
How to secure remote access for WFH employees

The global pandemic caused mayhem in network security environments. Enterprises need to bring rigor back to their systems and tighten security for remote workers.

The COVID-19 crisis has resulted in millions of people working and learning from home. In addition to the rapid expansion of corporate VPNs, significant corporate work also occurs on insecure home networks built with consumer electronics.

Enterprises quickly expanded their VPN capacity in response to the pandemic, and many were forced to relax security standards. In addition, key employee information is available on company websites or LinkedIn, resulting in more exposure points. Further, many countries now have digital property records, which makes it relatively easy to find out where someone lives.

It's enough to give network security teams nightmares.

Bring rigor back to network security

So, how can enterprises secure remote access for their employees and ensure a safe network environment? First and foremost, enterprises need to start adding the rigor back into their systems and processes.


An important step is to reestablish VPN standards. Enterprises must replace the temporary changes they made to increase capacity with permanent designs that fully support security standards. The standards themselves need to be reevaluated based on the company's new normal. This will include implementing or reimplementing basic protections, such as the following:

Secure home networks

Home network systems use personal equipment or systems provided by a broadband provider. Network security teams must work with employees to bolster security for home networks by using the following steps:

  1. catalog the broadband providers in use;
  2. catalog the equipment being used; and
  3. research and establish configuration guidelines.

Establish endpoint protection

To manage network security environments, teams must reestablish endpoint protection, which requires the following steps:

  1. update malware and virus protection;
  2. enforce minimum software update standards; and
  3. establish access for security operations (SecOps) personnel.

This process can include asking for access to employees' home networking kits. The intent is to establish software levels and develop standard configurations for broadband providers and home networks being used by employees.

This sounds like a complex and difficult process, but most regions in the country will have more than 90% of users on just two providers. For example, in my region, well over 90% of our employees are on either Fios or Xfinity. Some employees might view this as an invasion of privacy, but because most employees are not network and security engineers, they might welcome support for these systems.

If it's a step too far to get access to employees' home routers, teams can provide suggested configurations and request employee attestation.

Teams can scan and review these networks either with SecOps or using suggested configurations. Some questions to consider include the following:

The answers to these questions are important because guest accounts and weak passwords can let people in adjacent homes or apartments use the employee's home network.
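One way to check employee attestations against per-provider configuration guidelines, as an added example that is not part of the original article. The field names, firmware versions, baseline values and records are all constructed assumptions; only the provider names Fios and Xfinity come from the text.

```python
from collections import Counter

# Constructed guideline per catalogued broadband provider (assumed values).
BASELINES = {
    "Fios":    {"min_firmware": "3.2.10", "guest_network": False},
    "Xfinity": {"min_firmware": "5.1.0",  "guest_network": False},
}

# Constructed attestation records, one per employee home network.
ATTESTATIONS = [
    {"user": "alice", "provider": "Fios", "firmware": "3.2.9",
     "guest_network": False, "default_wifi_password": False},
    {"user": "bob", "provider": "Xfinity", "firmware": "5.1.0",
     "guest_network": True, "default_wifi_password": False},
    {"user": "carol", "provider": "Fios", "firmware": "3.10.0",
     "guest_network": False, "default_wifi_password": True},
    {"user": "dave", "provider": "LocalISP", "firmware": "1.0",
     "guest_network": False, "default_wifi_password": False},
]

def version_key(v):
    """Compare versions numerically: '3.10.0' is newer than '3.2.10'."""
    return tuple(int(p) for p in v.split("."))

def findings(rec):
    """Return the list of guideline deviations for one attestation."""
    base = BASELINES.get(rec["provider"])
    if base is None:
        return ["provider not yet catalogued; no guideline exists"]
    out = []
    if version_key(rec["firmware"]) < version_key(base["min_firmware"]):
        out.append(f"firmware {rec['firmware']} below {base['min_firmware']}")
    if rec["guest_network"] and not base["guest_network"]:
        out.append("guest network enabled")
    if rec["default_wifi_password"]:
        out.append("default Wi-Fi password still set")
    return out

def provider_coverage(records):
    """Share of home networks that fall under an existing baseline."""
    counts = Counter(r["provider"] for r in records)
    covered = sum(n for p, n in counts.items() if p in BASELINES)
    return covered / len(records)

if __name__ == "__main__":
    for rec in ATTESTATIONS:
        print(rec["user"], findings(rec) or "meets guideline")
    print(f"baseline coverage: {provider_coverage(ATTESTATIONS):.0%}")
```

Comparing firmware versions as plain strings would rank "3.10.0" below "3.2.10" and wrongly flag an up-to-date router, which is why the check parses each component as an integer.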

Consider new and innovative alternatives

Once upon a time, it was common for employers to provide work-from-home systems with traditional security, but this disappeared with the emergence of BYOD and widespread broadband. Enterprises might find it useful to revive this practice for key employees and company officers, based on the risk profile associated with the employees' access and capabilities.

Of course, newer technologies are always under development. At one end of the spectrum, ultra-secure systems are available, such as Attila Security, which provides hardware-based security options certified for U.S. Department of Defense use. Other choices include new software options that replace VPN technologies altogether, such as Elisity with its Cognitive Access Service, which provides nanosegmentation of endpoints.

This was last published in September 2020
