Security Advice for 'Work-From-Home' Enterprises

When stay-at-home orders hit businesses across the world, many IT groups were understandably challenged to handle the incremental load presented by the massive influx of remote workers on virtual private network (VPN) based remote access systems.

According to Owl Labs only 16% of companies had employees working remotely full-time in 2018. Then suddenly in mid-March, 45% of companies found themselves asking workers to do their jobs from home. The impact of the sudden shift is difficult at this point to quantify, but one thing is clear: Many companies are struggling to quickly adapt to the deluge of remote access.

Traditional remote access VPN implementations often backhaul all remote worker traffic to corporate data centers to provide access to internal applications and to ensure internet access security policies are applied. Apart from the inherent security risks of operating a full-access Layer 4 VPN that has open-port backdoors attackers can exploit, this model works reasonably well under normal circumstances - which for most organizations translates into low double-digit percentages of concurrent remote users. But when suddenly faced with near 100% usage, many of these implementations became oversubscribed.

Even more challenging is the situation faced by businesses without a pre-existing remote access contingency plan. In these scenarios, user-owned devices, with questionable-at-best security postures, can be compromised and used by attackers to gain a foothold in the corporate network where they can move laterally, steal credentials, elevate their privilege, and install malicious payloads or exfiltrate sensitive data from critical systems. The loss in visibility for the security team is alarming.

Companies need to optimize their remote access strategy for security, performance, flexibility and cost, and they need to enforce policy beyond the traditional perimeter - no matter where the user resides.

Many companies have tried to meet the increased demand by scaling out the traditional VPN and associated network infrastructure, but are running into bottlenecks acquiring the necessary hardware or carrier circuit upgrades. Others are throwing in the towel and opening their corporate resources, hosted in the datacenter to be accessed directly from the internet, as well as letting the user connect directly to the internet, putting the user and company data at risk. So both choices pose significant challenges, not just in terms of speed of deployment, but the long-term impact of such policies.

What to do in the short term: Use cloud security services to keep users connected and protected

As companies shift to remote work, cloud security can be implemented quickly to augment and breathe new life into VPN infrastructure. Rather than backhauling internet traffic, you can leverage the power of cloud-based web filtering and remote access solutions: 

• Cloud based secure web gateway solutions can enforce your browsing policies and protect users and devices from malicious content and downloads without requiring to backhaul internet traffic via on-premises controls. 
• Software-defined perimeters (SDP), also known as Zero Trust Network Access solutions, provide remote access to your corporate resources, while enforcing security policies on the users and devices. 

The VPN can still be used to access internal applications, but web filtering is moved to the cloud, relieving the VPN of the burden of transiting internet traffic through the corporate network. Some cautions: Filtering remote worker web traffic needs to be done right. Some cloud web filters, that at first seem attractive from a rapid deployment perspective, rely heavily on the limited metadata visible in DNS queries. These solutions leave too many security gaps to be desired. To properly secure remote users, a strong filtering solution should be implemented that scans all content, regardless of the reputation of the domain in question.

To further relieve the burden on the VPN, remote workers can be provided with secure access to sensitive data and applications with a cloud-based SDP which acts as a trust broker between users and corporate resources. Unlike traditional network security systems which rely on IP addresses, SDP relies on identity, context and trustworthiness to verify every user and device trying to connect to resources before granting least-privilege access. This approach completely removes the need of exposing your corporate resources to the internet and significantly reduces the network level attack surface, allowing secure access of personal, unmanaged devices while still maintaining data security.

Either way, the business can get to work remotely with policies that keep the business secure.

What to do in the long term: Companies should think beyond traditional VPNs

A better approach to remote access security is needed to overcome the scalability and security flaws of VPNs.   A more agile and granular security model rooted in Zero Trust, the concept that organizations must trust nothing and verify everything, can provide secure access to the internet and critical internal applications without the risk of an unrestricted VPN connection to the corporate network.

Implementing a Zero Trust architecture is a gradual process and companies should focus on leveraging the  short term wins discussed here and outline a roadmap for improving  with essential capabilities such as data loss prevention (DLP), a cloud access security broker (CASB) as things settle down.

The current pandemic could continue to threaten business continuity for the foreseeable future. While almost no one could have predicted this flood of remote workers, what we can now predict is that future iterations of nearly every business continuity plan will mandate supporting a secure remote workforce on a moment’s notice.

What next: We are here to help

Symantec can help your organization stay connected and productive without increasing security risks. Learn how to augment VPN capacity to scale to your current remote workforce needs with Symantec Web Security Service and Secure Access Cloud.