March 16, 2020
Prioritize These Security Considerations as Users Work from Home More Frequently
Security is often an afterthought for WFH programs, but it shouldn’t be.
— Written by Jeff Falcon, Paul Shelton and Ziyad Roumaya
When it comes to working from home, for many organizations, user devices and network connectivity are top-of-mind concerns. And while that makes sense, there are certainly other considerations.
Like everything else IT-related, there are aspects of security that need to be minded when rolling out WFH capabilities. Security is an important factor as workers start using their own PCs or buying a new PC if they couldn’t source one through their work.
Managing VPN Capacity
With WFH, your organization needs additional capacity, not only on the infrastructure side but also in solving security challenges that you’ve perhaps already tackled internally. Now you need to worry about them from a different angle — from home, from the airport, from the coffee shop. You need to cover cloud access security and endpoint protection while scaling up security resources. VPN capacity needs to be tackled to provide the ability to access resources remotely from new places. These security concerns should be addressed right off the bat.
There are specific challenges around scaling up VPN capacity on the firewall. You need to think about not just the number of VPN licenses but also the appliances themselves. For example, a firewall may only support 25 concurrent VPN users; it may not be able to support 2,500. Luckily, for organizations looking to scale quickly, there are solutions that leverage cloud providers and software-defined WAN technologies to scale a VPN beyond what your particular hardware platform will support, all without having to forklift in new hardware.
You will also want to look at the current internet bandwidth that will carry the VPN connections. One problem that may crop up is that the at-home solution uses up all the local internet bandwidth and causes delays for email and any websites the organization hosts. Organizations should contact their internet providers to see if they can increase bandwidth to accommodate the higher internet use. With encryption overhead and high speeds at home, a single user can eat up 1-10 Mbps, depending on the task at hand. If possible, only send traffic through the client VPN for applications that will only work from inside the network. Email and collaboration tools should run outside the VPN client.
Cloud Access Security Brokers and WFH
This Infrastructure as a Service type of add-on from providers is valuable to an organization. But having a guide to help you through that process and figure out where the other pitfalls are is really important. There’s a lot of risk to manage there and that’s where CDW solution architects come in. They can look at the different solutions available and suggest what’s the best fit for your unique environment.
From a security perspective, once we get these users plugged in and working through a cloud As-a-Service application, how do we protect them from the threats that are coming through? How do we get visibility into their connections? Can we inspect the data that's being transmitted back and forth to the cloud? It's important to consider tools like data loss prevention and cloud access security brokers (CASBs). These are a subset of the protection mechanisms we can put in place as guardrails around WFH to make sure that we're securing traffic and data.
Battling Shadow IT
When it comes to WFH, many organizations may look to collaboration tools such as Zoom, Cisco Webex, Microsoft’s suite and VMware. The providers of these solutions are offering free individual accounts. Attractive offers, but you need to be careful. For example, you don’t want to have 500 users and try to jump on this offer with each user setting up their own account. From a security standpoint, that can go wrong in so many ways. A better option is to partner with CDW or another solution provider and get set up with an enterprise trial for the entire organization. And the good news is that when the trial ends after 90 days, the organization can quickly roll into a Cisco Flex plan or resume the enterprise plan that they tested.
Our fear with all these trial offers is that you have all these independent lines of business going out and just signing up: the accounting department signing up for Webex, a marketing team doing it with Zoom. This is shadow IT — workers don't have nefarious intentions, they're just good folks trying to get their work done. We're spinning up workloads and applications, finding ways around the normal safeguards and controls from a security perspective. How do we make sure that we're doing this in a proper fashion? There still has to be an element of security built into this mechanism, versus just flinging out all these free licenses to make sure that you can continue operations.
Most important, you need to get in front of it and get in front of your business leaders. You’ve got to go to them and say, “We know you need X, so let’s work together to get this done for you.” Don’t run off and grab the first shiny thing off the shelf. There are ways to go about doing this, and it can be done rapidly and at scale, but only if everybody’s talking to each other and having a conversation about what the business really needs to keep going forward.