enabled for remote access, and to implement additional controls where necessary.
Assign roles or groups to the users that require remote access. Their requirements will vary, including the devices they need to access company data from. No single policy will suit all remote access users; most solutions allow access to be restricted per application or service, so grant each group only the services it needs.
For all remote access, use a multi-factor authentication solution with a factor unique to each user (if not already implemented). This may be a software token such as Microsoft or Google Authenticator, or a hardware token such as an RSA SecurID or FIDO U2F key. The ACSC guidelines are explicit on this point: maturity level 1 of the multi-factor authentication mitigation strategy requires that "multi-factor authentication is used to authenticate all users of remote access solutions" (ACSC 2019).
How Can Remote Access Be Enabled? What Does This Mean For Non-Managed Devices?
A remote access solution enables a user to reach existing secure work resources from a less-secure location. This means providing the user with a secure method of reaching on-premises company resources without having to completely lock down a non-work device.
For users on a workplace-managed device, a secure tunnel back to managed infrastructure may be the only requirement; a Virtual Private Network (VPN) can be used in this scenario.
For users on an unmanaged device that cannot be secured with the same methods as a workplace-managed device, a remote session to a secured workplace desktop using Virtual Desktop Infrastructure (VDI) lets the user securely access on-premises applications and resources from a home desktop or a mobile workstation on the go, while the data itself stays inside the workplace environment.
How Am I Able To Support The Volume Of Remote Access Traffic?
For organisations that do not run a mobile-first workforce, a remote access solution may already exist but not be sized for concurrent access by all users. Rather than simply adding resources to existing infrastructure, map user requirements to resources and find secure alternatives to a traditional remote access solution where possible.
Determine whether all users require full access to company resources to remain productive; not all users will need a VPN or virtual desktop for business-as-usual work. For those who do require direct remote access to company resources, determine peak traffic times during the day and implement scalable infrastructure as required.
For cloud-hosted applications, allowing users to reach them directly over the internet, rather than hairpinning that traffic through the corporate network, reduces the load on your on-premises remote access infrastructure. Consider fronting such applications with an application gateway that implements a web application firewall (WAF) for external access.