Controls
June 09, 2020

Using Zero Trust to Secure Your Company When Going Remote

blog
8 min. read

Many companies and organizations around the world have issued mandatory work-from-home policies due to the COVID-19 pandemic. When companies find themselves in a situation like we are in today, going from a zero percent remote workforce to 100 percent in a matter of days, it can be daunting. What used to be safe, thanks to office-based systems and procedures, may now be unsafe. Other things are just as secure from home as they are from the office. Cloud services can be used from anywhere; they don’t ask or care where you are located. The more you were running on the cloud before COVID-19, the less disruptive the move to working from home will be.

In this article, you’ll find tips to ensure security for an all-remote workforce, whether it be at a moment’s notice due to an emergency like we’re experiencing today, or in the future as part of a longer-term company objective. We will talk about the resurgence of VPN when you work from home, the shift to Zero Trust networking, the usefulness of proper endpoint protection, and the importance of cyber hygiene. With a few but vital changes to how you think about security, you can make sure working from home is as productive and secure as working from the office.

Upgrade to Zero Trust Networking

With the move to cloud hosting services, connecting to sensitive systems has never been easier, or harder. While you can’t just plug into a server since there is no server to plug into, cloud services allow you to host necessary tools connected to ultra-fast networks anywhere in the world. How you connect is of key importance in ensuring security, compliance and proper access.

Whether you’re connecting to public cloud, a private cloud, or just your own datacenter, our first instinct is often to set up a VPN, but VPNs aren’t always enough. While they are still commonly used and there are still occasional needs for them, “Zero Trust” or “Beyond Corp” style virtual networking is a far better solution. VPNs often have very little system security checking and are often not tied as tightly to a user as we would hope. Zero Trust networking allows for security teams to set granular permissions every time an employee wants to access something sensitive. The only way to get close to this is with very complex networking rules tied to user accounts, but even those don’t ensure every computer is up to date and coming from a region you feel is safe. Modern Zero Trust tools allow organizations to prevent things like two-factor authenticated phishing and ensure browsers, phones and computers are up to date even when they fall out of the purview of what the company “owns.” With Zero Trust set up correctly, organizations can ensure that only the users that should be accessing specific applications are, that their equipment is up to date, that they are in the appropriate locations, and with more than a little bit of assurance those employees are who they say they are.

There are many paid and free tools to help establish Zero Trust, including many open-source options. Many of these tools tie into existing user infrastructure so provisioning access should be a breeze.

If You Choose to Use a VPN, Make Sure It Is Secure

If you choose to use a VPN or any other remote networking infrastructure, ensure that the infrastructure you’re building is secure. Triple check all of your network configurations, ACLs, firewall rules, etc. This is made far easier with automation tools that allow you to create rules and templates ensuring that, once you build it right the first time, building it the second, third or thousandth time is just as easy and secure. It is important to note when switching environments, accounts, zones or anything similar that all parent rules remain the same. Using tools like Amazon Inspector can also help identify security misconfigurations.

Without a doubt, in 9 months we’ll likely be looking at news stories about all the breaches that have happened because of negligent infrastructure. A VPN breach is about as bad as you can get, and the ability for someone to travel internally from VPN infrastructure into sensitive data is extremely easy. Worst of all, with sudden surges of VPN traffic like companies are experiencing today, it will be difficult to detect a breach and, while we may return to work very soon, these hacks — much like COVID-19 — will be lingering around considerably longer than our quarantine.

No matter what option you choose, VPN or Zero Trust, be prepared to handle the scale of traffic from all locations. For larger organizations, this may mean building load balancers so that you can direct people to the fastest nodes possible. For organizations of all sizes, it may mean relying on a cloud service provider to manage this traffic.

Endpoint Intelligence and Security Are Crucially Important

Going entirely remote means it will be important to stop relying on a corporate network to protect everything. Use endpoint management tools to keep your endpoints locked down and secured and tools to add device identity to authentication aside from just user identity. Use tools on endpoints to monitor for abnormal events that you might previously have used a network IDS for. At HackerOne, we have a strong belief in logging and alerting. Our goal is to gather intelligence in real-time on all our endpoints, send that data to a centralized platform, and, with that data, send various levels of alerts — from casual notices to late-night pages — to the IT team. This data can be anything from new applications installed, use of USB devices, or potential malware binaries detected. Tools like traditional antivirus usually lag crucial days behind on payload detection and even then, the best bet isn’t removing the payload, but erasing or quarantining the device indefinitely. This is harder to do as a remote company, so be sure you have machines ready to ship still!

Working Away From Your Operation Center

While no one is physically in your office or Data Center to break anything when your company is completely remote, no one is there to fix it either. If you can, ensure that you have a good on-call system and are able to stay within Service Level Agreements. Try to keep your local staff to a minimum for health and create a solid staff rotation. If you don’t have to maintain physical infrastructure, all the better.

Cloud service providers (CSPs) take away concerns over the physical aspect of data centers entirely. Even if office network stacks were to fall over during this period of working from home, no one is going to be bothered by it. Employees connect to resources not through office networking, a site-to-site VPN or through allowlisted IPs, so it doesn’t matter much where they are working from. Now is a great time to invest in tooling and structure to support something similar at your workplace. Even if you’re not on the cloud but have your own datacenter, companies often still route traffic from one “trusted site” to another.

CSPs like AWS or Microsoft Azure offer robust sets of tools and infinite configurations that allow customers to deploy any crucial infrastructure to their hosted services. Companies are able to leverage diverse sets of access roles matrixed to specific accounts so they can ensure only the right employees have access to the right equipment. The ability to spin up new infrastructure across the world in minutes also allows users to provide optimal experiences for employees at a global scale. They allow teams to build robust zero-trust infrastructure using tools like Duo, to securely support customers and online communities without the need for VPNs from home. Because users can build what they want when they want, it doesn’t matter if a tool was built to be self-hosted, SaaS-based, something you run locally on your own laptop, or a complex cluster that mixes any of the above; CSPs let users like HackerOne build it.

If you haven’t already invested in alerting tools from your logging platforms or aggregated lots of your logging data into a central place, now is a great time to do so. Try to think about all of the alerts, notifications and information you look at in your Network Operations Center/Data Center, Virtual Private Cloud, or other services.

What Happens When Something Goes Amiss? Managing Expectations in a Remote World

Explaining security processes to your team isn’t always easy when you’re in person — especially when something goes wrong. So how are you handling it when there are thousands of miles between you and your team?

Communication is everything. It is best to quickly jump on a call, just as quickly as you would go to someone’s desk in an office setting. Screen sharing or even free consumer-grade tools like FaceTime can be used when you can’t see someone’s screen. Ask questions to help decipher what an end-user is seeing rather than making assumptions. Be patient and be considerate. Amidst stress, it’s vital to be thorough about verifying user’s identities before resetting passwords or MFA or anything else. Having a good company organization chart with up-to-date photos helps to ensure when you’re talking to Stacey in sales, it’s actually Stacey.

Basic Cyber Hygiene

Just like effective hand washing is so important right now to thwart the spread of COVID-19, it is important to ensure that your employees are in the habit of practicing good cyber hygiene. Everyone doing their part can go a long way to protect both individual employees and the company from cybercriminals. Providing tools like multi-factor authentication and password managers are good examples. It is important to remind employees to make sure their home routers are also up to date with WPA2 security and strong passwords, resist the urge to work at a cafe and on insecure networks without protection, be aware of phishing scams and imposters, avoid installing new apps without approval from IT, and refrain from sharing photos of online meeting URLs on social networks.

Concluding Thoughts

While there is nothing that we can do to stop a natural disaster or health pandemic from happening, it is important to be nimble enough to adjust to the changing circumstances. This might include transitioning to a remote work environment rather quickly. Working remotely forces us into a place that demands process, communication, and procedure. We are fortunate that there are tools available today to make the transition to remote work quite seamless. It is important to use this time to polish these parts of your business and make them work in any environment so that they can work even better when things go back to what we consider “normal.” If we take this as an opportunity to improve, every ounce of the work we’re doing to support these changes today can have a strong ROI in the future.

Need-to-Know

Expertly picked stories on threat intelligence

Hundreds of apps will be attacked by the time you read this.

So, we get to work. We obsess over effective attack methods. We monitor the growth of IoT and its evolving threats. We dive deep into the latest crypto-mining campaigns. We analyze banking Trojan targets. We dissect exploits. We hunt for the latest malware. And then our team of experts share it all with you. For more than 20 years, F5 has been leading the app delivery space. With our experience, we are passionate about educating the security community-providing the intel you need to stay informed so your apps can stay safe.

Every

9 hrs

a critical vulnerability—with the potential for remote code execution—is released.