Quite suddenly, hundreds, if not thousands, of organizations in areas around the globe affected by Covid-19 (coronavirus) are suspending office work and mandating that their employees work remotely. In the Seattle area alone, Amazon, Microsoft, Facebook, and many other tech companies mandated remote work throughout the rest of the month or indefinitely, thrusting hundreds of thousands of employees, contractors, and vendors into telecommute situations.
While some companies may have solid disaster recovery plans in place, few are likely equipped for a large-scale shift to telecommuting that could extend well beyond weeks. It’s an enormous, unplanned stress test for remote access. This situation has created an immense, rapid demand for secure remote access tools, driven by the need to protect employee health and network security and to ensure business continuity.
Except for a small sliver of companies that are either 100% telecommuting or have at least embraced remote work options for a significant part of their workforce, most organizations lack the infrastructure to effectively and securely “go remote” en masse. This model shift strains the networks, applications, and services structure.
Then, there are the cybersecurity implications. Do these newly telecommuting employees have the right tools for remote work, or are they compelled to quickly stitch together shadow IT applications to maintain productivity? Do they have work-provisioned laptops, or are they forced to use personal laptops/devices for work-related activities?
Shadow IT has long been a mixed blessing, but the move en masse to so many applications and devices outside IT control creates considerable risk. In most organizations, personal laptops probably lack the security software safeguards and policies that protect hardened, company-provisioned devices. Many employees are now forced to use their own devices with corporate-issued VPN or other remote access technology. This situation poses a threat when they are connected to the corporate network.
Of course, as organizations and localities are grappling with how to maintain normalcy while taking precautions, cyber threat actors have not skipped a beat in exploiting the crisis. The World Health Organization (WHO) has issued multiple reports of hackers leveraging exploits as part of coronavirus-related scams. Sometimes, they pose as business partners or public institutions in an effort to phish users when they open messages infected with malware.
How can organizations and their workforces remain as productive as possible during this crisis without creating unacceptable security risks in the process? Unprepared organizations forced to “go remote” may feel compelled to broadly loosen security policies to enable productivity. Obviously, this is not an ideal situation, particularly for global enterprises. Loosening the standards for just one user or device could jeopardize data privacy and security across the entire global network.
How Secure is your Remote Access?
One of the most pressing of these security issues involves the technology to enable telework in the first place. If organizations are unprepared to roll out a secure remote access technology, employees, including even IT staff, may feel forced to download free tools to get their work done. However, these tools will almost invariably have a combination of monitoring, authentication, and security deficiencies that can put the entire organization at risk of a breach, as well as failed compliance audits.
In haste, many organizations may have remote workers and vendors VPN into the corporate network, but VPNs are not ideal. First, they lack the scalability needed to accommodate a surge of remote workers. Second, and perhaps more concerning, VPN technology, while providing some protections (such as against man-in-the-middle attacks), itself suffers from many security shortcomings.
VPN security concerns are particularly heightened when VPNs are used for privileged users and third-party vendors. For instance, VPNs typically lack granular permission setting options, firewall settings are weakened, visibility and reporting options are poor, and the principle of least privilege (PoLP) may be unattainable.
If, in the short-term, BYOD is the only feasible option to allow remote work, it’s advisable that you ensure your remote access technology absolutely does not use a VPN, does not use any local clients, does not perform any protocol tunneling, and renders all remote sessions in a browser.
While vendor access has long been a weak security link, typical office staff are now essentially forced into working as pseudo-vendors, coming from off-network devices and networks, and potentially BYOD. Of course, true vendor access itself may be expected to increase in the coming months as organizations turn to IT service providers and other third parties to help them manage the growing IT workload and new challenges in the face of the coronavirus. It’s particularly important that vendor access is not as simple as “on” or “off”; it needs to be tightly controlled and audited.
Here’s a challenge exercise to evaluate your current remote or vendor access system and policies:
Challenge 1 - Can you set granular access? Most of your employees or vendors only need access to very specific systems, and specific actions on those systems. Organizations should be able to enforce a policy of least privilege by giving users just the right level of access needed for their roles with individual accountability for shared accounts.
Challenge 2 - Do you have one single path for approvals and notifications? Administrators and IT teams should be able to consolidate the tracking, approval, and auditing of privileged accounts in one place.
Challenge 3 - Do you know when your network is being accessed, by whom, and for what purpose? You should have the ability to receive automated notifications when privileged remote access sessions are initiated, and the ability to layer on access approval workflows for particularly sensitive sessions.
Challenge 4 - Do you securely manage privileged credentials for employees and vendors that are used for privileged remote access? Enterprise-class secure remote access solutions should eliminate the need for privileged users, whether internal or third-party, to remember or share credentials for the systems they need to access. The credentials should be centrally managed, and potentially even changed after every session or use. Frequent privileged credential rotation reduces the threat of password reuse attacks.
Challenge 5 - Are you able to capture detailed session data (for all remote access sessions, whether remote employee or vendor) for real-time or post-session review and compliance? IT/auditing should be able to get a detailed log of exactly what individuals did when connected to your network. If you don’t have that, you don’t have security, you don’t have accountability, and you don’t have compliance.
Ensuring a Secure, Productive Remote Access Experience for Your Employees & Vendors
BeyondTrust Privileged Remote Access is the leading enterprise-class secure remote access technology. With the BeyondTrust solution, you can manage and audit vendor and internal remote privileged access without the need for a dedicated VPN solution. Every remote session is tightly controlled, monitored, managed, and audited. In addition, with Privileged Remote Access, organizations can extend access to important assets in the cloud, or deep within an organization, using Jump Points and adhere to security best practices by limiting network traffic and ports to only authorized sources and applications.
Here's how the BeyondTrust solution addresses your remote access challenges:
- Granularly control the access: Enforce least privilege by giving users just the right level of access needed for their roles. This also includes defining which endpoints users can access, and when they can access them.
- Consolidate access pathways: Administrators and IT teams can consolidate the tracking, approval, and auditing of privileged remote access. You can require all connections to be brokered through a single access pathway, reducing the attack surface while providing a single list of authorized endpoints available for each user.
- Track the access: Set authorization and notification preferences to be alerted when a vendor/privileged user is accessing your network/systems, or a remote access-initiated session is occurring. Administrators should have the ability to use their mobile devices to approve requests and monitor access usage from anywhere.
- Protect the credentials: Credentials (including for vendors) can be securely stored and managed in the solution’s centralized vault and injected into remote access sessions as needed, never exposing credentials to the end user.
- Record and audit the access: Satisfy internal and external compliance requirements with comprehensive audit trails, session forensics, and other reporting features. Capture detailed session data for real-time or post-session review. Administrators can review and monitor the use of privileged accounts, and easily provide attestation reports to prove compliance. Control and monitor sessions via a secure agent or using standard protocols for RDP, VNC, Web, and SSH connections.
To help keep workers safe and productive, while ensuring the corporate network and users are protected, contact BeyondTrust today.