The COVID-19 crisis has resulted in millions of people working and learning from home. In addition to the rapid expansion of corporate VPNs, a significant amount of corporate work now occurs on home networks built from consumer-grade equipment that was never configured to enterprise security standards.
Enterprises quickly expanded their VPN capacity in response to the pandemic, and many relaxed security standards to do so. At the same time, key employees' names and roles are easy to find on company websites or LinkedIn, and many countries now publish digital property records, so an attacker can often work out who holds privileged access and where that person lives. Each of these is an additional exposure point.
It's enough to give network security teams nightmares.
Bring rigor back to network security
So, how can enterprises secure remote access for their employees and ensure a safe network environment? First and foremost, enterprises need to start adding the rigor back into their systems and processes.
An important step is to reestablish VPN standards. Enterprises must replace the temporary changes they made to increase capacity with permanent designs that fully support security standards. The standards themselves need to be reevaluated based on the company's new normal. This will include implementing or reimplementing basic protections, such as the following:
- strong password policies
- multifactor authentication for every VPN login
- role-based access, so that each VPN user reaches only the systems their role requires
Secure home networks
Home network systems use personal equipment or systems provided by a broadband provider. Network security teams must work with employees to bolster security for home networks by using the following steps:
- catalog the broadband providers in use;
- catalog the equipment being used; and
- research and establish configuration guidelines.
Establish endpoint protection
To manage the network security environment, teams must reestablish endpoint protection, which requires the following steps:
- update antimalware and antivirus protection on every endpoint;
- enforce minimum software and patch levels; and
- establish remote access to those endpoints for security operations (SecOps) personnel.
This process can include asking for access to employees' home networking kits. The intent is to establish software levels and develop standard configurations for broadband providers and home networks being used by employees.
This sounds like a complex and difficult process, but in most regions of the country more than 90% of users are on just two providers. For example, in my region, well over 90% of our employees are on either Fios or Xfinity, so two standard configurations cover almost everyone. Some employees might view this as an invasion of privacy, but because most employees are not network or security engineers, many of them might welcome support for these systems.
If it's a step too far to get access to employees' home routers, teams can provide suggested configurations and request employee attestation.
Teams can review these networks either by having SecOps inspect them directly or by checking employee attestations against the suggested configurations. Some questions to consider include the following:
- Is the Wi-Fi network using a current security mode (WPA2 or WPA3 with a strong passphrase) rather than WEP, WPA or no encryption at all? The service set identifier (SSID) is only the network's name; what matters is the security mode behind it.
- Is there a guest network or guest account, and if so, is it isolated from the main LAN?
- Are all the systems registered with the router known to the employee and their family?
The answers to these questions are important because an unisolated guest network or a weak Wi-Fi passphrase lets neighbors within radio range, in adjacent homes or apartments, join the home network and share a LAN with the employee's work device.
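The checks above, together with the earlier goal of establishing firmware levels and standard configurations per provider, are easy to turn into a repeatable audit that SecOps can run over an exported router configuration or over the values an employee attests to. The script below is an added example, not code from the original article or from any router vendor. The export format (a plain dictionary), the minimum-firmware table, the accepted Wi-Fi modes and the device catalog are all constructed assumptions; a real router export has to be mapped into this shape first.

```python
"""Home-router configuration audit.

Added example, not code from the original article or any vendor tool. The
export format (a dict), the guideline values and the device catalog are
constructed for illustration; real router exports differ per model.
"""
from dataclasses import dataclass

# Hypothetical minimum firmware per (provider, model), the kind of baseline a
# security team publishes after cataloging the equipment employees use.
MIN_FIRMWARE = {
    ("Fios", "G3100"): (3, 1, 0),
    ("Xfinity", "XB7"): (4, 2, 1),
}

# Wi-Fi security modes the guideline accepts; open, WEP and WPA(1)/TKIP fail.
ACCEPTED_WIFI_MODES = {"WPA2-PSK", "WPA2/WPA3", "WPA3-SAE"}
MIN_PASSPHRASE_LEN = 12


@dataclass
class Finding:
    severity: str   # "high" or "medium"
    check: str
    detail: str


def parse_version(text: str) -> tuple:
    """'3.0.12' -> (3, 0, 12) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def audit_router(record: dict, known_devices: dict) -> list:
    """Return the list of findings for one router record.

    known_devices maps MAC address -> owner/description, i.e. the systems the
    employee and family have acknowledged as theirs.
    """
    findings = []
    key = (record["provider"], record["model"])

    # 1. Firmware level against the per-model baseline.
    minimum = MIN_FIRMWARE.get(key)
    if minimum is None:
        findings.append(Finding("medium", "firmware", f"no baseline for {key}"))
    elif parse_version(record["firmware"]) < minimum:
        findings.append(Finding("high", "firmware",
                                f"{record['firmware']} is below "
                                f"{'.'.join(map(str, minimum))}"))

    # 2. Wi-Fi security mode and passphrase length (only the length is exported).
    wifi = record["wifi"]
    if wifi["mode"] not in ACCEPTED_WIFI_MODES:
        findings.append(Finding("high", "wifi-mode", f"{wifi['mode']} in use"))
    if wifi["passphrase_length"] < MIN_PASSPHRASE_LEN:
        findings.append(Finding("medium", "wifi-passphrase",
                                f"passphrase length {wifi['passphrase_length']}"))
    if wifi.get("wps_enabled"):
        findings.append(Finding("medium", "wps", "WPS enabled"))

    # 3. Guest network: acceptable only if it cannot reach the main LAN.
    guest = record.get("guest_network")
    if guest and guest.get("enabled"):
        if not guest.get("isolated"):
            findings.append(Finding("high", "guest-isolation",
                                    "guest clients can reach the main LAN"))
        if guest.get("mode") == "open":
            findings.append(Finding("medium", "guest-mode", "guest SSID is open"))

    # 4. Administrative surface.
    admin = record["admin"]
    if admin.get("remote_management"):
        findings.append(Finding("high", "remote-admin", "WAN-side admin enabled"))
    if admin.get("default_password"):
        findings.append(Finding("high", "admin-password", "vendor default in use"))

    # 5. Every DHCP client should be something the household recognizes.
    for client in record["dhcp_clients"]:
        mac = client["mac"].lower()
        if mac not in known_devices:
            findings.append(Finding("medium", "unknown-device",
                                    f"{mac} ({client.get('hostname', '?')})"))
    return findings


def passes(findings: list) -> bool:
    """Guideline verdict: no high-severity findings."""
    return not any(f.severity == "high" for f in findings)


# Constructed sample: one router export and the household's device catalog.
SAMPLE_RECORD = {
    "provider": "Xfinity", "model": "XB7", "firmware": "4.1.9",
    "wifi": {"mode": "WPA2-PSK", "passphrase_length": 9, "wps_enabled": True},
    "guest_network": {"enabled": True, "isolated": False, "mode": "open"},
    "admin": {"remote_management": False, "default_password": False},
    "dhcp_clients": [
        {"mac": "AA:BB:CC:00:00:01", "hostname": "work-laptop"},
        {"mac": "AA:BB:CC:00:00:02", "hostname": "family-tv"},
        {"mac": "AA:BB:CC:00:00:09", "hostname": "android-3f2a"},
    ],
}
KNOWN_DEVICES = {
    "aa:bb:cc:00:00:01": "employee laptop",
    "aa:bb:cc:00:00:02": "living room TV",
}

if __name__ == "__main__":
    for f in audit_router(SAMPLE_RECORD, KNOWN_DEVICES):
        print(f"[{f.severity}] {f.check}: {f.detail}")
    print("passes:", passes(audit_router(SAMPLE_RECORD, KNOWN_DEVICES)))
```

Two design points are worth noting. Only the passphrase length is taken from the export, never the passphrase itself, so the attestation form does not become a store of home Wi-Fi credentials. And the unknown-device check is deliberately a medium rather than a high finding: a neighbor's phone on the LAN is the symptom the article warns about, but the root causes it usually points to (an unisolated guest network, a weak passphrase, WPS) are the items rated high, and those are what the employee should fix first.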
Consider new and innovative alternatives
Once upon a time, it was common for employers to provide work-from-home systems with traditional security, but this disappeared with the emergence of BYOD and widespread broadband. Enterprises might find it useful to revive this practice for key employees and company officers, based on the risk profile associated with the employees' access and capabilities.
Of course, newer technologies are always under development. At one end of the spectrum, ultra-secure systems are available, such as Attila Security, which provides hardware-based security options certified for U.S. Department of Defense use. Other choices include new software options that replace VPN technologies altogether, such as Elisity with its Cognitive Access Service, which provides nanosegmentation of endpoints.