When Remote Access Becomes the Norm
Updated: Jul 11, 2020
As companies respond to the COVID-19 pandemic, many are encouraging their employees to work remotely, where possible. Some are finding that this may be easier said than done.
In this blog, we discuss the challenges some IT and security teams may encounter related to the design of their current remote access capabilities. We review three technical design limitations commonly encountered by a broad-based move towards remote work:
Relying on security controls implemented within the corporate network
Restricting remote access to devices managed by IT
Authentication limited to third-party hardware-based methods
Many legacy remote access solutions were designed to support a specific set of corporate functions, such as remote IT support or field service and sales staff. Their security controls were built around the access requirements of specific resources. Adding large numbers of new remote workers to such a solution can magnify issues that were already developing as a result of cloud adoption and changing computing models.
Network Centric Design
Many legacy remote access solutions were designed around the idea that corporate resources were secured behind a strong perimeter and the goal of the remote access solution was to provide a secure path into the protected corporate infrastructure.
These solutions typically have the following characteristics:
Use of a Virtual Private Network (VPN) to provide a secure tunnel into the corporate network that allows the remote device to function directly connected to the corporate infrastructure, with some potential access limitations.
Security controls designed to protect devices and resources on the network, such as threat inspection, malware protection, and data loss prevention, are used to protect remotely connected devices as well.
Software and security updates are distributed to remote devices only when they connect to the corporate network.
As companies move to utilize more and more cloud-based services, some of the underlying assumptions of this model begin to break down. Resources users need access to are no longer hosted within the corporate infrastructure. The result is a circular path from an internet-connected remote client, through the corporate network, and back out to the internet to reach cloud resources.
While not optimum, this arrangement can be tolerated as long as some key factors remain true:
The number of users impacted is relatively small
The primary access required by the remote user is still to on-premises resources
The roles of the users accessing remotely continue to be the roles for which the remote access solution was designed.
However, some of the key services being moved to the cloud often involve basic office support functions, like email, collaboration tools, and shared file storage. These services are used frequently by all types of users.
When the mandate to work from home comes in, several factors have an immediate impact on this network-centric approach:
The volume of traffic being backhauled across the network components increases with each user
VPN infrastructure must be prepared to handle a larger number of connections
Work patterns that had not previously been routed through the VPN and other supporting components require review and optimization to prevent latency issues.
Enrollment processes must be adjusted to deal with the capacity and routing assessments
In order to address these issues, IT and security organizations must design a remote access solution that accounts for new ways of connecting to corporate resources. Cloud-based services can be used to provide more streamlined and direct connections from remote clients to both internet and internally hosted applications and services. These services have the ability to scale quickly and provide cost benefits when the need for broad-based remote access subsides.
Device Dependent Design
In order to protect corporate data and resources from the many threats and vulnerabilities that exist today, most companies install and manage software agents on the client devices they issue to their employees. Corporately managed devices are often required in the following situations:
VPN connections - Remote access enrollment processes may include verification or deployment of these managed assets.
Cloud Applications - In order to access the company sanctioned cloud services, users must often have a corporate managed device running the appropriate local software.
Wireless Connections - Verification that proper security software is in place and current before a wireless connection to the corporate network is allowed.
These software agents are often sensitive to particular operating system settings and therefore must be managed and distributed for specific configurations, which forces IT organizations to support only a limited set of client platforms. Exceptions are often made based on business justification, allowing a small number of non-corporate devices to access corporate resources.
An onslaught of requests for remote access driven by an emergency move to remote work could be greatly impacted by this design in the following ways:
The availability of corporate-issued devices is limited, and distribution often difficult.
Making exceptions at large scale invites serious security risk.
If personal devices are allowed to be used, access to resources should be limited, and employees may find they cannot perform all of their normal tasks.
The ability to utilize alternative devices is key to scaling your remote access solution quickly. Modern remote access solutions can be designed to allow the use of an individual's personal devices while restricting the movement of sensitive corporate data onto those devices. Additionally, technologies such as digital rights management (DRM), virtual desktop infrastructure (VDI) and remote browser isolation provide methods of access and protection that are not device dependent and can be used to mitigate the risks associated with working remotely.
Restrictive Authentication Design
Most remote access implementations recognize the need for strong, multi-factor authentication when remotely connecting. However, several factors can create deployment limitations regarding authentication methods. These include:
Use of specialized hardware tokens that generate one-time passwords. These can be expensive and require dedicated infrastructure to manage them.
Focus on supporting IT staff using an onboarding process that is cumbersome and technical
Lack of integration with corporate directories and other mechanisms used for supporting authentication with the general user population
These issues make it difficult and expensive to get additional types of users onboarded and authenticated properly. To address these limitations, companies have been using mobile devices in authentication scenarios to alleviate dependencies on third-party hardware. Companies should take a risk-based approach that adapts the authentication requirement to differences in user role, device used, location, and the classification of the resource being accessed. Adaptive authentication solutions integrate with other corporate authentication methods to provide a smoother onboarding process and more user-friendly interfaces.
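A minimal version of the risk-based policy described above, written as an added example (it is not code from the original post or from any vendor product). It combines the four signals named in the text into a score and maps that score to a required authentication strength; the signal weights, thresholds and assurance levels are assumed values that a real deployment would tune to its own risk model.

```python
"""Illustrative risk-based adaptive authentication policy (assumed weights)."""
from dataclasses import dataclass

# Assumed per-signal risk weights; higher means riskier.
ROLE_RISK = {"staff": 1, "contractor": 2, "it_admin": 3}
DEVICE_RISK = {"managed": 0, "personal": 2, "unknown": 4}
LOCATION_RISK = {"office": 0, "home_known": 1, "unknown": 3}
RESOURCE_RISK = {"public": 0, "internal": 1, "confidential": 3, "restricted": 5}


@dataclass(frozen=True)
class AccessContext:
    """The signals the policy evaluates for one access request."""
    role: str
    device: str
    location: str
    resource: str


def _weight(table: dict, key: str) -> int:
    # Unrecognised values are treated as the riskiest option in that table.
    return table.get(key, max(table.values()))


def risk_score(ctx: AccessContext) -> int:
    """Sum the per-signal risk for the request."""
    return (_weight(ROLE_RISK, ctx.role)
            + _weight(DEVICE_RISK, ctx.device)
            + _weight(LOCATION_RISK, ctx.location)
            + _weight(RESOURCE_RISK, ctx.resource))


def required_auth(ctx: AccessContext) -> str:
    """Map the score to an assurance level (thresholds are assumed).

    Returns one of: "password", "password+push", "password+otp", "deny".
    """
    # Hard rule independent of score: restricted data never reaches unmanaged devices.
    if ctx.resource == "restricted" and ctx.device != "managed":
        return "deny"
    score = risk_score(ctx)
    if score <= 2:
        return "password"          # low risk: single factor is acceptable
    if score <= 5:
        return "password+push"     # step up to a mobile push approval
    if score <= 9:
        return "password+otp"      # step up further to a one-time passcode
    return "deny"                  # too risky to authenticate at all


if __name__ == "__main__":
    ctx = AccessContext("staff", "personal", "home_known", "internal")
    print(risk_score(ctx), required_auth(ctx))
```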
None of us have been truly prepared for remote work at the scale the coming weeks (and perhaps months) will demand. Work on these three core capabilities will pay off in the near future while also contributing to a robust system for the years ahead. If you would like some assistance in reviewing your remote access capabilities, contact us for a no-cost high-level assessment based on our years of experience in helping companies design robust and adaptive solutions.