Remote Worker Security: The Risks, Challenges, and Solutions

by Nick Hunter on October 20, 2020

The concept of working remotely, or granting remote access, isn’t anything new for most IT professionals. Most organizations have embraced a remote workforce, be it their own employees, contractors, consumers, business partners, and managed service providers.

What does “working remotely” mean today?

For IT professionals, remote access had been thought of as performing your job functions and tasks from wherever the user was temporarily stationed. The term “working remotely” meant something rather different before the COVID-19 crisis, especially for IT professionals and organizations. Now “working remotely” has transformed in meaning and refers to working from a remote physical location on a semi-permanent basis.

ITOps and SecOps must rapidly adjust and implement mitigation solutions and strategies

Because of the pandemic, the workforce is no longer working from within an office. The term also now encompasses the entire organization, and not just IT users and contractors. COVID-19 forces ITOps and SecOps groups to rapidly adjust and implement mitigation solutions and strategies. ITOps teams need to quickly provide remote access to all internal applications for both IT and non-IT business users. Doing this requires them to quickly review and update security policies to allow traffic through the perimeter to internal applications and resources.

Sponsorships Available

They must then ensure that all remote access to applications and resources is reliable, with useable security. Many remote users are new to working remotely and will need to learn how to connect and perform their job from a remote location. All of this means that existing security risks are magnified, and many new attack vectors are introduced.

Aren’t cloud-based applications designed to address this problem?

At a glance, one could quickly conclude that SaaS, IaaS, and other cloud-based applications were already designed precisely to address this problem. However, it’s not that simple because granular access controls were implemented to govern users’ permissions inside a corporate network. In other words, there wasn’t as much security risk because the majority of users would access apps from within a workplace.

This enabled traditional perimeter security controls to be effective and simplified identity management. Most internal application authentication was integrated with directory services and an SSO provider, while others were still protected by the perimeter where they wouldn’t have direct exposure to the internet.

The workforce moved outside the border of layered security, and now the scramble is on…

But the problem now is that the workforce moved outside the border of layered security, and the scramble is on to find a way to provide a balanced approach of applied security with business continuity.

A recent Gallup poll found that “Sixty-two percent of employed Americans currently say they have worked from home during the crisis, a number that has doubled since mid-March.“

It takes a tremendous amount of time and resources to deploy and support VPN’s connectivity under normal circumstances. If VPN’s were easy to deploy and maintain, cost-efficient, and reliable, organizations would have always required all remote workers to use them. However, they aren’t, and while nearly every organization has them, they were only needed for users to access highly secure applications and resources.

What if this shift to a remote workforce isn’t temporary?

Is there a solution that can be put in place, that embraces a remote workforce, and continues to be a scalable, adaptable solution? The long-term problem isn’t how to get remote workers to applications and resources, it’s still how to reduce the risk of compromised credentials and the ability for a cyber-criminal to exploit them.

This is the problem that will always exist, regardless of the location of a workforce. The temporary problem is how to provide access to internal applications and resources outside the perimeter. To solve that means creating gaps in security layers, but when you do that, the level of risk is multiplied.

To address remote worker security effectively, start with zero-trust

The first step is establishing a zero-trust methodology of granting access. Prevent credential compromise by increasing authentication security and identity validation. Zero-trust solutions will become long-term risk reduction solutions that can be applied across the organization. From there, any access granted must follow the least privilege model, which reduces the effectiveness of any compromised account.

Remote workers should only have the privileges required to do their job, again, regardless of location. Remote access has been, and always will be, a requirement for most organizations. With an investment in the least privilege model, it can be implemented as a staple security policy for every account across all applications and resources.