Each month, through our partnership with Harvard Business Review, we refresh our resource library with five new HBR articles we believe CIOs and IT leaders will value highly.
Remote security policies: 5 essential components
What are the key elements of a remote access policy? Experts explain how to update or create a remote security policy for your organization and stay safe while people work remotely
The quick shift to remote work in many organizations as a result of COVID-19 means some CIOs, CISOs, and their teams are playing catch-up in terms of remote security policies. But it’s not like they’re starting from square one.
“Institutional habits and preferences form over many years, but new norms have risen nearly overnight, causing many organizations to scramble to adjust. Now that work from home is here, it’ll take some time for written policies to catch up,” says Matt Wilson, chief information security advisor at BTB Security. “However, when they do, it should largely be to address the new technologies employed to enable the workforce – the basic requirements of asset management, encryption, and awareness should already be in place.”
[ For more advice, read Remote work security: 5 best practices.]
In other words, it’s more likely that you need to adapt or augment existing security policies than develop a completely new program from scratch.
How to update your remote security policy
A good place to start that revision process: Review your original requirements to see how they might need to change for the work-from-home (WFH) model. And if you never gathered those requirements in the first place, well, no time like the present – especially given that many organizations will have some form of WFH in place for the foreseeable future, if not forever. (See also: Twitter’s recent update about its long-term plans for a work-from-home strategy.)
“When building a work-from-home security policy, or any policy, really, you have to start by identifying a list of requirements. These requirements come from either contractual, legal, regulatory, or organizational needs and are often unique to every organization,” says Jerry Gamblin, principal security engineer at Kenna Security.
“Many security groups overlook this step and try to create their own policies based on popular templates or previous work experience. While these are not always bad, being able to point any part of your policy back to a real obligation makes it much more enforceable and supportable by leadership,” Gamblin says.
With those requirements in hand, the next step is to identify the technical and procedural controls you can put into place to fulfill them. Again, you aren’t (or shouldn’t be) starting from zero here. Rather, some of your existing controls may need to be fine-tuned or reinforced, and perhaps some new requirements related to the WFH model. In any instance, Gamblin points out that technical controls – such as password rotations, session timeouts, and automated patching – are typically easier to enforce than rules or procedures. The latter – which includes things like rules around transporting company equipment offsite and security awareness training – depends more on human behavior.
With that in mind, we asked Gamblin, Wilson, and other security pros to share some of the key components your remote security policies should address:
What should be in a remote security policy? 5 essentials
This is one of the fundamentals of what Wilson calls the “organizational-facing” remote work policy, meaning the overarching policy that governs the company’s security practices. It’s an area that likely needs to be reevaluated now and on an ongoing basis, especially in organizations where working from home was not already a regular or semi-regular practice.
“Start by identifying the groups authorized to conduct activities remotely, while noting that this has likely changed dramatically in the past two months, and capture the minimum necessary access privileges for end-user roles,” Wilson says. “Next, define authorized methods to access organizational resources (such as VPN) as well as approved third-party software, whether as-a-service or a traditional client on an end-user device. This includes the kinds of assets authorized to connect to organizational resources. The final component of this organizational-facing policy is to outline the encryption requirements for both at-rest and in-transit [data].”
VPN usage is higher than normal now in many organizations, which can pose various WFH security challenges. The split tunneling networking concept is one option, according to Joe Partlow, CTO at ReliaQuest.
“Organizations can manage the increase in VPN usage by implementing split-tunnel VPNs, which can maintain visibility into the endpoint while decreasing the load on the VPN,” Partlow says.
Brian Wilson, CISO at SAS, also recommends considering other types of secure access tools to relieve the pressure on your VPN.
“Streamline access to internal resources in order to make them available from the internet without VPN – access via Azure App Proxy, Cloudflare Access, Okta Access Gateway, for example,” the CISO says. “These technologies allow you to make internal resources available externally but verify your identity prior to exposing the services to you.”
Threat monitoring and detection – and initiating appropriate responses – is typically based on an organization’s assessment of “normal” on its network, web applications, endpoints, and other assets. Well, guess what: “Normal” kind of lost its meaning a couple of months ago. You need to revisit your baselines to be able to properly identify abnormal activity, according to Partlow.
“As employees surge onto corporate networks from disparate remote locations, security teams will likely see an uptick in login attempts and failures across your VPN or BDI portals. There will also be more RDP traffic, geo triggers outside of your corporation’s IP space, and an increase in false positives,” Partlow says. “Go back to your core security tenets of what is normal and abnormal activity, and baseline it.”
Your existing baselines won’t necessarily account for all, or even most, of your team members logging in remotely. An uptick in legitimate login failures, Partlow says, might look like a brute-force attack. Similarly, depending on the geographic distribution of your employees, travel restrictions most likely limit the number of different places or regions from which legitimate users will be trying to sign in. So if you’re seeing activity from a country in which none of your employees live, for example, that’s probably a warning sign.
It’s important to not dismiss these anomalies, as they could indicate a malicious outsider taking advantage of the remote work model, Partlow says. “Update your automation playbooks to reflect this ‘new normal,’ which will decrease false alarms and allow faster response to accurate anomalies.”
Most, if not all, of your endpoints are at least temporarily outside of the corporate perimeter. Moreover, personal device use is probably increasing. Both Partlow and SAS's Brian Wilson stress the need for endpoint visibility.
“A must-have for work-from-home security is endpoint visibility on or off the network,” Wilson from SAS says. “Many security technologies are designed to work on-premises or require client systems to connect to the VPN to get their work done. This can become problematic when clients on VPN attempt to access cloud technologies like G Suite or Office 365. Their traffic now must go through corporate and back out to the internet, causing latency and bandwidth issues.”
A robust WFH security policy should address how organizations will be able to effectively see and manage all of the devices employees use to access corporate systems and data. “Endpoint management tools are one way to increase visibility into user behavior,” Partlow says.
Let’s examine two more essentials: