Working from the Home Front Securely

by Tal Zamir on March 12, 2020

It is said that home is where the heart is, but with the coronavirus (COVID-19) forcing a large part of the workforce to work from home to help contain its spread, home could be where the headache is.

Increasingly, companies are employing work-from-home policies, with travel restrictions, quarantining, “social distancing” and other isolation techniques becoming the new normal. While the transition to a remote workforce can be accomplished, there are a few pitfalls that companies will need to navigate in terms of technology and access. The Achilles’ heel for many IT teams will be securing endpoints that remote workers use to connect to the corporate network, endpoints that now will be fair game for cybercriminals.

As we prevent viruses from infecting our bodies through isolation, so, too, do we look to prevent viruses from infecting our computers. Isolation is the key to prevention. It ensures separation between healthy and ill. For the health of our corporate infrastructure, we leverage isolation to separate sensitive data from anything that could potentially cause it harm, including the wild internet.

Home Security Challenges

Enabling a large number of employees to work from home in an effective, secure and manageable manner is challenging:

User expectations: Some companies resort to giving employees laptops that are already locked-down. The “lockdown” model typically proves to be frustrating for end-users who will not be able to simultaneously work with corporate-related apps and personal apps. Users prefer to use a single device with a single set of peripherals, without switching between devices. They would like to have direct connectivity to their apps and data, without any added network latency, both in the corporate network, in the cloud, and in their personal home network. They expect to always work natively and locally and have fast responsive applications. They want to be able to print with their home printers and to be able to use their WiFi networks at home or at the coffee shop.
Security needs: There is a greater security risk of using potentially malicious WiFi networks and infected personal devices to access corporate assets. Security teams want to ensure that access to corporate resources is always done from a safe, trusted, operating system (in some cases, this is a hard compliance requirement). A work-from-home solution must protect against a variety of endpoint-related attack vectors, such as OS vulnerabilities, app vulnerabilities (both corporate and 3rd party apps), network vulnerabilities, browser/mail vulnerabilities, USB/external device vulnerabilities, insider threats, etc. It should be hard for malware to simultaneously access corporate network resources and have direct unfiltered access to the internet.
IT needs: With the coronavirus outbreak, IT teams now need to cope with a huge number of employees working remotely. VPN or VDI solutions might not be ready to operate at such a scale without impacting the user experience or increasing cost dramatically (e.g. data center/cloud/network costs). IT must also be ready to support remote user devices and be able to recover in case of endpoint failure. In some cases, enterprises aren’t allowing access from personal laptops/desktops and need to find a work-from-home solution they can roll out immediately.

Resolutions Can Present Roadblocks

An always-on VPN can trip up users when it comes in conflict with WiFi networks that require authentication or present a captive portal. With a couple of bumps in the road, such as a faulty Windows update, users might need IT to step in and re-image their laptop or operating system remotely. This is a challenge for IT teams and users alike, at best.

Sponsorships Available

If split tunneling, where users can simultaneously connect to the corporate networks through a VPN and their home networks, is not allowed, then users cannot access cloud resources directly. If it is allowed, it also opens up another door for attackers to more easily walk through.

If companies allow employees to use their own personal equipment, a cloud-based zero trust architecture can be implemented that is much more convenient to employees to access applications such as Microsoft Office 365, Google G Suite or Salesforce. Additional verification, such as two-factor authentication, can be used to connect. However, this is a riskier proposition as personal devices, user-installed apps, home networks and more can all become infected with malware far more easily. Once a device is compromised, a cybercriminal could impersonate an employee to infiltrate the corporate network and exfiltrate data.

Finding the Way Home

Balancing productivity and securing access at the same time is a delicate scenario that companies must consider. They also will need to employ best practices and procedures. A key measure will be for organizations to thoroughly train their workforce.

Enabling end users to use a single device with a single set of peripherals for both personal and corporate access facilitates productivity at a faster, more efficient pace. However, this could introduce an even larger threat landscape if access is granted for both from the same operating system.