This article is based on a panel discussion at ChannelPro’s 2020 Cybersecurity Online Summit.
“DUMPSTER FIRE” is how cybersecurity expert Ian Thornton-Trump describes the state of post-perimeter security as businesses of all sizes cope with how best to secure remote employees in what could be a permanently altered workplace in the wake of the coronavirus pandemic.
Consider the obstacles: An August 2020 Netskope report found a 148% rise in remote workers due to COVID-19—and a 161% increase in visits to high-risk apps and websites, as personal use of managed devices nearly doubled. Moreover, according to a December 2020 Qualtrics and PwC study, over 65% of all IT executives say at least a quarter of their companies will continue to work remotely permanently.
The traditional perimeter was already shifting pre-COVID as more businesses moved to the cloud, but now it has “disintegrated” as IT departments and managed service providers are supporting personal computers and home networks that are in various states of security (or lack thereof), says Thornton-Trump, chief information security officer for Cyjax in the U.K. and CTO of Octopi Managed Services in Canada. “Their jobs have tripled or quadrupled overnight in terms of the security requirements,” he notes.
Michael O’Hara, owner and principal consultant of MEDSEC Privacy Consulting, uses this analogy: The “perimeter” used to be contained, like a glass of water. “It was something that I could easily control. … I could see if any contaminants were coming in or out of it. And it’s something that I could manage with not a lot of effort.” Flash forward to today, he says: “You’re trying to manage 10,000 glasses of water.”
Clearly, securing users in the age of work from home (WFH) requires rethinking security as well as adopting some new tools and techniques.
New Challenges
Today security risk is everywhere. “It’s at Starbucks. It’s at that Cox Cable home internet connection. It’s at your Wi-Fi connection. It’s at your cell phone acting as a hotspot connection. And let’s not forget the tried-and-true social engineering,” O’Hara says.
Add to that your business partners and “every IP address and every endpoint that possibly is connecting to us,” says Thornton-Trump.
One challenge is that with data so distributed and dynamic, businesses may not be able to collect and monitor all suspicious activity from end-user devices, cloud services, on-premises services, etc. Another is the lack of risk models for WFH computing.
“Nobody thought for an instant that an entire business function would now be dependent on residential-grade internet,” says Thornton-Trump.
In addition, businesses must balance their security posture with privacy issues. “What tools can an enterprise put on that personal network and on that personal PC to monitor it?” O’Hara asks. “The home network is an asset that does not belong to the enterprise.”
Compliance is yet another challenge. Any network that is collecting or processing credit card information, for instance, falls within the scope of PCI DSS requirements. “If you were tasked with having to run somebody’s credit card to handle an outstanding invoice, and you were doing it from your home personal network, even over remote desktop, we don’t take that into account in terms of the hard and fast PCI DSS standard,” Thornton-Trump notes. “That whole network now has to be PCI DSS compliant.”
Create Policies and Procedures
Given all these new challenges, it will be incumbent upon businesses to create a security model with policies and procedures for WFH employees.
Ideally, businesses would have had these in place before sending employees home, but given the unexpected rush due to the pandemic, many don’t. O’Hara recommends downloading policy templates from groups such as the SANS Institute to get started.
You may need special terms and conditions to protect privacy, Thornton-Trump adds. “This is a real problem because when I put those home networks online, I’ve got access to baby monitors. I’ve got access to a DVR, so I can see potentially all of the shows that you’ve recorded. I will have access to your security systems. So we need to, as a company, say there are red lines [about] data that we will not consume, use, or abuse. This is [an] issue that we’ve never had to face before.”
Once policies are in place, O’Hara suggests organizations do a baseline scan of home networks. “We have to at least see where you’re strong and where you’re weak, so that we can advise you on how to meet the milestones of security so that we can be comfortable allowing you in.”
If a scan detects an Internet of Things device that has been compromised, for instance, the organization needs to be able to convey that to the home user and get it addressed so it doesn’t “bleed over into your corporate VPN connection,” Thornton-Trump says. A business or its MSP can start by extending endpoint detection and response or anti-virus solutions to all the endpoints in a home network for free, and then keeping them up to date, he suggests.
A Need to Shift the Focus
The shift to WFH also requires a shift in focus from securing the organization to securing the individual as well, both Thornton-Trump and O’Hara stress. This requires creating an identity- and access-control-focused organization. They recommend implementing the following:
- Multifactor/two-factor authentication
- Single sign-on
- Password management
- Intrusion detection and response tools
- User education
Build the desired requirements into security policies and procedures, O’Hara says. “Insist in your policy … you have to have two-factor authentication in order to work from home. You have to have anti-virus at this minimum level. You have to make sure that these ports are disabled on your home router. And those are just three really high-level things you can look at just to start off.”
With WFH, user education is more critical than ever, he adds. “You’re going to have to educate your end users as to what those threats really are out there and how they can start recognizing them. And it’s got to go beyond that obligatory once every six months or once every quarter ‘infomercial’ video that gets sent to your email.”
Going Forward
With WFH potentially the new normal for the foreseeable future, businesses are going to have to take on the responsibility of security beyond the perimeter for the long term. Some options, O’Hara says, would be to identify key personnel and pay for their internet access or implement and pay for a parallel network in the home that is just for corporate use.
Businesses will have to have the same debate about home networks that they had around bring your own device, O’Hara adds. “Do we have to support it? Do they support it? The same question with the network.”
Managed service providers, in the meantime, can start implementing tools and services to perform threat assessments of their customers’ WFH computing environments, O’Hara says.
He notes one caveat: “If the MSP starts poking around on people’s [home] networks, there is a liability that if they bring that network down, they’re going to have to fix it. There’s just no ands, ifs, or buts about that.”