5 Steps to Securing Work From Home with Zero Trust
“Once upon a time, not everyone worked from home” might be the way our stories about life before COVID-19 start out fifteen years from now. While that might seem overly dramatic (and guaranteed to trigger eye rolls in teenagers), it’s no exaggeration to say that the events of 2020 will leave a lasting impact othe business running, using any and all resources available to them – often bending the rules when it comes to employees using personal devices for work. Security best practices can easily fall by the wayside when you just need to get employees working.
It is true that not everyone used to need remote access. Many employees could just unplug at the end of the day and go home, either because their jobs didn’t require it, or because the data they worked on was so critical they needed to be onsite to access it. Events have forced companies to open VPN access to all, regardless of function or job requirements. This unprecedented increase in broad access to corporate resources and assets has brought a corresponding increase in threats to corporate cybersecurity.
Employee devices are untrusted devices running on untrusted networks; with employees being wary of mobile device management solutions, which are perceived to be intrusive, it’s difficult for companies to enforce the device security context, given that tools like antivirus may not be recognized as sufficient. Even when employees do have a corporate machine, it’s now sharing the WiFi with every other user, computer, and IoT device in the home – and who hasn’t heard of the hacked baby monitor?
Taking over responsibility for every employee’s home network is not an option. With scores more users connected to the corporate network potentially 24x7, the threats to corporate assets and data in this “new normal” can really keep security, compliance, and data protection leads awake at night.
There are a few steps that you can take to prevent your Work From Home tale from turning into a nightmare.
1. Define what resources users need access to
You can’t protect your resources, assets, and data if you don’t know where they are and can’t control access to them. Analyze your network segmentation, and plan for controls if you don’t have them.
Not everyone needs access to the whole network. To secure the company against threats, it’s absolutely essential to follow the Principle of Least Privilege – don’t provide a user with more access than they need.
This step is often ignored simply because many companies have historically implemented an internal flat network, protected from the outside by a perimeter firewall. They then used user access VPNs to implement access control. Once a user is authenticated and authorized, the user device (including all applications!) is trusted and allowed access to the entire network.
Access control isn’t a VPN function. Implementing the access policies that govern who can access what requires very complex firewall rules on the perimeter firewall. Over time, this becomes extremely difficult to maintain and scale as the network grows in complexity.
However, newer Zero Trust Network Access tools dramatically simplify the control of end-to-end access with granular controls. You can first segment the resources (assets and data), and then map these segmented resources, whether they are servers, VMs, web apps, equipment, IoT devices, or even cloud instances, to groups of users to simplify the process.
2. Take stock of who needs access
This list should be exhaustive, including employees and contractors, as well as 3rd party vendors, partners, and customers who can no longer come onsite to work with you. Don’t forget that your vendors’ employees are working from their homes, too, and are no longer logging in from a managed corporate network. So make sure your solution supports them, too.
Make sure to keep track of who’s who, even 3rd parties, with an identity and role-based access management solution, to facilitate establishing user access when users are on-boarded and revoking it once they are off-boarded.
3. Define where, when and how users are allowed to access those resources
Should remote access be constrained by geography? Time? Should users be locked to a specific, whitelisted set of applications? For example, an IT admin or developer might need ssh access to a database server, but a typical user or a business application using that database should not. Certainly, opening the inbound ssh port on the perimeter firewall and filtering based on the user’s laptop’s public IP is not a preferred solution.
Here, application-based policies are particularly powerful; when coupled with the segmentation and policies already defined in Steps 1 and 2, they enable you to trust remote access from specific known applications, even if the machine they are running on, and the network they are in, aren’t fully trusted. If the data is sensitive enough, consider preventing data leaks by locking the connection to a secure remote terminal – RDP/VNC access to a landing server, with copy/paste functions blocked.
4. Configure reporting and alerts
Now that you are going about creating all this access, you’ll want to have records of who’s actually using it, and get alerts if they try to do anything that’s out-of-bounds, and you’ll want this visibility across the entire distributed landscape. Reporting should integrate with your existing workflows and tools. Alerts should be actionable; here, a whitelist policy approach is particularly valuable, as it helps define specific boundaries for “allowed” and “disallowed” activity.
5. Provision access and onboard users
If Steps 1-3 have been done right, this is straightforward – just create a few CSV files and you’re ready to import them. With a Zero Trust Network Access solution, end-to-end access is also Zero Touch. There’s no need to re-engineer your network infrastructure to build more VPN tunnels, reprogram routing to force traffic through firewalls, or even open firewall ports. We’re talking about easy and instantaneous access control for critical resources and assets, overlaid on your existing infrastructure.
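To make Steps 1 through 4 concrete, here is an added example (not Zentera's code, and not the CoIP policy format) of a default-deny allow-list policy that maps a role to the specific application, resource and port it may use, with optional time and geography constraints, and raises an alert for every request that falls outside it. The roles, hosts and requests are constructed sample data.

```python
from dataclasses import dataclass
from datetime import time

# Constructed sample data: a role is trusted only from a named client application
# (the "ssh to the database server" case from Step 3), to one resource and port,
# optionally within a time window and from an allowed set of countries.
@dataclass(frozen=True)
class Rule:
    role: str
    app: str                      # the known application being trusted, not the whole device
    resource: str
    port: int
    start: time = time(0, 0)
    end: time = time(23, 59)
    countries: frozenset = frozenset()   # empty means no geographic restriction

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    app: str
    resource: str
    port: int
    at: time
    country: str

POLICY = (
    Rule("dba", "ssh", "db-01", 22, time(8, 0), time(20, 0), frozenset({"US"})),
    Rule("analyst", "reporting-app", "db-01", 5432),
    Rule("vendor", "rdp", "landing-01", 3389, time(9, 0), time(17, 0)),
)

def decide(req, policy=POLICY):
    """Allow only if some rule matches every attribute; anything else is denied and alerted."""
    for r in policy:
        if (r.role, r.app, r.resource, r.port) != (req.role, req.app, req.resource, req.port):
            continue
        if r.start <= req.at <= r.end and (not r.countries or req.country in r.countries):
            return "ALLOW", None
    alert = (f"ALERT user={req.user} role={req.role} app={req.app} -> {req.resource}:{req.port} "
             f"at={req.at.isoformat(timespec='minutes')} from={req.country}")
    return "DENY", alert

def evaluate(requests, policy=POLICY):
    """Return the access record for every request plus the list of out-of-bounds alerts."""
    records, alerts = [], []
    for req in requests:
        verdict, alert = decide(req, policy)
        records.append(f"{verdict} {req.user} {req.app}->{req.resource}:{req.port}")
        if alert:
            alerts.append(alert)
    return records, alerts

SAMPLE = [  # constructed requests; comments give the expected verdict
    Request("alice", "dba", "ssh", "db-01", 22, time(10, 0), "US"),            # ALLOW
    Request("bob", "analyst", "ssh", "db-01", 22, time(10, 0), "US"),          # DENY: analysts never ssh
    Request("bob", "analyst", "reporting-app", "db-01", 5432, time(10, 0), "US"),  # ALLOW
    Request("carol", "vendor", "rdp", "landing-01", 3389, time(22, 0), "US"),   # DENY: outside 09-17
    Request("alice", "dba", "ssh", "db-01", 22, time(10, 0), "BR"),            # DENY: outside geo
]
```

Running `evaluate(SAMPLE)` yields five access records and three alerts; the alerts are exactly the "out-of-bounds" events Step 4 asks you to surface, and because every verdict is a rule match rather than a firewall exception, the policy stays readable as it grows.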
Securing Remote Access with Zentera CoIP® Access Platform
Zentera’s Zero Trust Network Access is a next-generation solution built to handle the challenges of today’s Work From Home environments, with rich features such as:
- Powerful policy controls, such as Application Interlock™, for establishing trust in an untrusted environment
- Overlay Zero Touch deployment that doesn’t require configuring VPN, firewalls or routers
- Single pane of glass management for end-to-end directed access
- Support for diverse resource types: bare metal servers, VMs, containers, IoT devices, and more
- Integration with external identity providers and directory services, with multi-factor authentication
- Integration with popular monitoring tools, such as Splunk
- Rapid user onboarding
Unlike other solutions, which can require a hardware CPE device in the home environment, CoIP Access Platform is a full software solution providing a “virtual CPE” on remote user laptops. This enables companies to seamlessly deploy a secure access control solution to remote user devices running in untrusted networks without running into unnecessary logistics, operational, or cost concerns.
Customers like Siemens have been using CoIP Access Platform to solve tricky secure remote access challenges for years. Now that the topic is front and center, nearly every company can benefit from that same approach, with robust security made simple.
Wait – you said there would be Zero Trust?
That's right, I did... the good news is, if you followed the 5 steps above, you've already done it! By verifying the identity of users, machines, and applications, and by defining least privilege access policies above, you've already satisfied the Zero Trust mantra: "never trust, always verify." With the right tools, Zero Trust network design is simple!
If your current Work From Home approach leaves you feeling exposed, consider taking these 5 steps towards peace of mind.