In "The Business Continuity Shift: Ensuring Telework Security" we explained that, at the beginning of the COVID-19 crisis, many organizations were scrambling to get the infrastructure in place to support a fully remote workforce. At the time, telework security took second place to the ability to continue business operations.

Next, we explored "The Importance of Identity Management and Governance for Telework Security" to explain how to secure remote employees' access to sensitive data.

Now, as organizations grow accustomed to supporting employees working remotely - and many consider permanently adopting this model - it is necessary to consider the security implications and privacy concerns of remote work.

Information security teams should now assess their remote workforce security by asking themselves the question, “Beyond a virtual private network (VPN), what additional security tools, processes, and procedures do we need for a secure remote workforce?”.

Implementing Risk-Based Security Controls

An organization can take a number of different approaches to remote workforce security. At one extreme, companies can allow teleworkers to operate with only a company-owned VPN for security. On the other, companies may decide to deploy cybersecurity appliances (such as routers and firewalls) in employees’ home offices.

The choice of approach to follow should be based upon a company’s cyber risk tolerance. Determining your risk tolerance is one of the foundations of risk management and all organizations should have a clear understanding of their appetite for various types of risk.

An organization with high-risk tolerance may accept the potential that types of a cybersecurity incident may occur along with its associated consequences and therefore tends to invest less in cybersecurity. Companies with medium or no risk tolerance, on the other hand, must deploy additional cybersecurity solutions to mitigate some of their cyber risks.

Risk tolerance should also be determined against the various types of risk the organization could face. For example, an organization like Wikipedia - whose business is to host a website that does not serve, store or process sensitive information - may have a higher tolerance to risks affecting confidentiality, than it does to risks affecting the availability of the platform.

Understanding this helps an organization make strategic decisions on investments into remote workforce security controls and countermeasures.

High-Risk Tolerance

Organizations with a high-risk tolerance, those that do not process highly sensitive or protected data, tend to focus on ensuring the productivity of their remote workforce, however, minimum security standards should still be defined and enforced. A telework security policy, mandating basic security controls that should be in place, is required even for those organizations that can accept higher levels of risk. Whenever an organization decides to accept a certain category of risk, it should also deploy compensating controls to help minimize the potential of exposure to that risk.

An organization in this category may view the risks associated with bring-your-own-device (BYOD) as acceptable given the investment that would be required to deploy corporate-owned devices to all employees.   In these cases, the organization’s BYOD policy should mandate the compensating controls required to safely operate in a BYOD environment.   

Common compensating controls include ant-virus software, automatic updates, the use of VPNs, and host-based firewalls. On the server-side, organizations can likely make heavy use of cloud-based SaaS offerings for daily business practices, and secure data and workflows using the tools the cloud service provider (CSP) provides.

Highly risk-tolerant organizations may also consider using a split-tunnel VPN for teleworkers. With split-tunneling, any traffic bound for the public Internet goes there directly, rather than passing through the enterprise network for security screening. This model sacrifices visibility into how the users are interacting with the Internet for greater scalability and usability of the corporate VPN infrastructure.

Privacy is always a concern, and even more so when allowing teleworkers to work from personal devices. On these devices, business and personal data are intermingled, and devices may be used for multiple purposes and by non-employees. This increases the probability that business data will be accessed by unauthorized parties or that an employee’s personal data will be inappropriately monitored by the organization.

Organizations who may be tolerant to the risk of a potential disruption in service may be much less tolerant of a compromise affecting personally identifiable information (PII).

In all cases, when an organization deploys a network or security monitoring technology or service, it is important to include in policy and employee handbooks the explicit consent to monitor, which the organization should ensure all users read and acknowledge.

Related Reading: The Business Continuity Shift: Ensuring Telework Security

Medium Risk Tolerance

Some organizations may have a medium risk tolerance to the risks associated with employees working from home. Their employees may process some sensitive information, but it is unnecessary or infeasible to invest the resources required to implement controls that reduce risk to zero. Similar to a high tolerance organization, they must define a minimum security standard alongside compensating controls that reduce risk to an acceptable level.

An organization with medium risk tolerance requires more control over the devices that employees are using when working remotely than BYOD can reasonably provide. Employees should be using only company-owned devices for work, which are running the corporate antivirus solution and are compliant with corporate configuration, patch management, and security monitoring policies.

The company should also exercise more control at the network level, with company policy regarding how home networks should be configured and secured. This includes strong wireless network encryption and password policy. This must be communicated to the employees and should require their acknowledgment.   It is difficult to monitor and enforce these controls which the employee must implement themselves, but they still should be explicitly spelled out in the policy.

While split-tunnel VPN support may be acceptable in some cases, the use of full-tunnel VPNs and zero-trust networking (ZTN) is advisable. Under a zero-trust model, access to corporate data and resources is only provided when a user’s identity can be authenticated through multi-dimensional analytics.   Once authenticated, access is dynamically provisioned to needed resources, reinforcing the critical access control concepts of least privilege and need-to-know.

Implementing zero-trust networking requires a re-think of the organization’s IAM program from end to end, including network segmentation.   In some cases, modifications to the corporate infrastructure may be required, however, certain ZTN technology approaches are surprisingly lightweight in terms of impact on the existing architecture. Regardless, the company must have a strong authentication solution, using multi-factor authentication, and the ability to enforce access controls throughout the network. This includes both on-premises servers and any SaaS infrastructure the organization uses.

The use of company-owned devices and a zero-trust network infrastructure also provide privacy benefits to an organization. Company policy can define acceptable levels of personal use of businesses devices and require employees to acknowledge and consent to the fact that all use of a device will be monitored by the organization. With zero-trust networking, an organization can also put policies in place that limit the accidental collection of protected information, such as forgoing deep packet inspection of traffic bound for whitelisted personal domains (such as banks or healthcare organizations).

Related Reading: The Importance of Identity Management and Governance for Telework Security

No-Risk Tolerance

While it is impossible to eliminate cyber risk, organizations with no or extremely low tolerance to a given risk attempt to remove as much potential risk as possible. To accomplish this feat, the organization must bring the infrastructure and all endpoints teleworkers use under the oversight and control of the organization.

Instead of permitting employees to configure and use their own home networks for business purposes, these organizations may actually consider deploying centrally-managed network gear like approved wireless access points and/or firewalls to its employees. This enables the enforcement of strict network security controls, including the use of full-tunnel VPN or ZTN for network security.

At the corporate end, an organization like this may view the usage of SaaS-based cloud offerings, and the inherent loss of control associated thereto, as a higher risk than they can accept, and maybe mostly or wholly using on-site servers for sensitive data storage and processing. Access to these devices should be controlled based upon a zero-trust access model to minimize the probability and potential impact of a data breach.

With a security policy based upon zero risk tolerance, an organization achieves the highest level of personal and business privacy but invests the most in doing so. Since the organization has complete control over employees’ devices and the networks that are used for telework, it can put in place policies that limit the potential for accidental disclosure of sensitive information.

Supporting Secure Telework

When designing and implementing security controls for teleworkers, a number of considerations exist, and should always start from a clear understanding of an organization's risks. In some cases, an organization may decide to classify and secure employees at different levels - based on job duties - rather than taking a “one size fits all” approach.

In general, less risk-tolerant security strategies, which separate personal and business use of devices and networks, are more effective at protecting employee and company privacy. These approaches also improve a company’s security posture and limit the potential of a data breach or regulatory non-compliance by a teleworker.

Check out our webinar-on-demand, “Key Shifts in Identity Management and Governance”, to learn more about identity management and governance for telework security so you can Show No Weakness.

Paul Caiazzo, Senior VP of Security and Compliance

Paul brings his wealth of cybersecurity experience to guide Avertium customers through challenging security problems while keeping business goals and objectives at the forefront. His primary focus is on business development, partner and client engagement, and other strategic initiatives.