Working remotely is no longer a pipe dream. According to the Work Trends Index by Microsoft, 74% of workers in Asia want remote work options to continue after the last two “pandemic” years. However, telework’s dispersed nature introduces security issues with the additional danger of compromise and data exposure.
Over the last decade, IT departments have seen dramatic changes as the notion of a single location housing all IT systems has become outdated. Today’s typical firm houses some key systems onsite, but it also uses SaaS services such as Google Workspace or a CRM, and benefits from cloud storage. Employees nowadays work from home more frequently and access IT resources remotely, using their preferred devices.
This is a challenge for IT security managers, as they now need to make sure that the company’s data stays protected when accessed outside of a corporate network. Let’s take a look at 5 must-haves for making your IT resources secure in the remote world.
1. Strengthen Your Access Control with 2FA and MFA
Credential stuffing attacks are among the most prevalent and hazardous because a single leaked password may give access to an entire IT ecosystem (see the hack of Colonial Pipeline). If you let your users remotely access vital IT systems, don’t rely on passwords alone; implement effective protection against unauthorized entry.
Instead of relying on passwords only, use two-factor authentication via a private text message or email code, or multi-factor authentication that combines several forms of verification based on what the users know (password), what they have (token, device), or who they are (identity).
2. Adopt a Zero-trust Network Access Framework
In a zero-trust environment, your business systems and networks are segmented into several independent pieces that work together but are isolated from each other (a closed ecosystem). The idea is to move away from the concept of a walled garden (IT perimeter), which is no longer defensible due to distributed IT (on-premise, cloud, hybrid), BYOD, and a geographically distributed remote workforce, and adopt a more flexible approach in which each user is authorized to access only the digital resources they need for their job.
For instance, if you let every company department access the CRM system, you are only increasing the number of potentially exploitable infiltration points without any practical benefit.
By restricting access by team, system, application, and IP address, you can better contain emerging breaches and limit their spread.
If you are not there yet, now is a good time to start thinking about how to implement zero-trust network access in your business environment.
3. Use IP Whitelisting to Hide Your Systems from the Public Eye
To reduce the threat surface introduced by the public internet, it is essential not to open the business-critical systems to everyone. IP whitelisting, while seeming simple, is a powerful tool for this purpose. It’s a technique of preventing unauthorized access by allowing only trusted IP addresses to connect to the system (LAN, business system, database, etc.).
A prerequisite of IP whitelisting is a static IP address (check the difference between static and dynamic IP described by GoodAccess) that is owned exclusively by the target device/devices. You can lease one from your ISP or better, use a cloud VPN to deliver a dedicated static IP; read this article to learn more.
As a result, by utilizing IP whitelisting on the server, you may easily conceal online systems from prying eyes. Such systems are accessible only to individuals with the organization’s trusted IP address, whether they connect via a private corporate network or through a VPN gateway, and are automatically resistant to most network-based attacks.
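The two controls described above, restricting access by team and application (section 2) and admitting only trusted source IPs (section 3), can be evaluated together as one default-deny decision. This is an added example, not code from the article or from any vendor; `TRUSTED_NETWORKS`, `TEAM_GRANTS`, the `Request` type and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample values: 203.0.113.10 stands in for the organisation's
# static gateway IP, 10.20.0.0/16 for an internal LAN range.
TRUSTED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("203.0.113.10/32", "10.20.0.0/16")]

# Hypothetical team -> application grants; anything not listed is denied.
TEAM_GRANTS = {
    "sales": {"crm"},
    "finance": {"erp", "crm"},
    "engineering": {"git", "ci"},
}


@dataclass(frozen=True)
class Request:
    user_team: str
    application: str
    source_ip: str


def normalise_ip(text):
    """Parse an address; unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) to IPv4."""
    addr = ipaddress.ip_address(text.strip())
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(req):
    """Default deny: the network check and the team grant must both pass."""
    try:
        addr = normalise_ip(req.source_ip)
    except ValueError:
        return False, "unparseable source address"
    if not any(addr in net for net in TRUSTED_NETWORKS):
        return False, "source IP not on allowlist"
    if req.application not in TEAM_GRANTS.get(req.user_team, set()):
        return False, "team has no grant for application"
    return True, "allowed"
```

The source address must be the one seen on the connection itself; a client-supplied header such as `X-Forwarded-For` is only usable when it was set by a proxy you control.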
4. Encrypt All Remote Communication on Both the Application and Network Level
In today’s world, end-to-end encryption of data before it leaves a device is easy and relatively cheap to implement on both the application level (e.g. using TLS) and the network level (e.g. business cloud VPN). Apply it whenever you can.
Application-layer encryption is broadly used on the internet nowadays. However, it only encrypts the payload. To further minimize the attack surface, it’s good to combine it with network-layer encryption, which extends to the TCP header as well, and therefore protects information like DNS queries and servers from interception and misuse.
To implement network-layer encryption, you need to deploy a business cloud VPN, which creates a secure tunnel between two points identified by, e.g., static IP address, and is highly suitable for network security scenarios where high speed and low latency are required.
The combination of both encryption schemes ensures the privacy of the payload throughout its transit to the recipient and hides the identity of the communicating parties from the public Internet.
5. Log User Activity
Monitoring and logging user activity across all network communication and systems is a fundamental tool that gives your company visibility into access history and is an essential component of implementing your compliance policy.
In addition, being able to review access and communication history is invaluable when investigating a breach post-compromise, as it is here that you can trace the adversary’s footsteps and repair the damage they caused.
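As an illustration of what such a review can surface, the added example below (not part of the original article) scans an authentication log for the credential-stuffing pattern mentioned in section 1: one source failing logins against many different accounts in a short time. The log format, the 5-minute window, the threshold of 4 accounts and the sample lines are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)     # assumed look-back window
DISTINCT_USERS_THRESHOLD = 4      # assumed alert threshold

# Constructed sample log: "<ISO time> src=<ip> user=<name> result=<OK|FAIL>"
SAMPLE_LOG = """\
2024-05-01T09:00:01 src=198.51.100.7 user=alice result=FAIL
2024-05-01T09:00:02 src=198.51.100.7 user=bob result=FAIL
2024-05-01T09:00:03 src=203.0.113.10 user=erin result=OK
2024-05-01T09:00:04 src=198.51.100.7 user=carol result=FAIL
2024-05-01T09:00:05 src=198.51.100.7 user=dave result=FAIL
2024-05-01T09:00:07 src=198.51.100.7 user=frank result=OK
2024-05-01T09:03:00 src=203.0.113.10 user=erin result=FAIL
2024-05-01T09:03:10 src=203.0.113.10 user=erin result=OK
"""


def parse(line):
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["src"], kv["user"], kv["result"]


def review(log_text):
    """Return {src: {"targets": [...], "succeeded": [...]}} for flagged sources."""
    failures = defaultdict(list)   # src -> [(time, user)] of recent failures
    findings = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse(line)
        # Slide the window: forget failures older than WINDOW for this source.
        failures[src] = [(t, u) for t, u in failures[src] if ts - t <= WINDOW]
        if result == "FAIL":
            failures[src].append((ts, user))
        targets = {u for _, u in failures[src]}
        if len(targets) >= DISTINCT_USERS_THRESHOLD:
            entry = findings.setdefault(src, {"targets": set(), "succeeded": set()})
            entry["targets"].update(targets)
        # A success from an already-flagged source is the account to reset first.
        if result == "OK" and src in findings:
            findings[src]["succeeded"].add(user)
    return {s: {k: sorted(v) for k, v in f.items()} for s, f in findings.items()}
```

A single user mistyping their own password (the `erin` lines) stays below the threshold, while the source that walks through four accounts is flagged along with the login that later succeeded from it.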
The author is the content lead at GoodAccess