Endpoint Security in a Work-From-Home (WFH) World

By Randy Marchany, Chief Information Security Officer, Virginia Tech

The WFH model has forced corporations to redesign their security architecture models. WFH endpoints are no longer inside a corporate network border, which nullifies basic security practices that work inside a corporate border. For example, a common practice in incident response is to disconnect the compromised machine from the network in order to limit the damage done by the compromise. A compromised machine in the WFH world is part of the ISP's network. The ISP is the entity that has to disconnect the machine from the net, and it will require a lot of justification, typically a court order or warrant, in order to do so.

WFH endpoint security presents its own set of challenges. There are two scenarios in the WFH model: a) WFH with organization-owned machines; b) WFH with the employee's personal devices.

WFH with Organization-Owned Machines

This may be the most common scenario for most organizations. As I mentioned earlier, since the devices aren't inside the "corporate" border, a number of practices may have to change.

  1. Software licensing. Software licenses should be reviewed to ensure they're not tied to the corporate network address block. WFH devices initially have their home ISP network addresses. Some software products that restrict access to the corporate network address blocks may not work.
  2. Vulnerability Scanning. Vulnerability scanning is a common practice and works well in a corporate network because the company owns the network infrastructure. However, you may not be able to scan your WFH assets because the local ISP will interpret the scan as an attack against one of their customers and actively block it.
  3. System, Application, and Access logs. Your SIEM will need to be configured to accept logs from external hosts. This may be a management challenge due to the wide variety of ISPs used by your employees. The SIEM will have to allow external addresses to connect to it unless a VPN client is used.
  4. Cloud Services. This is probably the most straightforward process, since cloud services were designed to be accessed from anywhere on the net. You may have to ensure access control is based on identity and not network addresses. Cloud providers may not log the information you need to determine which endpoint accessed files in your cloud.
  5. Automatic VPN. Some companies will configure their systems to automatically start a VPN connection back to the corporate network. This can help with the previous items mentioned here. However, you should not assume the WFH device can't be accessed from the net. While a VPN client may restrict the WFH employee from going anywhere on the net, it won't necessarily prevent anyone on the net from accessing the WFH device, because the VPN client tunnels through the WFH device's ISP address. This ISP address remains active while the machine is connected to the net. Consider putting the device in a separate home network segment to isolate its traffic from your home devices.
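Item 5 is the one most often overlooked: a VPN tunnel does not take the ISP-facing interface out of service, so any service bound to the wildcard address is still reachable on that interface. The following is an added example, not code from the article, of a check an endpoint team could run on a Linux WFH device. It parses the output of `ss -ltn` and reports listening TCP sockets that are bound to something other than loopback or the VPN tunnel address. The sample `ss` output, the interface names and the VPN address `10.8.0.6` are constructed for illustration.

```python
"""Flag listening TCP services on a WFH endpoint that are reachable via the
ISP-facing address rather than only via the VPN tunnel.

Added example, not from the article. Assumes Linux and the column layout of
`ss -ltn` (State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port).
"""
import ipaddress
import subprocess

# Constructed sample of `ss -ltn` output for a laptop whose wlan0 holds the
# ISP-assigned address 192.168.1.23 and whose tun0 holds the VPN address.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       4096    127.0.0.1:631        0.0.0.0:*
LISTEN  0       50      10.8.0.6:445         0.0.0.0:*
LISTEN  0       5       192.168.1.23:5900    0.0.0.0:*
"""

# Assumed tun0 address; in practice read it from the VPN client or `ip addr`.
VPN_ADDRESS = ipaddress.ip_address("10.8.0.6")


def parse_ss_listeners(text):
    """Return (ip_address, port) tuples for every LISTEN row in `ss -ltn` output."""
    listeners = []
    for line in text.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")  # rpartition copes with IPv6
        host = host.strip("[]")
        if host == "*":  # older ss prints '*' for the wildcard address
            host = "0.0.0.0"
        listeners.append((ipaddress.ip_address(host), int(port)))
    return listeners


def exposed_listeners(listeners, vpn_address):
    """Return listeners that are reachable outside the VPN tunnel.

    A socket is exposed when it is bound to a wildcard address (0.0.0.0 / ::),
    which covers the ISP-facing interface, or to any specific non-loopback
    address other than the VPN address.  Loopback-only and VPN-only bindings
    are left out.
    """
    return [
        (ip, port)
        for ip, port in listeners
        if not ip.is_loopback and ip != vpn_address
    ]


def live_exposed_listeners(vpn_address=VPN_ADDRESS):
    """Run `ss -ltn` on this host and return its exposed listeners."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return exposed_listeners(parse_ss_listeners(out), vpn_address)


if __name__ == "__main__":
    # Offline demonstration on the constructed sample.
    for ip, port in exposed_listeners(parse_ss_listeners(SAMPLE_SS_OUTPUT), VPN_ADDRESS):
        print(f"exposed outside VPN: {ip}:{port}")
```

On the sample, sshd on the wildcard address (both IPv4 and IPv6) and the VNC listener on the LAN address are reported, while CUPS on loopback and the SMB listener bound only to the tun0 address are not. The same idea applies to UDP (`ss -lun`), and the fix for a flagged service is to bind it to the tunnel address or block the port on the ISP-facing interface with the host firewall.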

WFH with Personal Devices

There are a number of factors that need close examination when the employee uses their own device.

  1. Regulatory Requirements. Does your personal device meet any legal or regulatory requirements imposed on the data you'll be processing on your home computer? What is the audit process to ensure compliance?
  2. Create a separate userid for work. When you're doing personal stuff, use your personal account. Create a separate userid for work purposes. This separates browser history, data file access and logging from your personal account. This may help limit ransomware damage.
  3. System Security Configuration. Chances are pretty good that the security settings on your personal devices are not as stringent as those on your corporate assets. Ensure your home network is segmented such that your home network devices (cameras, Echos, Ring cameras/locks, etc.) are on a different segment from your home computer. If you need a reason to change all default passwords of your home network devices, simply google "default passwords" to get a list of www sites that contain the make, model, version, userid and password of thousands of home networked devices.
  4. Net Access isn't Equal. WFH has exposed the inequalities of residential internet access. Employees may live in areas where net access is minimal. Typically, the higher your network usage is in terms of capacity, the more you'll pay for that plan. Tools like Zoom, GoToMeeting, Teams and BlueJeans will definitely add to your network usage. Also, during the pandemic, more than one family member may be using the net for school or their own jobs. Pushing patches, software updates and installations may take longer.

In both of the above scenarios, the organization may lose visibility of its data assets if the data is copied to the WFH device. File-level encryption options include Microsoft Office's file encryption feature, which allows you to encrypt any Office file; Adobe Acrobat's encryption features, which allow you to use either a password or a certificate to encrypt the file; and the VeraCrypt freeware encryption tool, which allows you to create folders (volumes) that can be encrypted on a wide variety of media ranging from USB drives to the cloud. You can tag your sensitive data files with a web bug (a.k.a. beacon) to let you know when the file is opened.

WFH in full remote or hybrid mode is here to stay. Data security strategies need to adapt to this new paradigm. You should design your security architecture around your sensitive data and your digital identity.
