Remote work muscled itself to the top of every security and risk manager’s agenda when the COVID-19 pandemic hit. Whereas remote work was previously the exception, up to 82% of company leaders now plan to permit remote working at least some of the time as workplaces begin to reopen.

Designing a durable enterprise-scale remote work program requires a significant strategy shift and many changes in the use of technology for security and risk management leaders. Scaling virtual private network access is only the start of the journey. The sharp increase in remote working breaks the longstanding assumption by security teams that remote access is a secondary concern compared with on-premises security.

Gartner predicts that through 2021, more than half of companies will convert and extend their crisis remote workforce tools and processes to a long-term strategy without updating the relevant security controls.

However, such a strategy is likely to leave significant security gaps. Chief information security officers must execute on a three-step plan to reset their business strategy for a long-term remote-work-first culture.

Step 1: Craft remote worker business profiles

The diversity of remote working scenarios in a typical organization implies that there will be more than one remote-work technology stack. This means that CISOs need to create multiple security profiles (Figure 1, below).

Gather information to understand each user role and team’s remote work strategy. Inventory the key applications and computing models for each user category and identify their data privacy requirements. Then, map these remote work profiles with existing risk assessments based on the employee’s role.

Figure 1: Key Components of an Employee’s Remote Work Profile

Step 2: Influence and adapt to remote work architectures

Following the COVID-19 outbreak, enterprise security teams were tasked with scaling tenfold — sometimes hundredfold — remote access to their infrastructure. Lessons learned from the crisis will prove useful, but what is good as first aid is not always good when designing for the long-term.

Moving forward, the challenge of scaling infrastructure for the long term is primarily in the hands of the infrastructure and operations or I&O cloud and application teams. However, as the I&O team experiments with new approaches, CISOs must ensure they have the opportunity to influence infrastructure design based on employee risk profiles. Proactively raise security requirements to the I&O team, which might include the following:

• Automating the integration of security software on client and server machines
• Enforcing minimum patching requirement and endpoint device health check before granting access
• Multifactor authentication
• Rerouting traffic through a security cloud or appliance gateway before user logon
• Enforcing connections through desktop-as-a-service (DaaS) or a virtual desktop infrastructure

The more disruptive the suggested changes, the earlier the negotiation should start. When possible, CISOs also must offer a range of options rather than a single solution. Adapt when business efficiency prevails, and influence the design when the risk is too high.

CISOs should also monitor for unbalanced controls that will lead to employees creating workarounds, defeating the purpose of the approach and thus increasing risk. For example, stringent email attachment stripping could lead to employees sending confidential corporate data to their personal email account.

Step 3: Build inclusive security profiles covering all assets and traffic patterns

Finally, build tailored security profiles to address all remote work use cases. CISOs and their teams should then review security best practices and identify solution options for each remote worker architecture.

Once shortlist candidates for remote security solutions have been identified, assess their relative benefits by evaluating each solution based on its efficacy against a specified threat vector. The most comment elements to review in a traditional remote work environment include:

• User security: Consider common threats such as legitimate credentials being used by attackers, social engineering attacks on remote users and employee “workarounds” and shadow IT practices.
• Endpoint security: The ability to provide granular controls on the remote connection client depends on IT architecture choices. Ensure you can build for continuous security posture assessment, rather than “at connection” controls for managed devices. Review in-app security, agentless health checks and automated patch management or monitoring possibilities for unmanaged devices.
• Endpoint local network: As the organization cannot enforce good security practices on every remote network, the assumption should be that the local network isn’t secure and can’t be made secure.
• Access gateway: The attack surface for an access gateway includes software vulnerabilities, poor configuration, account takeover and denial of service.
• Bastion host: Data as a Service and VDI are the most obvious use cases for using a bastion host to access the application from a managed endpoint. Security leaders should treat bastion hosts both as a server and as a client, combining security requirements.
• Application and data security: Application and data security are the most likely component to evolve when moving to enterprise-scale remote work. The main changes are likely to be the shift of east-west traffic (inside a data center) to north-south traffic (between a data center and other networks), changing security monitoring and network segmentation requirements, as well as an acceleration of infrastructure as a service and software as a service adoption, requiring new security solutions.
• Security monitoring and incident response: Many organizations still have immature capabilities for performing continuous security monitoring and incident response. The shift to remote working brings additional risks to organizations where heightened monitoring, detection and response to threats may be required.

Although the work-from-home environment is here to stay, it is paramount that CISOs refrain from approaching distributed work security with a “one size fits all” plan. Prepare for multiple security profiles and architectural approaches that more appropriately cater to today’s diverse and dispersed workforce.

Jeremy D’Hoinne is a research vice president for infrastructure protection at Gartner. He assists chief information security officers and their teams to develop strategies to protect against advanced threats, with a research focus on network security. Gartner analysts will provide additional analysis on IT security trends at the Gartner Security & Risk Management Summit 2020, taking place virtually Sept. 14-17 in the Americas and EMEA. D’Hoinne wrote this article for SiliconANGLE.

Image: Tumisu/Pixabay