In what has quickly become the age of the remote employee, many companies are struggling with a number of concerns: how to continue to provide services, how to keep remote employees engaged, how a remote workforce can collaborate and, perhaps most importantly, how to keep that remote workforce secure.
Security, a concern in the best of times, has become even more critical now that workforces are scattered all over, off the company network, and, in some cases, not using company-issued hardware. VPNs, often deployed in a rush, have become increasingly common as these employees need to access the company network, so it will come as no surprise that they are ripe for exploitation.
A joint alert from the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and the UK’s National Cyber Security Centre (NCSC) warns that “the surge in teleworking has increased the use of potentially vulnerable services, such as virtual private networks (VPNs), amplifying the threat to individuals and organizations.” Specifically, the bulletin notes that “Malicious cyber actors are taking advantage of this mass move to telework by exploiting a variety of publicly known vulnerabilities in VPNs and other remote working tools and software. In several examples, CISA and NCSC have observed actors scanning for publicly known vulnerabilities in Citrix … Similarly, known vulnerabilities affecting VPN products from Pulse Secure, Fortinet, and Palo Alto continue to be exploited.”
There are numerous resources and updates on the CISA and NCSC websites that can help keep track of these vulnerabilities and fixes, so it’s certainly worth checking out.
What also should come as no surprise is that for every exploit, there is a tech firm with a potential fix or new solution for what is very likely to be an increasingly remote workforce even after the current crisis has passed.
Google recently rolled out a new security service, BeyondCorp Remote Access, designed to allow internal systems to be accessed remotely without the use of a VPN. The cloud solution is based on a zero-trust network security model Google developed in 2010 and has been using internally for almost that long. Rather than a binary access model, where the user is either inside the entire network with full access or outside with no access, the BeyondCorp approach restricts access more specifically by certain conditions, like user and information. A blog post from Google Cloud’s Sunil Potti and Sampath Srinivas offers examples: “You can enforce a policy that says: ‘My contract HR recruiters working from home on their own laptops can access our web-based document management system (and nothing else), but only if they are using the latest version of the OS, and are using phishing-resistant authentication like security keys.’ Or: ‘My timecard application should be safely available to all hourly employees on any device, anywhere.’”
According to Google, BeyondCorp’s principles are:
- Connecting from a particular network must not determine which services you can access
- Access to services is granted based on what we know about you and your device
- All access to services must be authenticated, authorized, and encrypted
The approach removes some of the problems with traditional VPNs, which extend the network perimeter and, using the binary method, assume everyone within that perimeter is trustworthy. Implementing a VPN infrastructure can be difficult, particularly when it involves rolling out to a lot of users in a short time, as the COVID-19 pandemic and associated stay-at-home orders required. Google says that BeyondCorp Remote Access can start solving some of the most pressing issues, like remote access to internal web apps, in days rather than months.
A number of new technology products designed to aid in remote work and security have rolled out in the wake of the chaos caused by COVID-19, but there’s something to be said for a product Google has been using internally as an alternative to a VPN for nearly a decade. And it’s not only Google that has used the solution; many of its partners and customers have “battle-tested” it as well.
Security issues aren’t going away, and whether or not things go back to “normal” anytime soon, organizations need to be armed and ready with the right information and training to protect their data and employees — but if they also have some tools that make things both easier and safer, so much the better.