The Office...
...and How to Take it Home With You
Nirvana
In the office, all employees have a “desk” on the corporate network where they can get on with their day job. But beyond the boundary of the corporate network lies the big bad Internet, where dragons lie in wait to catch the unwary. Since the day job inevitably means accessing the Internet in some way, some magical security gateway device is used to keep the dragons out. Nothing bad can get in. Nothing sensitive can leak out. Everyone can work in perfect safety.
The Home Workers
But then your employees want to work at home. They want to move their “desks” out of the corporate network and into their home office. This sounds dangerous. What’s to be done to keep them happy?
Instead of taking the desk out of the corporate environment, why not extend the corporate network out to their home environment, so even though they are physically at home, their “desk” is within the logical confines of the corporate network. This can be done, using virtual private network (VPN) technology. The employee is at home, but their “desk” is on the corporate network, where it can access all the line-of-business applications they need during the day.
But there’s a potential snag. If the employee’s computer keeps its own direct connection to the Internet alongside the VPN, sending corporate traffic down the tunnel and everything else straight out through the home network, their desk can still be attacked by the dragons. If this happens, the dragons are effectively on the corporate network and so have access to all the line-of-business applications and the desktops of all other employees. This configuration is called “split tunnelling”. It gives better performance and more flexibility, but significantly weakens the corporate boundary.
The fix is to arrange that the employee’s desktop computer is connected to the home network in such a way that it appears to be an isolated outpost of the corporate network. This means the computer has no direct access to the Internet, even though the Internet is being used to carry its connection to the corporate network. With this in place, the employee working at home can only reach the Internet through the corporate security gateway, just as they would if they were in the office. That all sounds great, but the picture doesn’t quite show how it works, and there are a number of issues to be addressed, with the result that there are significant maintenance costs and overheads.
In practice, another security device, the VPN server, is needed at the office boundary to allow the remote workers to get in. The workers at home connect their desktop computer to their home network, and their VPN client software makes a connection to the VPN server. This connection is then used to give the computer a virtual network interface that is joined to the corporate network. The computer’s operating system hides the connection from all the applications, so they can only see the virtual interface that puts them on the corporate network (all traffic passes down the tunnel into the corporate network).
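The difference between a split tunnel and the full tunnel described above comes down to which destinations the VPN client claims as its own. The following is an added example, not code from the original article or from Deep Secure; it assumes WireGuard-style client configuration syntax (the article does not name a VPN product), and the keys, addresses and endpoint it contains are constructed placeholders. It parses the `AllowedIPs` routes, reports whether a configuration is a full tunnel, and lists which destinations would bypass the tunnel and go straight out through the home network. It also covers the edge case the “full tunnel” label can hide: a configuration that captures all IPv4 traffic but forgets IPv6 still leaks.

```python
import ipaddress

# Two constructed WireGuard-style client configurations. The keys, addresses and
# endpoint are hypothetical placeholders, not taken from any real deployment.
SPLIT_TUNNEL_CONF = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.10.0.2/32
DNS = 10.0.0.53

[Peer]
PublicKey = <vpn-server-public-key>
Endpoint = vpn.example.com:51820
# Only corporate ranges go down the tunnel; everything else uses the home ISP.
AllowedIPs = 10.0.0.0/8, 192.168.100.0/24
"""

# IPv4 default route only: looks like a full tunnel but IPv6 traffic still leaks.
V4_ONLY_CONF = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.10.0.2/32
DNS = 10.0.0.53

[Peer]
PublicKey = <vpn-server-public-key>
Endpoint = vpn.example.com:51820
AllowedIPs = 0.0.0.0/0
"""

FULL_TUNNEL_CONF = """
[Interface]
PrivateKey = <client-private-key>
Address = 10.10.0.2/32
DNS = 10.0.0.53

[Peer]
PublicKey = <vpn-server-public-key>
Endpoint = vpn.example.com:51820
# Default routes for both IPv4 and IPv6: the home network is only a transport.
AllowedIPs = 0.0.0.0/0, ::/0
"""


def allowed_networks(conf_text):
    """Collect every AllowedIPs entry from every [Peer] section, ignoring comments."""
    nets = []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() != "allowedips":
            continue
        for item in value.split(","):
            item = item.strip()
            if item:
                nets.append(ipaddress.ip_network(item, strict=False))
    return nets


def is_full_tunnel(conf_text):
    """True only if the tunnel claims the default route for both IPv4 and IPv6."""
    nets = allowed_networks(conf_text)
    has_v4_default = any(n.version == 4 and n.prefixlen == 0 for n in nets)
    has_v6_default = any(n.version == 6 and n.prefixlen == 0 for n in nets)
    return has_v4_default and has_v6_default


def leaked_destinations(conf_text, destinations):
    """Return the destinations that would bypass the tunnel under this configuration."""
    nets = allowed_networks(conf_text)
    leaked = []
    for dst in destinations:
        addr = ipaddress.ip_address(dst)
        # IPv4Network/IPv6Network membership is False across address families,
        # so an IPv6 destination is only covered by an IPv6 AllowedIPs entry.
        if not any(addr in n for n in nets):
            leaked.append(dst)
    return leaked


if __name__ == "__main__":
    # Constructed sample destinations: a corporate host, a public web server, an IPv6 host.
    probes = ["10.1.2.3", "93.184.216.34", "2001:db8::1"]
    for name, conf in [("split", SPLIT_TUNNEL_CONF),
                       ("v4-only", V4_ONLY_CONF),
                       ("full", FULL_TUNNEL_CONF)]:
        print(name, "full tunnel:", is_full_tunnel(conf),
              "leaks:", leaked_destinations(conf, probes))
```

The check is only as good as the routing it reflects: a client that installs a 0.0.0.0/0 route but leaves the host’s own DNS resolver or an IPv6 default route untouched is still split-tunnelled in practice, which is why the example treats a missing `::/0` as a leak rather than as a full tunnel.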
With this setup, the dragons ought not to be able to get in, but they are stubborn beasts who don’t give up easily. First off, they might try to get into the employee’s computer through the connection it has to make to the Internet, though this is difficult because the computer is not listening for incoming traffic. Instead, they might go for the VPN server that lets employees access the corporate network, perhaps by stealing the credentials a legitimate employee uses to gain access. Another trick they might try is to steal an employee’s computer and then use it to access the corporate network, so measures such as disk encryption and biometrics are needed to prevent a lost machine being misused in this way.
Now things have got a lot more complicated than the original simple idea of extending the corporate network out to the employee’s home. There’s lots to go wrong, and in practice it does. The dragons win too often, so now organisations are adding yet more security defences around their line-of-business applications, to check that accesses are legitimate even when they come from the corporate network. This is “zero trust networking”, which means not trusting the network edge defences to keep the dragons out. But it still relies on authenticating the users, and if the dragons have taken control of the desktops there’s a good chance that they also control the credentials used to authenticate. That means yet more security measures are needed, like two-factor authentication, whenever line-of-business applications are used. Complexity is being piled on top of complexity, and if nothing else, support costs are rocketing as all those mechanisms need care and maintenance.
A Simplified Approach
Does it have to be so difficult, expensive and inefficient? Maybe not, because we can now exploit the power of the cloud. Rather than take the employee’s desk into their home, we can take it into the cloud, in a separate bubble that’s an offshoot of the corporate environment. The employees sit at home with a simple device that gives them remote access to their virtual desktop in the cloud. This could be a cheap corporate laptop or the employee’s own machine, as it never holds any corporate data.
Good strong authentication can be provided for access to the cloud environment, but even so access to the virtual desktop is not as well controlled as access to the desktops back in the office. To compensate, the security gateway can be used to control access to both the Internet and the corporate network. Nothing gets into, or out of, the main corporate network without passing through the gateway, so it and the critical line-of-business applications remain protected. The virtual desktops are accessed remotely, but their network is not exposed to the Internet and all data is exchanged through the security gateway.
If all your employees already have a corporate laptop with VPN access, and you have the necessary support infrastructure in place, you are in a good position. Otherwise VPN technology is not the smart choice. Virtual desktops in the cloud are easier to deploy, provide better security and the management overheads that do exist are largely carried by the cloud service provider. They are ideal for users with lightweight or occasional access needs and perfect for collaborative environments where users from different organisations must come together on neutral ground. To check if it’s the right approach for you, call Deep Secure to arrange a trial.
Finally, if you’re concerned your security gateway is not sufficiently magical to keep dragons out, talk to us about our advanced Threat Removal technology because, as Arthur C. Clarke’s 3rd law states, any sufficiently advanced technology is indistinguishable from magic, so you won’t be disappointed.