Securing the WFH Environment

1      Introduction

As the world started to battle with Covid, a lot of organizations scrambled to get their staff working remotely. The realization that “Work is an activity and not a place”, has dawned on us now more than ever before. The importance of remote working has increased tremendously, and will continue to rise even more significantly as organizations adapt to this new normal.


This forced drive for companies to have their employees work from home has worked out well so far. NASSCOM believes that over the next 3-5 years, up to 60% of the IT industry's work and up to 40% of IT-enabled services (ITES) work could shift to a work from home (WFH) model. The Indian IT and ITES industries employ over four million workers. The Department of Personnel & Training (DoPT) is evaluating provisions for 4.3 million Central government employees to work from home for 15 days in a year.

This requires organizations to take a fresh look at their IT architectures and WFH policy. WFH comes with its own set of drivers and implications. Some of the major considerations for Working from Home policies can be grouped into the following buckets.

·      Business Obligations

·      Compliance norms and Regulatory frameworks

·      Organizational Structure, Culture and Policies

·      Productivity issues

·      IT Operations

·      Security Operations

While each of the topics above is a subject in itself, this paper focuses on the cyber-security implications and concerns around WFH, and on how organizations can develop a framework for an effective and secure WFH environment.

2      Defining the WFH Cybersecurity Problem


Enabling WFH for employees requires organizations to reassess their IT architectures to ensure that the same security policies that were hitherto applied within the campus/offices can also be applied to users when they connect to enterprise systems from outside the traditional perimeter.

2.1     Ensuring Availability of the WFH infrastructure

At the bare minimum, WFH adds a new layer to the network infrastructure that enables users to connect to the enterprise network. This layer requires additional network devices like VPN headend, and associated policy definition and enforcement points. This layer becomes the core for business continuity for the organization, and ensuring 24x7 availability of this layer adds a new dimension to the existing organizational cyber security architectures.

Building the VPN head-end capacity and scaling it up to meet the additional user demands is a capacity issue that needs to be addressed. This scale problem manifests itself not just in terms of the additional network elements required to scale, but also in terms of the bandwidth requirements of the enterprise. As users come in from the Internet through VPN terminations, the bandwidth required at the VPN head-end increases multi-fold.

2.2     Identity and Access Management

Traditional cyber-security architectures were designed to ensure that the access to the network is controlled, and the devices used for access are secure and have the right security posture. This is because the devices were being monitored and updated from time to time by virtue of being on the corporate network. This premise needs to be revalidated against the backdrop that users might be using personal and untrusted devices. There is no way to ensure that the devices have the updated security definitions and updates installed on them.

The other premise of traditional cyber-security architectures is that the device is in the safe custody of the user who is logged into the device. In a WFH scenario, this premise is also questionable given that the user is outside the corporate environment.

2.3     Managing Cloud Delivered Application Experience

The agility and flexibility of cloud platforms have led many organizations to move their workloads to the cloud. When employees work from anywhere, backhauling even cloud-bound traffic into the enterprise before sending it on to the cloud degrades user experience and chokes the VPN headend capacity. Intuitively, allowing users to access cloud applications directly from their Internet connection rather than through the VPN would improve user experience. However, the traditional perimeter fades even further when organizations allow employees direct Internet access for cloud applications. This requires specific security controls on the end-user device itself, which was not the case in a traditional environment.

2.4     Protecting remote users and devices

Every organization has built its cyber-defence infrastructure to protect itself. The challenge is that most of this protection assumes that the assets to be secured, and the users, are within the corporate premises, which provides a clear perimeter to defend. As employees start to work from anywhere they have connectivity, that perimeter extends beyond the traditional enterprise boundary.

The devices used to access applications in a WFH environment could be corporate devices, corporate-managed devices or even personal devices. Personal devices with weaker security controls, sitting on the same home network, can pose additional threats to corporate devices and networks. Since most data breaches are attributed to employee negligence, the WFH scenario increases this negligence-driven risk, which needs to be addressed.

Most organizations used desktops with auxiliary ports such as USB deactivated for sensitive work, which protected against unauthorized data exfiltration. The same policies now need to be extended to users working from home, some of whom may be working from personal devices. The policies must therefore cover not just company-owned devices; an appropriate degree of security must also be applied to personal devices, in a way that conforms to privacy laws and other regulations.

2.5     IT and Security Operations

Cisco conducted a benchmarking study in 2019 across respondents from 11 countries in Asia Pacific to offer insights on security measures. The study found that security practitioners in Asia Pacific are kept busier than their global counterparts when it comes to receiving security alerts. Globally, 35 percent of respondents reported receiving more than 10,000 threat alerts a day. In Asia Pacific, that figure is 46 percent. Hackers are aware of the challenges that organizations have been facing. This is reflected in the growing number of cyber-attacks in the few weeks that followed the Covid outbreak. According to a recent report by PwC India, the number of cyberattacks on Indian organisations doubled in March 2020 compared with January 2020.

As the attacks rise, and the network architecture gets realigned, it is a natural next step that the security operations would need to change to keep up with the changing requirements. There is a need for getting visibility into the traffic and behaviour of even the remote users to proactively detect and prevent any security incidents. Both the IT and Security operations teams need to gear up to the challenge and provide additional security controls to ensure that the users and data are secured.

All these considerations make it imperative that organizations reassess their network architectures and make suitable changes to make WFH a secure and user-friendly experience.

3      An Architecture Framework for WFH Security

A robust and scalable WFH architecture has to address all of the problems discussed above. The basic tenet of the architecture has to be a Zero Trust approach to data security, as the threat surface increases with employees working from home. The Zero Trust approach needs to be applied not only to remote access, but also needs to be extended inside the data centre/cloud-hosted infrastructure. For the purpose of this paper, we will focus on the Zero Trust aspects of enabling extended remote work.


A remote work architecture built on the zero trust approach would need to address the following challenges.

·      Providing secure connectivity to the remote users, and ensuring productivity while working remotely

·      Protecting endpoints from any malware, and preventing any data loss through these remote systems.

·      Securing the corporate network from the unsecured internet access available to the remote users.

·      Protecting the assets against compromised credentials and devices

The architecture to address the WFH challenges from a cybersecurity perspective can be broadly depicted in four layers as shown in the figure. The fundamental WFH requirement is building a remote access VPN infrastructure that employees can use when working from home. The Secure VPN Access layer provides the means to access the network, and also provides security for data in transit.

Once the users are able to reach the corporate network through the VPN, the next requirement is to validate the user's identity and the trustworthiness of the device being used to connect to the enterprise. This requirement is handled by the Trusted Access Control layer.

The third layer of the framework, denoted as the Secure Internet Breakout layer, ensures that only traffic destined for applications hosted inside the organization's data centres is carried on the VPN, while cloud-hosted applications are accessed directly using the remote worker's Internet connection. This layer also provides security for the remote users by blocking access to malicious sites, phishing attempts and command and control (C2) call-backs.

The final layer, denoted as the Malware and Data Protection layer, protects end users against malware that can reach the device either through the Internet or directly through the USB ports on the device. This layer also ensures data protection on the device by providing disk encryption and putting data loss prevention controls in place. Organizations with stringent data access policies should use Virtual Desktop Infrastructure (VDI) solutions to ensure that no data is sent to the remote device; only screens are rendered over the secure VPN connection.

The next sections provide a deeper analysis of each building block.

3.1     Secure VPN access

A Virtual Private Network (VPN) is an extension of a private network over a shared public network. In the WFH scenario, the shared network is generally the Internet, which is used to build a secure, encrypted tunnel from the end-user device to the enterprise edge. The VPN is initiated by a piece of software generally called the VPN client, which acts as one end of the secure tunnel. The other end of this tunnel is the VPN head-end, which is located inside the corporate network. VPN access should be initiated using a VPN client that offers a choice of secure protocols such as SSL/DTLS and IPsec/IKEv2 to ensure the security of data in transit.


The VPN tunnel is established after the identity of the user has been verified. This can be done using Active Directory (AD) servers or any other LDAP server. However, since the users are working remotely, it is good practice to add an additional layer of security using multi-factor authentication (MFA). MFA ensures that the device is in the safe custody of the user, because the second factor is generally a soft token on the user's mobile device.

The user's credentials can be used to determine the type of access required, based on their AD profile. This data can be used to assign separate logical network identifiers such as a VLAN, IP subnet or security group tag (SGT) to the user's traffic. These network identifiers can be used to create end-to-end segmentation for different types of users within the enterprise network. It is good practice to assign the same static IP address to each remote user every time they connect to the VPN, for ease of troubleshooting.

Enterprises should consider an always-on VPN, so that the remote user's device connects to the corporate network as soon as the user logs into it. This ensures that the device can be monitored by IT-Ops, and is discussed in detail in the next section. Some enterprises that use cloud services might not want to bring cloud-destined traffic into the VPN. This is discussed in the Secure Internet Breakout section.

It is also important to protect the WFA infrastructure itself, to ensure remote users can work productively. The VPN headend is generally placed in the DMZ of the enterprise and is reachable from the public Internet. The Internet-facing firewall can be used to filter traffic so that only VPN traffic reaches the VPN headend. This helps prevent attempts at misusing or blocking the WFA infrastructure through a DDoS attack. Specific policies can also be applied at the firewalls front-ending the VPN headend to allow traffic only from certain locations or IP addresses, using geo-location data.

Each headend has a limited capacity based on its hardware capability and the features in use. Hence it is important to have a bank of VPN headend devices available to remote users. Users connect to a VPN headend identified by an IP address. Organizations can use DNS load balancing to distribute users across the multiple head-end devices, ensuring optimal utilization of available resources.

When the headend capacity needs to be increased in bursts due to unforeseen events, cloud providers can provide a viable alternative. The VPN headend can be deployed on the cloud infrastructure as a virtual network function (VNF), and a dedicated tunnel can be used to backhaul the traffic from the VPN headend into the enterprise.

3.2     Trusted Access Control

Most organizations have a Zero Trust framework for security to ensure that every user and every device on the network has been explicitly authenticated and validated for trust before any access is granted. This zero trust approach needs to be implemented expeditiously across enterprises adopting WFH.


In a WFH environment, users might access the network using corporate devices, corporate-managed devices or even personal devices. It is important to ensure not only that the user identity is established and validated, but also that the device being used to access the network has been verified. Using a combination of device posture and user identity, security policies can be tuned to ensure compliance with the organizational security policy.

As discussed in the Secure VPN Access section, the VPN tunnel is established after the user credentials are validated. We also described the relevance of MFA for additional security. The MFA functionality can be extended to perform health checks on devices before they are allowed access inside the enterprise. These checks can be done using device certificates installed by corporate IT, or based on various MDM solutions. Organizations that do not have MDM deployed in their environments can use adaptive MFA technologies to push health-check agents to devices at the time of use.

In-depth security posture assessments can be done using NAC clients, which can ensure compliance with organizational security policies such as OS updates, software version checks, hotfixes and personal firewall configuration on the devices.

IT administrators gain better control over network access through granular access based on identity, device posture and user profile. MFA systems can augment this visibility using geofencing to limit the locations from which WFH users can connect. IT admins can use this to provide differentiated access to users based on their profile, location and device details.

Additional security controls can be extended beyond network access to applications by using adaptive MFA technologies. This provides security beyond username/password for both on-premises and cloud-hosted applications, and can be extended to SaaS applications like O365 and Salesforce.

WFH environments can be made secure and policy consistency can be achieved for on-premise and remote users by leveraging the technologies discussed above.
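The access decision described in this section, combining the MFA result, geofence, device trust and posture checks into a single grant, as an added example that is not part of the original article. Thresholds, the allowed country set and the group-to-SGT mapping are constructed policy values, and the "quarantine" and "vdi-only" outcomes are one possible mapping of the layers described above.

```python
# Added example (not from the paper): a posture-aware access decision in the
# spirit of the Trusted Access Control layer. Policy values are constructed.
from dataclasses import dataclass


@dataclass
class Device:
    ownership: str          # "corporate", "managed" (under MDM) or "personal"
    has_corp_cert: bool     # device certificate installed by corporate IT
    os_patch_age_days: int  # days since the last OS update was applied
    disk_encrypted: bool
    firewall_on: bool
    edr_running: bool


@dataclass
class Login:
    user: str
    ad_group: str           # group taken from the directory (AD) profile
    mfa_passed: bool
    country: str            # derived from the connecting IP via geo-location


MAX_PATCH_AGE_DAYS = 30                  # hypothetical policy threshold
ALLOWED_COUNTRIES = {"IN"}               # hypothetical geofence
GROUP_TO_SEGMENT = {"finance": "SGT-FIN", "engineering": "SGT-ENG"}


def posture_findings(device: Device) -> list:
    """Return the posture checks this device fails (empty list = compliant)."""
    findings = []
    if device.os_patch_age_days > MAX_PATCH_AGE_DAYS:
        findings.append("os-out-of-date")
    if not device.disk_encrypted:
        findings.append("disk-not-encrypted")
    if not device.firewall_on:
        findings.append("firewall-off")
    if not device.edr_running:
        findings.append("edr-missing")
    return findings


def access_decision(login: Login, device: Device) -> dict:
    """Decide what the VPN head-end should grant for this session.

    decision is one of: deny, vdi-only, quarantine, full.
    segment is the logical network identifier (SGT) to tag the user's traffic with.
    """
    if not login.mfa_passed:
        return {"decision": "deny", "segment": None, "reasons": ["mfa-failed"]}
    if login.country not in ALLOWED_COUNTRIES:
        return {"decision": "deny", "segment": None, "reasons": ["outside-geofence"]}
    trusted = device.ownership in ("corporate", "managed") and device.has_corp_cert
    if not trusted:
        # Personal/untrusted device: no data leaves the data centre, screens only (VDI).
        return {"decision": "vdi-only", "segment": "SGT-VDI", "reasons": ["untrusted-device"]}
    findings = posture_findings(device)
    if findings:
        # Trusted but non-compliant: a remediation segment that only reaches
        # patch and update servers until the checks pass.
        return {"decision": "quarantine", "segment": "SGT-REMEDIATE", "reasons": findings}
    segment = GROUP_TO_SEGMENT.get(login.ad_group, "SGT-DEFAULT")
    return {"decision": "full", "segment": segment, "reasons": []}
```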

3.3     Secure Internet Breakout

As organizations allow users to work from anywhere, centralized security policies can no longer be enforced in the same way, so the risk of a successful attack or a compliance violation increases. Security teams are already struggling to keep up with cyber-security threats, as point products generate thousands of alerts that security analysts find hard to keep up with. The problem is accentuated by the adoption of cloud services, where WFH users can access the services directly from the cloud without even touching the enterprise network. There is a need to strike a balance between user experience, bandwidth congestion at the VPN head-end, and enterprise security requirements.


WFA users can be allowed to access cloud services and the Internet directly from their ISP connection without that traffic needing to go through the VPN tunnel. This ensures that VPN capacity is used only for traffic destined for assets within the organization, preventing congestion at the VPN head-end and optimizing the user experience. This is achieved using the split-tunnel functionality of the VPN client, which routes traffic for specific destinations into the VPN and forwards the remaining traffic to the Internet, bypassing the VPN.

There is also a requirement to manage the security of users as they access the Internet from their unsecured Internet connections. DNS security can be used as the first line of defence against access to malicious domains of any sort. Users can be protected from malware, ransomware, C2 callbacks, phishing attempts and even custom sites defined by the security policy. These capabilities, coupled with features like secure web gateways, cloud-delivered firewalls and cloud access security brokers, ensure consistent security policy enforcement for on-prem and WFH users.
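The two mechanisms of this section, the split-tunnel routing decision and the DNS-layer policy applied to the traffic that bypasses the VPN, as an added example that is not part of the original article. The internal prefixes, the domain categories and the resolver log lines are constructed; the suffix walk in `dns_verdict` is what makes a sub-domain of a listed domain get the parent's verdict.

```python
# Added example (not from the paper): split-tunnel routing decision plus a
# DNS-layer policy check for the traffic that bypasses the VPN. Prefixes,
# categories and log lines are constructed for illustration.
import ipaddress

# Destinations that stay on the VPN: the organization's internal address space.
CORP_PREFIXES = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12")]

# Hypothetical threat-intelligence categories used by the DNS-layer check.
DOMAIN_CATEGORY = {
    "malware-dl.example": "malware",
    "update-your-bank.example": "phishing",
    "beacon.example": "c2",
}
BLOCKED_CATEGORIES = {"malware", "phishing", "c2", "ransomware"}
CUSTOM_BLOCKLIST = {"filesharing.example"}   # sites blocked by organizational policy


def route_via_vpn(dst_ip: str) -> bool:
    """Split tunnel: only internal destinations are sent through the VPN."""
    ip = ipaddress.ip_address(dst_ip)
    return any(ip in net for net in CORP_PREFIXES)


def dns_verdict(qname: str) -> tuple:
    """Return ("block", reason) or ("allow", None) for a queried name.

    The lookup walks from the full name up through its parent domains, so that
    "cdn.malware-dl.example" is caught by the entry for "malware-dl.example".
    """
    labels = qname.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in CUSTOM_BLOCKLIST:
            return ("block", "custom-policy")
        category = DOMAIN_CATEGORY.get(candidate)
        if category in BLOCKED_CATEGORIES:
            return ("block", category)
    return ("allow", None)


def process_dns_log(lines) -> list:
    """Apply the DNS policy to resolver log lines of the form '<ts> <user> <qname>'."""
    blocked = []
    for line in lines:
        _ts, user, qname = line.split()
        verdict, reason = dns_verdict(qname)
        if verdict == "block":
            blocked.append((user, qname, reason))
    return blocked


SAMPLE_DNS_LOG = [  # constructed resolver log
    "2020-04-01T09:00:01Z alice mail.corp.example",
    "2020-04-01T09:00:07Z alice cdn.malware-dl.example",
    "2020-04-01T09:01:15Z bob update-your-bank.example",
    "2020-04-01T09:02:40Z bob docs.filesharing.example",
    "2020-04-01T09:03:02Z carol beacon.example",
]
```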

3.4     Malware and Data Protection

Protecting data and ensuring the security of user devices deserves greater focus as users start to work from home. The threats to safeguard against include physical device theft, security breaches through device malware, phishing attempts, and loss of data through channels like email and auxiliary devices.


As a first step, disk encryption can be used as a deterrent against data exfiltration from the devices. Disk encryption can be enforced on corporate and corporate-managed devices as part of the security policy. Access to sensitive data from personal devices can be blocked using the solutions described in the Trusted Access Control section.

DNS security and secure Internet gateways can provide defence against phishing attempts, malware, ransomware and C2 callbacks. This can be enhanced using Endpoint Detection and Response (EDR) systems, which can detect suspicious activity, threat-hunting or data-exploration activity on the device and take protective action. EDR systems can be integrated with the security posture systems to limit access to the enterprise and to automate incident response.

Data Loss Prevention (DLP) tools can be used to monitor data usage on the endpoint, network and cloud, and prevent data loss through email, auxiliary ports or embedding in other documents.

Organizations that have stringent data access policies or business obligations might consider deploying Virtual Desktop Infrastructure (VDI) that is accessed over the VPN. The VDI systems should be used in lock-down mode to block all network access other than VDI while they are in use. VDI technologies can also be integrated with MFA to provide additional authentication, and can be a secure way of transacting business that involves confidential and sensitive data.

3.5     Operationalizing the framework

The previous sections of the document discussed the various technologies that can be deployed or reconfigured to achieve specific functional objectives. The figure provides a unified view of the solutions and technology components for a secure WFH environment.


The increased threat surface makes the job of the IT operations and security operations teams even more difficult. It is important that these teams have complete visibility into the network, user behaviours, security postures and traffic patterns.

The WFH environment generates additional logs that need to be analysed, from systems such as DNS security, web security control systems, MFA systems, DLP systems and EDR solutions. User behavioural patterns now need to be profiled even more granularly for WFH users, and any deviations from the baseline accounted for, to prevent security lapses.

The efficacy of the technology solutions can be enhanced by integrating the various disparate security solutions, such as EDR, DNS-layer security and email/web security, with threat intelligence platforms. Using pre-integrated systems that can exchange context and data with each other, and using APIs to automate operations, enables faster threat detection and response. Tools like osquery or equivalent can be used to search for key IOCs and forensic traces across all endpoints in the WFH environment.
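The log correlation this section calls for, run over the VPN and MFA sources described earlier, as an added example that is not part of the original article. It flags a VPN connect with no recent MFA success, a connect from a country outside the user's baseline, and two connects from different countries too close together; the log format, users, baselines and windows are constructed.

```python
# Added example (not from the paper): correlating VPN, MFA and geo-location
# logs from the WFH stack into the alerts an operations team would want.
# Log format, users, baselines and thresholds are constructed.
from datetime import datetime, timedelta

MFA_WINDOW = timedelta(seconds=120)   # a VPN connect must follow an MFA success within this
TRAVEL_WINDOW = timedelta(hours=2)    # two countries inside this window is implausible travel

# Countries each user normally connects from; in practice learned from history.
BASELINE_COUNTRIES = {"alice": {"IN"}, "bob": {"IN"}}


def parse(line: str) -> dict:
    """Parse '<ts> <source> <user> key=value ...' into a dict with a datetime ts."""
    ts, source, user, *kv = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
           "source": source, "user": user}
    rec.update(p.split("=", 1) for p in kv)
    return rec


def analyse(lines) -> list:
    """Return alerts in time order as (user, alert, timestamp) tuples."""
    records = sorted((parse(l) for l in lines), key=lambda r: r["ts"])
    mfa_ok = {}     # user -> time of the last MFA success
    last_geo = {}   # user -> (time, country) of the last VPN connect
    alerts = []
    for r in records:
        u = r["user"]
        if r["source"] == "mfa":
            if r["result"] == "success":
                mfa_ok[u] = r["ts"]
            continue
        if r["source"] == "vpn" and r["event"] == "connect":
            t = r["ts"].isoformat()
            last = mfa_ok.get(u)
            if last is None or r["ts"] - last > MFA_WINDOW:
                alerts.append((u, "vpn-connect-without-mfa", t))
            if r["country"] not in BASELINE_COUNTRIES.get(u, set()):
                alerts.append((u, "new-country", t))
            prev = last_geo.get(u)
            if prev and prev[1] != r["country"] and r["ts"] - prev[0] < TRAVEL_WINDOW:
                alerts.append((u, "implausible-travel", t))
            last_geo[u] = (r["ts"], r["country"])
    return alerts


SAMPLE_LOG = [  # constructed VPN head-end and MFA log lines
    "2020-04-01T08:59:30Z mfa alice result=success",
    "2020-04-01T09:00:10Z vpn alice event=connect src=203.0.113.7 country=IN",
    "2020-04-01T09:30:00Z vpn bob event=connect src=198.51.100.9 country=IN",
    "2020-04-01T10:15:00Z mfa bob result=success",
    "2020-04-01T10:15:20Z vpn bob event=connect src=192.0.2.44 country=DE",
]
```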

4      Conclusion

WFH is the new normal; it can not only help maintain business continuity but also bring significant cost savings for organizations. The flexibility provided by WFH, if used judiciously, can enhance organizational productivity and lead to significant savings in terms of productivity gains and reduced real estate costs. This will require a relook at current IT architectures and at operational and security practices. The solutions described in this document will help organizations provide a secure WFH environment for their employees.

