Forever a Remote Workforce
As I write this article, I have just finished two video calls with vCISO customers. Each customer has been tasked with the same business problem: "The company wants to go XX% remote forever."
Being their CISO, I have several confidentiality, integrity, and availability questions. With that, I am going to start examining their current security architecture and begin asking hard security questions.
Considerations for the business goal:
- Is this security architecture sufficient for maintaining a remote workforce?
- Do our current security toolsets make sense now that we're staying remote?
- Where are our bottlenecks: hardware, network, or security?
- What does our Internet bandwidth look like, and do we need to make changes?
- Is cloud an answer to problems now that we have adopted remote on a more permanent basis?
- Where do our VPNs terminate, and is that a bad idea now that we are xx% remote?
- Are we still hosting our email on-prem, and should we go cloud? Do we need more cloud services to remain remote?
- How do we make sure our remote workers are getting their security patch updates, security AV updates, and all CIS top 20 controls aligned?
- How do we manage this new distributed model?
- How do we manage these forensic logs and get forensic detail of a breach?
- What do backups look like now?
- What does Disaster Recovery and BCP look like now?
It is clear that business is becoming agile and adopting this remote business strategy, but is IT ready to move and maintain confidentiality, integrity, and availability? Have you thought through what maintaining a significant number of remote workers entails? Here are some pitfalls to consider.
Pitfalls:
- Is that one VPN system failing, and does the business remain available if that one VPN IP address goes offline? (DDoS?)
- Where is the data, and how is it being secured under this new distributed paradigm?
- How is that new data being managed, and can it be backed up and restored?
- If a Nation-State does successfully take down a core internet provider, how will the company stay online when the workforce's internet is offline?
- What type of shadow IT is being used to fill a gap your company isn't satisfying, and how deep does that rabbit hole go with remote workers?
- What attacks are your remote workers' home networks dealing with, and is the Information Technology Department now responsible for understanding that security landscape too?
- Does your security perimeter need a new definition of termination points?
- How do you deploy new employee resources? Do they come to the corporate office, or do you FedEx, and can you support that new hire deployment?
- Should we write policies to address these various new concerns?
- Remote cultural responsibilities are different from in-person responsibilities. Do we need more training to elevate our team's ability to meet the new remote challenges?
These are some of the conversations I am having with my customers, and some of the questions I am bringing up to my executives. Now that your employees are working remotely, the "emergency" conditions you have built may not be sufficient to run a company for the long term. Nor are these emergency configurations adequate to be "secure forever."
Here are some things to consider to secure your emergency deployment of a remote workforce.
- Do a penetration test. You opened up some security holes to enable the remote workforce. What do those holes look like to an attacker? (CIS #20)
- What does that inventory look like (software/hardware), and what is being used for shadow IT? (CIS #1 & #2)
- Are your remote workers secure? (CIS #5, #16)
- If someone is breached, will we know? (CIS #6 & #19)
- Can our remote workers defend themselves? (CIS #7, #8, #9, #14)
- Can our remote workforce back up their data, and restore it? (CIS #10)
- What is our boundary we need to protect now that we are remote? (CIS #12)
- Where is our data? (CIS #13)
- What Wireless risks do we have now? (CIS #15)
- Do our remote workers know what to do for security? (CIS #17)
- What are our developers doing? We know that the group is still making software. (CIS #18)
- Jimmy has been breached at his home, and his laptop, company VPN, and data were accessed. What do we do? (CIS #19 Incident Response)
It's a "New Normal" thing, right?
👍
You are wise, a great leader and writer, Jerry Craft! Thank you for taking time to capture and share your insights.