New WFH Workforce protections

02/12/2021 12:20 PM By Chuck F

Tech and Techniques to Protect the New WFH Workforce

Even if the pandemic ends tomorrow, everything has changed. It’s time to revisit, rethink, and revise. A look at a few technologies to better secure systems, data, and a permanent home-based/hybrid workforce.

Remote work has evolved into a permanent fixture and must be included in long-term planning. This introduces more risks around access as employees connect in new ways.

There may be some light at the end of this pandemic tunnel… oh wait, no. That’s just a guy on a bicycle with a flashlight coming this way to tell us it ain’t over yet. Never mind. Still, it is clear that many companies will never go back to demanding employees come to the office once this thing is finally over. The thought of not coming back to the office at all has crossed the minds of some owners, founders, and executives, leaving the open question: “do we still need to pay all that money for all that space?”

We can no longer assume the current environment is temporary and we must start planning and investing accordingly. The systems and tools that once supported the occasional road-warrior workforce and coincidentally served companies so well during the initial season of COVID now need to be revisited, rethought, and revised. 

The glorious benefits of being able to work from anywhere have been in the vernacular of tech company sales teams for ages now. I remember, just a few years ago, being required to chant “anytime, anywhere, any device” in every sales meeting I had back when I was peddling phone systems, even if it was just for a 50-site gas station franchise. 

Once relegated to traveling executives and sales teams, now the anytime, anywhere, any device mantra is the prevailing, and often only, option for many people. But enterprise tech needs to go much further than a decent cloud phone system and a VPN connection if companies want to pivot and make real and lasting changes.

Digital transformation is the promise of fundamentally changing how businesses operate and deliver value to customers by integrating “digital” into all areas of the business. It is no longer a distant pipe dream to keep pushing to the back burner. It is real, it is important, and it is necessary for change. Of the many categories, parts, and tactics to an overall digital transformation strategy, a solid security foundation might be the most important and therefore the best place to start. 

Those systems and tools that once served so well in the beginning of the pandemic now need closer inspection. Creating an extended and enhanced secure foundation is critical. One that is nimble and flexible, able to support the “new normal” hybrid/remote workforce, able to provide access to all the company’s workflows, and enhance collaboration for dispersed teams.

The following sections are elements and excerpts from the article “6 top security technologies to protect remote workers” from our friends at www.CSOonline.com and written by Peter Wayner, Contributing Editor. We’ve embellished, elaborated, added, and removed some to fit here better. They illustrate a few basic security tools and technologies to support the new age of full-time and hybrid remote workers.

Multi-factor authentication (MFA)

One of the first challenges is identifying the users. The old-fashioned password may have been sufficient within the confines of a trusted office, but adding a layer of assurance is better. The simplest solution is to require a second factor tied to something the employee has, such as their mobile phone. Service providers like 8x8, GoTo, Vonage, Ooma, and RingCentral offer a wide range of communications channels including business SMS text messaging, so a one-time code over SMS is easy to bolt on. Treat it as the floor rather than the target: SMS codes can be intercepted or redirected through SIM-swap fraud, which is why NIST SP 800-63B lists SMS as a restricted authenticator. It is still far better than a password alone.

More sophisticated solutions use apps running locally on the mobile device that generate time-based one-time passwords (TOTP, RFC 6238). Tools like Google Authenticator, Duo Mobile, FreeOTP, and LinOTP store a shared secret when the user first enrolls them and then derive a fresh six-digit code from that secret and the current time each time the user wants to log in. Because the server holds the same secret, protect it as you would a password database, and remember that a code typed into a convincing phishing page still works for whoever relays it within the 30-second window.

For the hyper-secure, there is increased interest in dedicated hardware tokens that perform the cryptographic operations inside a purpose-built piece of hardware. Tools like the RSA SecurID, YubiKey, or OnlyKey keep the secret out of reach of malware that has compromised the desktop or mobile operating system, and the FIDO2/WebAuthn mode of the latter two binds each login to the site’s origin, which stops the relay-style phishing that still works against one-time codes. They offer increased security but at the cost of requiring users to juggle one more device.

Identity and access management

The tools for multi-factor authentication (MFA) need to work closely with enterprise applications, and this is a challenge for in-house developers who will need to adjust the local codebase. Some teams are turning to identity and access management (IAM) services, often referred to as Identity as a Service (IDaaS), which are designed to be integrated into any codebase through standard protocols such as OpenID Connect and SAML. Software from companies like Auth0 or Okta handles identity and access management with vetted, maintained implementations, allowing the in-house developers to concentrate on the business logic.

Auth0, for instance, offers a collection of quick-start examples that let a developer cut and paste a few lines of code and secure everything inside the application. The code from Auth0 adds a login dialog box and then the Auth0 servers check the password and enforce any stronger rules like a requirement for two-factor authentication. If you need to trigger a mobile app or send an SMS, Auth0’s servers do the work. When it is satisfied, it passes control back to your application.

Okta offers a similar set of services and likes to call its approach an “identity engine” for testing anyone who wants access. It rolls together a collection of authentication and management tools into a flexible pipeline that simplifies creating accounts and granting the owners correct access. The steps can be configured to include a variety of options like tracking the user’s specific laptop or phone to reduce the focus on the password alone.

The companies also simplify the work of juggling all the accounts by providing a dashboard for tracking users, adding new accounts and adjusting access roles. The developer can add a sophisticated layer that organizes both identity and authentication with the pre-tested code. 

Zero Trust Network Access (ZTNA)

If you use a virtual private network (VPN), you already know that you must be able to trust the endpoint. Keep in mind that just because the company bought the asset three years ago doesn’t necessarily mean that it is still a trusted endpoint.

While still widely used, VPN leaves much to be desired and is beginning to show its age. It is not the best model for a world where there are no clear lines marking where the office begins and ends: once the tunnel is up, the client is typically on the inside with broad network reach. Growing in popularity as an alternative, some organizations are adopting a zero-trust model, which assumes that every employee is logging in from a dangerous place, say a coffee shop whose WiFi is compromised by an evil hacker collective. ZTNA assumes that all packets are flowing through enemy territory, and grants access per application and per request on the strength of the user’s identity and the device’s health rather than on the network they arrive from. 

This wary attitude is not just for bits and bytes traveling over the network. Many inward-facing applications are constructed with the assumption that they will live in a secure network because some firewall or other tool has filtered out dangerous packets. The old paradigm of a strong perimeter made it possible for application developers to ignore security concerns.

Moving to zero trust means shifting attitudes. Todd Thiemann, vice president of marketing at threat intelligence firm HYAS, says, “The perimeter is thoroughly dead. If you are relying on gateway security, you are not watching all the traffic flowing in and out of the work-from-home [and other remote] endpoints.”

Secure Access Service Edge (SASE)

Another way to rework existing applications for staff on the open internet is to add a gatekeeper where users and their requests for data are stopped and checked for correct identity and access. One growing architectural model for this kind of smart, pan-enterprise filter is what some vendors call “Secure Access Service Edge” or SASE (pronounced “sassy”). This gatekeeper is much smarter than a typical port-and-protocol firewall: it performs application-layer inspection, looking at the identity, device, and content behind each request, and makes decisions based upon those values. SASE aims to replace the outdated idea of a site-centric network with a user-centric approach. 

This new layer can be added to protect any of the various cloud and web services including many that might even be hosted outside the company. The user’s computer talks only to the SASE gatekeeper and the other services only answer to requests that have been checked by the SASE gatekeeper.

Solutions from companies like Cato Networks, CloudGenix (now part of Palo Alto Networks), Open Systems, and others not only combine the benefits of SD-WAN and next-generation firewall technologies but also track users over time and make decisions about access to all services even if they aren’t hosted in the same location or the same cloud.

Software-Defined Perimeter (SDP)

If it isn’t evident by now, allow me to reiterate: networks operate far differently than in the past, and especially so these days. Considering the dramatic increase in, and changing patterns of, traffic both internal and external, the traditional “fixed” perimeter is severely limited. That perimeter simply deemed the internal network trustworthy and the external network hostile, and visibility and accessibility were the basis of the whole approach. 

SDP is an extension of an overall zero-trust methodology and effectively creates a new, flexible network perimeter. Rather than a fixed, static perimeter, SDP deploys multiple dynamic perimeters to account for cloud, multi-cloud, hybrid, and on-premises environments, and it relies heavily on two things: authentication and authorization. Services behind an SDP controller are not reachable, or even visible, until the user and device have been verified. SDP can also be especially useful for the dynamic access required by today’s (and tomorrow’s) mostly permanent remote workforce.
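The ZTNA and SDP sections above describe the same decision from two angles: every request is evaluated on who is asking and from what kind of device, never on which network it arrived from, and anything not explicitly granted stays invisible. The following is an added illustration of that decision written as policy code; it is not from the article or from any vendor it names, and the resource catalogue, group names, 30-day patch threshold and the `AccessRequest` fields are assumptions chosen for the example.

```python
"""Per-request access decision in the zero-trust / software-defined-perimeter style.
Added example for this page. The catalogue, thresholds and field names are assumptions."""
from dataclasses import dataclass


@dataclass
class AccessRequest:
    user: str
    groups: frozenset
    mfa_verified: bool     # did this session complete a second factor?
    device_managed: bool   # enrolled in MDM; posture reported by the endpoint agent
    disk_encrypted: bool
    patch_age_days: int    # days since the endpoint last applied patches
    source_ip: str         # kept for the audit log, deliberately not a trust input
    resource: str


# Assumed catalogue: each service carries a sensitivity tier and the group it belongs to.
# Anything not listed is not advertised at all, the SDP "deny by default" posture.
RESOURCES = {
    "wiki":    {"tier": "low",    "group": "staff"},
    "git":     {"tier": "medium", "group": "engineering"},
    "payroll": {"tier": "high",   "group": "finance"},
}
MAX_PATCH_AGE_DAYS = 30  # assumption for the example


def decide(req: AccessRequest) -> tuple[str, list[str]]:
    """Return ('allow' | 'step_up' | 'deny', reasons).

    Authorization and device posture are checked on every request; a request
    from the office LAN gets exactly the same checks as one from a coffee shop.
    """
    res = RESOURCES.get(req.resource)
    if res is None:
        return "deny", ["unknown resource (not advertised)"]
    reasons = []
    if res["group"] not in req.groups:
        reasons.append(f"{req.user} is not in group {res['group']}")
    if res["tier"] != "low":
        # Anything above the lowest tier requires a healthy, managed endpoint.
        if not req.device_managed:
            reasons.append("unmanaged device")
        if not req.disk_encrypted:
            reasons.append("disk not encrypted")
        if req.patch_age_days > MAX_PATCH_AGE_DAYS:
            reasons.append(f"{req.patch_age_days} days behind on patches")
    if reasons:
        return "deny", reasons
    if not req.mfa_verified:
        # Right person, acceptable device: ask for the second factor instead of refusing.
        return "step_up", ["second factor required"]
    return "allow", []


def audit_line(req: AccessRequest, verdict: str, reasons: list[str]) -> str:
    """One log line per decision; the source IP is recorded but never trusted."""
    why = ";".join(reasons) or "-"
    return f"{verdict.upper():7} user={req.user} resource={req.resource} ip={req.source_ip} reasons={why}"


# Constructed sample requests (RFC 5737 documentation addresses).
SAMPLES = [
    AccessRequest("alice", frozenset({"staff", "finance"}), True, True, True, 3, "203.0.113.7", "payroll"),
    AccessRequest("alice", frozenset({"staff", "finance"}), False, True, True, 3, "203.0.113.7", "payroll"),
    AccessRequest("alice", frozenset({"staff", "finance"}), True, False, True, 3, "10.0.0.5", "payroll"),
    AccessRequest("bob", frozenset({"staff", "engineering"}), True, True, True, 2, "198.51.100.9", "payroll"),
    AccessRequest("bob", frozenset({"staff", "engineering"}), True, False, False, 90, "198.51.100.9", "wiki"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(audit_line(r, *decide(r)))
```

The third sample is the one worth staring at: Alice is in the right group, has done MFA, and is coming from an office address, yet the request is denied because the device is unmanaged. Under the old perimeter that source address would have been the whole check.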

Cloud applications and storage

Employees’ remote computers can’t become regular storage locations for sensitive documents and data. Employees should not be able to work with sensitive information on unencrypted thumb drives or other hardware and leave the data in locations where thieves could prey upon it. Ransomware continues to be a serious threat for destroying remote data, and a laptop holding the only copy of a file is one bad click away from losing it.

Many companies are shifting to web-based office tools like Google Workspace (formerly G Suite) or Microsoft 365 (Teams, OneDrive, SharePoint) where cloud storage with encryption at rest is standard. These platforms are very flexible, perfect for dispersed teams, and relatively easy to deploy to a large workforce, but the security details are still not completely understood. While the major companies employ large security teams, the model of shipping code to people’s browsers is still evolving. Google, for example, suffered an embarrassing leak of private documents, and Microsoft has had its share of awkward moments and outages. 

On the other hand, from a security perspective, these two giants have cleared several strict Federal cloud security programs like FedRAMP. FedRAMP’s mission is to “promote the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessment.” Ultra-security-conscious agencies and contractors often rely on FedRAMP-authorized vendors and service providers because of the strict minimum standards required. Note that an authorization covers specific service offerings at a given impact level, not everything a vendor sells. 

TLS certificates

When employees log in remotely, they should use encrypted connections. Make sure websites have valid, current TLS certificates and that the sites use HTTPS for all communications, with plain HTTP redirected and HSTS enabled so browsers never fall back. Installing certificates to enable encrypted web connections couldn’t be easier thanks to projects like Let’s Encrypt, whose 90-day certificates push you toward automated renewal, which is exactly what you want. Certificates offering more elaborate guarantees such as organization validation (OV) or extended validation (EV) are available from other certificate authorities like DigiCert, GeoTrust (a DigiCert brand), and Sectigo (formerly Comodo CA). Many cloud providers and colocation services will resell certificates. Whoever issues them, monitor expiry: to a user, an expired certificate on the login portal looks the same as an attack, and teaching people to click through the warning undoes the whole point.
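As an added example, not from the article, here is the kind of check a practitioner would schedule against the portals remote staff log in to: it takes a certificate in the shape Python’s `ssl` module returns it, reports how many days remain before expiry, and confirms that the name staff actually type appears in the certificate’s subjectAltName. `SAMPLE_CERT`, the host names and the 14-day warning threshold are constructed for the example; pass a real host name on the command line to run the live check instead.

```python
"""Certificate expiry and name check for the HTTPS endpoints remote staff use.
Added example for this page; standard library only."""
import socket
import ssl
import time

WARN_DAYS = 14  # assumption: warn when two weeks or less remain


def cert_time(s: str) -> float:
    """Parse the 'notAfter'/'notBefore' format getpeercert() uses, e.g. 'Jun  1 12:00:00 2025 GMT'."""
    return ssl.cert_time_to_seconds(s)


def days_until_expiry(not_after: str, now: float) -> int:
    """Whole days between `now` and the certificate's notAfter (negative once expired)."""
    return int((cert_time(not_after) - now) // 86400)


def san_covers(hostname: str, sans) -> bool:
    """Match hostname against the DNS entries of subjectAltName.
    Only a single leftmost-label wildcard is honoured, the rule browsers apply."""
    host = hostname.lower().rstrip(".")
    for kind, value in sans:
        if kind != "DNS":
            continue
        pat = value.lower()
        if pat == host:
            return True
        if (pat.startswith("*.") and host.count(".") == pat.count(".")
                and host.endswith(pat[1:])):
            return True
    return False


def assess(cert: dict, hostname: str, now: float) -> list[str]:
    """Return findings for the certificate; an empty list means it passes."""
    findings = []
    days = days_until_expiry(cert["notAfter"], now)
    if days < 0:
        findings.append(f"EXPIRED {-days} days ago")
    elif days <= WARN_DAYS:
        findings.append(f"expires in {days} days")
    if not san_covers(hostname, cert.get("subjectAltName", ())):
        findings.append(f"no SAN matches {hostname}")
    return findings


def fetch_cert(hostname: str, port: int = 443) -> dict:
    """Live check. The default context already verifies the chain and the
    hostname, so an untrusted or mismatched certificate raises before we look."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


# Constructed sample in the getpeercert() shape so the check runs offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "portal.example.com"),),),
    "notAfter": "Mar 15 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "portal.example.com"), ("DNS", "*.vpn.example.com")),
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "portal.example.com"
    cert = fetch_cert(host) if len(sys.argv) > 1 else SAMPLE_CERT
    print(host, assess(cert, host, time.time()) or ["OK"])
```

Run it from cron against each login hostname and page on any non-empty result; the wildcard rule matters because a certificate for `*.vpn.example.com` does not cover `vpn.example.com` itself or anything two labels deep.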

Review assumptions about remote security

Some of the most important steps are not technical; they’re emotional and personal. “Everybody went home very rapidly and now I think we’re in an era where we have to formalize procedures,” says Greg Conti, a co-founder of cybersecurity research firm Kopidion. “We can’t assume it’s temporary, then we need to develop policies for the long haul.” 

One important premise behind digital transformation is user and customer accessibility. The best foundation for digital transformation is “distributed” security, and the best strategy for security is a layered approach. Combining a few, or in some cases all, of the technologies and techniques here may be the right approach for your organization; ZTNA and SDP, for example, work well together when done right. In many instances these technologies can completely replace existing legacy solutions and methodologies. Take care, though, that things don’t get unnecessarily complicated and undermine the goals and objectives. 

Everyone should pause and revisit all decisions made in haste. The pandemic forced everyone to act quickly and in some cases rashly. It’s no longer a matter of holding on until this thing is over. Even if it all ends tomorrow, it has changed everything, and those changes aren’t going away.

Cloud 9 Advisers helps business leaders and understaffed IT teams that need a strategic partner, not just another vendor. We help you buy the right technology solutions and not “get sold” on the wrong ones. We work with you to rationalize and reduce technology spending without sacrificing technology by employing sound digital transformation principles and strategies.

We do not sell solutions, we help you buy solutions. We are not a vendor, we help you find the right vendors. We facilitate decisions by diagnosing the problems and pains you’re currently facing then prescribing the right procedures and “medication”. 

We are impartial, unbiased, and vendor-neutral experts in Cybersecurity, Communications, Connectivity, and Cloud technologies and solutions. Our proprietary software contains decades of data and analytics on all of the 250+ vendors in our Supplier Portfolio. We will quickly discover, refine, then match your requirements with the vendors’ capabilities; eliminating months of research trying to do it on your own. 

Contact us and book an appointment today to learn more