By Greg Kent
Many organizations rely on control points architected into their on-premises infrastructure to enforce security policy. When employees work from home, their laptops may never touch the corporate network, so those on-prem controls are simply bypassed. Consider, for example, an organization that restricts which websites employee laptops can reach by routing all outbound web traffic through a web proxy hosted in the corporate data center. An employee working from home reaches the Internet directly. That traffic never passes through the proxy, so the employee can browse any site and download any content, which is likely an unacceptable risk to the corporate laptop and to any data stored on it. Organizations whose controls are tied to corporate infrastructure have options for addressing this problem. Below are three popular choices that offer varying degrees of policy enforcement and risk management.
Endpoint Firewall Policies
Install an endpoint firewall policy that severely restricts network traffic whenever the laptop is connected to any network other than the corporate network, such that only the corporate VPN gateway (plus the DHCP and DNS traffic needed to reach it) is accessible. By closing off direct Internet access, a restrictive firewall policy forces users onto the corporate VPN whenever they need the Internet. Once on the VPN, employee laptops are again behind the corporate infrastructure that enforces controls and mitigates risk. Two caveats: this only works with a full-tunnel VPN, since a split-tunnel configuration sends Internet traffic directly and bypasses the proxy all over again; and a default-deny outbound policy still honors any pre-existing allow rules, so those should be audited as part of the rollout.
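The following is an added example, not configuration from the original post, showing how such a policy can be expressed with the Windows Defender Firewall cmdlets on a domain-joined laptop. Windows places the corporate LAN in the Domain profile and every other network in Private or Public, so the lockdown is applied to those two profiles only. The gateway address, port, and VPN interface alias are placeholder assumptions; a real deployment would push the equivalent rules through Group Policy or the endpoint management tool rather than run this by hand.

```powershell
# Added example (not from the original post): lock down the Private and Public firewall
# profiles so that only the corporate VPN is reachable from non-corporate networks.
# The values below are assumptions for illustration, not real infrastructure.
$VpnGateway    = '203.0.113.10'     # assumption: public IP of the VPN concentrator (documentation range)
$VpnPort       = 443                # assumption: SSL VPN on TCP/443; IPsec would need UDP 500 and 4500 instead
$VpnInterface  = 'Corporate VPN'    # assumption: InterfaceAlias of the VPN client's virtual adapter

# 1. Default-deny outbound on the non-domain profiles only. The Domain profile is untouched,
#    so behaviour on the corporate LAN does not change.
Set-NetFirewallProfile -Profile Private,Public -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Allow just enough to get onto the VPN: DHCP to obtain an address, DNS to resolve the
#    gateway name, then the tunnel itself.
New-NetFirewallRule -DisplayName 'Remote: DHCP client' -Direction Outbound -Profile Private,Public `
    -Protocol UDP -LocalPort 68 -RemotePort 67 -Action Allow
New-NetFirewallRule -DisplayName 'Remote: DNS' -Direction Outbound -Profile Private,Public `
    -Protocol UDP -RemotePort 53 -Action Allow
New-NetFirewallRule -DisplayName 'Remote: VPN gateway' -Direction Outbound -Profile Private,Public `
    -Protocol TCP -RemoteAddress $VpnGateway -RemotePort $VpnPort -Action Allow

# 3. Traffic inside the tunnel must not be caught by the same default-deny. On a domain-joined
#    laptop the VPN adapter usually lands in the Domain profile once a domain controller is
#    reachable; this rule covers the case where it is classified as Private/Public instead.
New-NetFirewallRule -DisplayName 'Remote: allow all via VPN adapter' -Direction Outbound `
    -Profile Private,Public -InterfaceAlias $VpnInterface -Action Allow

# 4. Audit: a Block default still honours every enabled outbound Allow rule that already
#    exists (Windows ships with several), so review them before declaring the policy closed.
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Select-Object DisplayName, Profile, Group |
    Sort-Object DisplayName
```

The DNS rule is the weak point of this policy: it permits UDP/53 to any resolver, which is enough for DNS tunnelling. If the VPN client can be configured with a fixed gateway IP, drop the DNS rule entirely; otherwise pin `-RemoteAddress` to the resolvers the client is expected to use and accept the residual risk. Expect captive portals in hotels and airports to stop working, and plan a documented exception process for them.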
Security Control Points
Re-architect controls so that laptops can reach the control points from the Internet. There are many variations. Some changes are rather simple, such as reconfiguring laptops to pull updates (Windows patches, malware signature updates, and so on) directly from the vendor rather than from an internal distribution server. Alternatively, organizations can relocate the servers that host security services to the DMZ so they are reachable from the Internet; any service exposed this way needs strong authentication, hardening, and monitoring, since it has just become Internet-facing attack surface. Or, organizations can adopt cloud-based security-as-a-service offerings such as Zscaler, which provide universally accessible security services to corporate endpoints through an agent on the laptop. That agent is then the control point, so it should be protected against being disabled or uninstalled by the user.
Virtual Desktop Infrastructure
Virtual desktop infrastructure (VDI) is another option for remote workers. With VDI, the user's entire desktop runs on a central server and is delivered to the end user over the network. Because VDI eliminates much of the complexity of managing remote workstations, it may be an ideal solution for many remote-work use cases. One important question is the degree to which local resources, including the clipboard, hard drive, and USB devices, are accessible from the virtual desktop. This is generally highly configurable: access can be granted to a specified folder instead of all drives, or to particular USB devices rather than all of them. Access to local resources presents two kinds of risk: data exfiltration, in which sensitive data is copied out of the secured VDI environment onto a potentially insecure home computer or USB device, and malware ingress, in which malicious files from an insecure home computer or USB device are copied into the secured VDI environment. For usability reasons, organizations may historically have allowed some access to local resources. Now that VDI is being used far more extensively, and from unmanaged home machines, it may be appropriate to tighten those restrictions.
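As an added example, not part of the original post, the block below tightens local-resource redirection on a Windows Remote Desktop Services session host or VDI image by setting the "Device and Resource Redirection" policy values directly in the registry. It assumes RDP is the delivery protocol; Citrix, VMware Horizon and other brokers expose the same categories under their own policy names. In production these settings would normally be delivered by Group Policy rather than scripted on each image.

```powershell
# Added example (not from the original post): disable clipboard, drive, USB, port and printer
# redirection between the client device and the virtual desktop. A value of 1 disables the
# redirection named in the comment. Run on the session host / VDI image with admin rights.
$TsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $TsPolicy -Force | Out-Null

$Redirection = [ordered]@{
    fDisableClip     = 1   # "Do not allow Clipboard redirection"  -> no copy/paste in either direction
    fDisableCdm      = 1   # "Do not allow drive redirection"      -> local disks and USB storage not mapped
    fDisablePNPRedir = 1   # "Do not allow supported Plug and Play device redirection"
    fDisableCcm      = 1   # "Do not allow COM port redirection"
    fDisableLPT      = 1   # "Do not allow LPT port redirection"
    fDisableCpm      = 1   # "Do not allow client printer redirection" -> closes print-to-file exfil path
}

foreach ($name in $Redirection.Keys) {
    Set-ItemProperty -Path $TsPolicy -Name $name -Value $Redirection[$name] -Type DWord
}

# Verify the result on the host. New sessions pick the values up; existing sessions must reconnect.
Get-ItemProperty -Path $TsPolicy |
    Select-Object fDisableClip, fDisableCdm, fDisablePNPRedir, fDisableCcm, fDisableLPT, fDisableCpm
```

These RDS settings are all-or-nothing per category: drive redirection is either on or off for every client drive. The finer controls the text mentions, such as exposing one folder or one approved USB device, or allowing clipboard traffic in only one direction, live in the broker's own policy layer. Start from everything disabled and re-enable a specific channel only where a documented business need exists, logging which sessions use it.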
SecureIT performs security assessments and provides expert advisory so you can manage risk in a practical and efficient manner. Next month, we'll have a follow-up blog where we will offer tips for remote access security configuration. In the meantime, if you are planning enhancements to improve remote work options for your enterprise but want to do so with security as a priority, please contact us. We'd love to learn more about your situation and share our thoughts on a path forward.