Understanding the Complexities of Securing a Remote Workforce

By Sean Gray, Sr. Director InfoSec at Paypal and Co-Chair of the CSA Financial Services Working Group

We have all witnessed sudden and stunning changes in how companies – big and small – operate in response to the challenges necessitated by COVID-19. Many have pivoted successfully, however there are companies and industries that are struggling to adapt quickly to an increasingly contact-less society. The business challenges are many and complex, but one of particular interest is how an employee workforce can be managed and businesses kept secure in this new paradigm.

With offices and shops closing their doors to customers and adopting a heavy focus on online interaction, those same closed doors have created a workforce that is quite suddenly “working from home”. It would be too simplistic for leaders to say, “We’ve got a Corporate VPN service, so we’re all set” the situation is far more complex and calls for much deeper analysis and decision making.

Most companies have already spent time and effort adapting to this new world – and did so with limited advance notice and limited knowledge on how long it would last. With several months of experience in this new paradigm and understanding that in many cases it won’t be short-term, a review of lessons learned and re-evaluation of long-term solutions with technology leaders is important. What worked, what didn’t work, and perhaps reframe the problem and solutions if needed.

To set expectations, the intention is not to lay out a step-by-step approach for securing a remote workforce. Each business is unique – even within the same industry – and an attempt to do something so all-encompassing would not appropriately address the question nor solve the problem for any specific business. The goal of this writing is to help provide a strategy for understanding and articulating the problem for security leaders: what are the considerations that should be taken into account, how can technology help (or introduce additional challenges), and what role does Public Cloud play?

While developing or evolving a strategy for remote work, there are two fundamental priorities that I believe should drive the strategy:

1. Ensuring a safe, secure and productive work environment for employees.
2. Maintaining the security, availability, and continuity of services for customers.

As with any problem, the first step to solving it is understanding it. Since we’re discussing a workforce that is now working from home (WFH), clearly categorizing the types of work being done and the risks associated with each is a good place to start. Each category is defined by a combination of factors: level of technical sophistication in tooling and sensitivity of the data and resources required to perform the job function. I chose these two factors because they speak to how easily the employees can manage and access the technology required for remote work and also address how difficult or risky it is to expose those technologies.

1. Technical Staff (e.g. developers, engineers, system and network administrators),

This group is least likely to be significantly impacted by the new WFH situation. In my experience, they already use VPNs, bastion/jump hosts, local and remote tools, and due to their job function are set up with such tools in a secure manner. While this demographic regularly accesses sensitive systems, the surrounding controls and mechanisms to support secure remote access are usually in place and that access typically does not include direct access to sensitive customer data.

Worth mentioning specifically here is Technical Support Staff (i.e. Corporate IT Support). One of the results of supporting a remote workforce with varying levels of technical experience or who is using older tooling is that the IT teams see a significant increase in support requests – “my VPN isn’t connecting”, “I can’t see my file share”, “how do I enroll in MFA”. This creates a situation where these personnel are seeing their own work methods changes at the same time as a potentially huge spike in amount of work. While not specifically a security issue, it is one that businesses would do well to understand and get ahead of.

2. Business Management Personnel (e.g. finance, sales, marketing, HR)

Frequently the tools used by these groups are more “corporate LAN” focused: network files hares, spreadsheets, etc. with some SaaS elements thrown in (e.g. WorkDay, ADP) and while the data they interact with can be sensitive and confidential, it is typically NOT sensitive customer data.

3. Customer Support Operations Staff

Properly managing customer support teams is where the remote work problem becomes really interesting. This group needs to interact with customer data of varying sensitivity levels on a DAILY BASIS. Call centers, as a result, have a significant number of physical security controls built in to prevent data exfiltration, internal fraud, etc., however these controls don’t easily transfer to a remote work environment.

4. Fraud & Risk Operations Personnel

Depending on how your business operates – and what your regulatory obligations are – this group of employees presents the most interesting challenge. The technical sophistication of their tooling can vary greatly, however employees in fraud and risk organizations are usually the ones who require access to the most sensitive datasets to perform their jobs.

The next step in analyzing the problem is to focus on the company technology: what is the current level of technical capability and how many critical services need to be modified for remote accessibility. How “SaaS” are you? Are your critical services and tools hosted primarily in data centers? Or are you leveraging public-cloud infrastructure and/or SaaS products and tools? The answer to these questions will have a substantial impact on both how easy it is to adopt fully remote work, and how risky that adoption will be to the business.

If your business strategy for technology has been focused on data center hosting, the leap to remote work is more challenging. The network and systems teams will need to figure out how best to expose tooling to the employees – and there are numerous risks associated with this process. Do your internal applications have role-based authentication baked in? Multi-factor authentication? Logging of activity performed by the users of the platform? Have you performed vulnerability assessments, static or dynamic code testing, or penetration testing of the apps? Are these apps communicating via secure channels (e.g. HTTPS/SSL/TLS)? Are you running scans against public-facing infrastructure to discover rogue assets or ports open on the hosts/services? All of these questions and many more come into play during the transition to working remotely, and each one carries a level of risk if the answer is ‘no’.

An inevitable question is: “How does Public Cloud matter here?” And the answer is that it can matter A LOT. Potentially it comes into play as both an enabling technology AND a vector for additional risk.

The beauty of public cloud (whether it’s IaaS, PaaS, or SaaS) is that it enables companies to quickly establish and manage capabilities – either for customers or employees. Additionally, most of the big Cloud Service Providers (CSPs) have invested heavily in building native services to solve a myriad of the problems mentioned earlier in this post. Identity and Access Management, Logging and Alerting, defensive capabilities such as ACLs, and web application firewalls are well-defined and for the most part easily deployed by the users.

SaaS-based service are everywhere and relatively easy to adopt and use. Whether they are tools for Customer Relationship Management (CRM), Teleconferencing, Collaboration, monitoring and alerting, or any other of the myriad services available in a SaaS model - the providers have put a lot of time and money into building ready-to-use services that make life substantially easier - which is great! The drawback is that sometimes you do not have line of sight into the security controls that may or may not exist to protect them.

For example, what type of data is captured in these services? Where is the data stored? How is that data protected? Is it encrypted in transit? How do you manage or control access to these tools and the data they contain? All of these key questions – and more – need to be asked and answered during adoption and deployment of these services.

Technology Used to Enable Remote Access

One last important question is specifically around the technology used to enable remote access itself– whether it’s an enterprise VPN service, a virtual desktop (VDI) tool, or you’ve built a mature zero-trust capability. The earlier question about whether your technology platforms are housed in data centers or in public cloud matters a lot.

If you’re hosted in data centers, how are you thinking about this problem?

If you have a Corporate VPN deployed, can it scale quickly to support the higher number of concurrent users? Does it have built-in security capabilities needed to protect all of these new access patterns and tools, such as web/URL filtering, data loss prevention (DLP), packet inspection, malware detection, etc.? Same questions apply to VDI deployments: can they scale sufficiently, and are they defended appropriately? And if none of these capabilities already exist for your users, properly designing and deploying them is a massive undertaking (possible side benefit: it does present the opportunity to “do it right” from a security standpoint!).

If your business is already leveraging public cloud heavily, part of the problem becomes easier.

Remember those native capabilities I mentioned earlier that the CSPs built? Services like VDI are already in place and ready to deploy and scale quickly. Same with VPN, and other services to support a remote workforce. However, as we’ve seen all too often in the news, public cloud services are only as secure as you make them. A phrase I’ve heard before and rings true is “Public Cloud providers give you all the rope you need”. The technological capabilities – and security controls to protect them – are usually well-defined and well-built. But they rely on the user to follow appropriate steps to actually do the right things and put those defensive capabilities in place!

What does all of this mean, and how does your company identify and manage these risks?

While there are a huge number of considerations and risks to be evaluated, quantified, accepted, denied, and so on, – start by breaking the problem down into the four main areas discussed above:

1. Clearly define your priorities.
2. Identify the types of employees you are solving for, using simple and logical criteria (I chose sophistication of tooling and data access needs, this may not be the right fit for your business).
3. Understand the specific technologies and tools used by these groups and where they live – e.g. in data centers, on public cloud, SaaS.
4. Look for opportunities to leverage native cloud-based tooling where possible, and take the time to understand how those tools are managed and secured well ahead of adoption.

As I mentioned earlier, this is not meant to be a “how to” guide. Every business is different, and the challenges associated with remote work manifest in many different ways. But every problem has a solution! Take the time to assess and understand the scope of the challenge. Break it up into digestible chunks. Tackle each area, and keep in mind that a “one size fits all” approach may not be feasible and multiple solutions may have to come together in the larger scenario in order for your business to effectively and securely manage a remote workforce.