In “The Business Continuity Shift: Ensuring Telework Security” we explained that, at the beginning of the COVID-19 crisis, many organizations were scrambling to get the infrastructure in place to support a fully remote workforce. At the time, telework security took second place to the ability to continue business operations.
Next, we explored “The Importance of Identity Management and Governance for Telework Security” to explain how to secure remote employees’ access to sensitive data.
Now, as organizations grow accustomed to supporting employees working remotely – and many consider permanently adopting this model – it is necessary to consider the security implications and privacy concerns of remote work.
Information security teams should now assess their remote workforce security by asking themselves the question, “Beyond a virtual private network (VPN), what additional security tools, processes, and procedures do we need for a secure remote workforce?”.
Implementing Risk-Based Security Controls
An organization can take a number of different approaches to remote workforce security. At one extreme, companies can allow teleworkers to operate with only a company-owned VPN for security. At the other, companies may decide to deploy cybersecurity appliances (such as routers and firewalls) in employees’ home offices.
The choice of approach to follow should be based upon a company’s cyber risk tolerance. Determining your risk tolerance is one of the foundations of risk management and all organizations should have a clear understanding of their appetite for various types of risk.
An organization with high risk tolerance may accept the potential that types of cybersecurity incident may occur along with its associated consequences, and therefore tends to invest less in cybersecurity. Companies with medium or no risk tolerance, on the other hand, must deploy additional cybersecurity solutions to mitigate some of its cyber risk.
Risk tolerance should also be determined against the various types of risk the organization could face. For example, an organization like Wikipedia – whose business is to host a website which does not serve, store or process sensitive information – may have a higher tolerance to risks affecting confidentiality, than it does to risks affecting availability of the platform.
Understanding this helps an organization make strategic decisions on investments into remote workforce security controls and countermeasures.
High Risk Tolerance
Organizations with a high risk tolerance, those that do not process highly sensitive or protected data, tend to focus on ensuring the productivity of their remote workforce, however minimum security standards should still be defined and enforced. A telework security policy, mandating basic security controls that should be in place, is required even for those organizations who can accept higher levels of risk. Whenever an organization decides to accept a certain category of risk, they should also deploy compensating controls to help minimize the potential of exposure to that risk.
An organization in this category may view the risks associated with bring-your-own-device (BYOD) as acceptable given the investment that would be required to deploy corporate-owned devices to all employees.
Common compensating controls include ant-virus software, automatic updates, the use of VPNs, and host-based firewalls. On the server side, organizations can likely make heavy use of cloud-based SaaS offerings for daily business practices, and secure data and workflows using the tools the cloud service provider (CSP) provides.
Highly risk-tolerant organizations may also consider using a split-tunnel VPN for teleworkers. With split-tunneling, any traffic bound for the public Internet goes there directly, rather than passing through the enterprise network for security screening. This model sacrifices visibility into how the users are interacting with the Internet for greater scalability and usability of the corporate VPN infrastructure.
Privacy is always a concern, and even more so when allowing teleworkers to work from personal devices. On these devices, business and personal data is intermingled, and devices may be used for multiple purposes and by non-employees. This increases the probability that business data will be accessed by unauthorized parties or that an employee’s personal data will be inappropriately monitored by the organization.
Organizations who may be tolerant to risk of a potential disruption in service may be much less tolerant of a compromise affecting personally identifiable information (PII).
In all cases, when an organization deploys a network or security monitoring technology or service, it is important to include in policy and employee handbooks the explicit consent to monitor, which the organization should ensure all users read and acknowledge.
Related Reading: The Business Continuity Shift: Ensuring Telework Security
Medium Risk Tolerance
Some organizations may have a medium risk tolerance to the risks associated with employees working from home. Their employees may process some sensitive information, but it is unnecessary or infeasible to invest the resources required to implement controls which reduce risk to zero. Similarly to a high tolerance organization, they must define a minimum security standard alongside compensating controls which reduce risk to an acceptable level.
An organization with medium risk tolerance requires more control over the devices that employees are using when working remotely than BYOD can reasonably provide. Employees should be using only company-owned devices for work, which are running the corporate antivirus solution and are compliant with corporate configuration, patch management, and security monitoring policies.
The company should also exercise more control at the network level, with company policy regarding how home networks should be configured and secured. This includes a strong wireless network encryption and password policy. This must be communicated to the employees and should require their acknowledgement.
While split-tunnel VPN support may be acceptable in some cases, the use of full-tunnel VPNs and zero-trust networking (ZTN) is advisable. Under a zero-trust model, access to corporate data and resources is only provided when a user’s identity can be authenticated through multi-dimensional analytics.
Implementing zero-trust networking requires a re-think of the organization’s IAM program from end to end, including network segmentation.
The use of company-owned devices and a zero-trust network infrastructure also provide privacy benefits to an organization. Company policy can define acceptable levels of personal use of businesses devices and require employees to acknowledge and consent to the fact that all use of a device will be monitored by the organization. With zero-trust networking, an organization can also put policies in place that limit the accidental collection of protected information, such as forgoing deep packet inspection of traffic bound for whitelisted personal domains (such as banks or healthcare organizations).
No Risk Tolerance
While it is impossible to eliminate cyber risk, organizations with no or extremely low tolerance to a given risk attempt to remove as much potential risk as possible. To accomplish this feat, the organization must bring the infrastructure and all endpoints teleworkers use under the oversight and control of the organization.
Instead of permitting employees to configure and use their own home networks for business purposes, these organizations may actually consider deploying centrally-managed network gear like approved wireless access points and/or firewalls to its employees. This enables enforcement of strict network security controls, including the use of full-tunnel VPN or ZTN for network security.
At the corporate end, and organization like this may view the usage of SaaS-based cloud offerings, and the inherent loss of control associated thereto, as a higher risk than they can accept, and may be mostly or wholly using on-site servers for sensitive data storage and processing. Access to these devices should be controlled based upon a zero-trust access model to minimize the probability and potential impact of a data breach.
With a security policy based upon zero risk tolerance, an organization achieves the highest level of personal and business privacy, but invests the most in doing so. Since the organization has complete control over employees’ devices and the networks that are used for telework, it can put in place policies that limit the potential for accidental disclosure of sensitive information.
Supporting Secure Telework
When designing and implementing security controls for teleworkers, a number of considerations exist, and should always start from a clear understanding of an organizations risks. In some cases, an organization may decide to classify and secure employees at different levels – based on job duties – rather than taking a “one size fits all” approach.
In general, less risk-tolerant security strategies, which separate personal and business use of devices and networks, are more effective at protecting employee and company privacy. These approaches also improve a company’s security posture and limit the potential of a data breach or regulatory non-compliance by a teleworker.
Check out our webinar-on-demand, “Key Shifts in Identity Management and Governance”, to learn more about identity management and governance for telework security so you can Show No Weakness.
Paul Caiazzo, Senior VP of Security and Compliance
Paul brings his wealth of cybersecurity experience to guide Avertium customers through challenging security problems while keeping business goals and objectives at the forefront. His primary focus is on business development, partner and client engagement and other strategic initiatives.