Cybersecurity in the Pandemic Panic - The Age of The Remote Workforce

The rise in employees forced to work from home (WFH) due to the COVID-19 outbreak has led to a major spike in companies realizing they are not prepared for the new onslaught of remote workers. There is no telling how long this period could last, and subsequently, businesses are starting to evaluate how they will securely facilitate long-term access for their remote workers.

In Part 3 of our 4-part series, we will discuss:
  • Considering the viable solutions for remote users in response to COVID-19
  • Transitioning to the new norm of Working from Home
  • VPN use booming in response to COVID-19, but is it sustainable?
  • Working through the COVID-19 pandemic to set up secure remote connections

Different Infrastructures

Every organization has different needs and operating environments. As such, there is no “one solution fits all” approach. Before the cloud movement erupted, most applications were installed and hosted on an office network. In order to access these applications, users had 2 choices: physically show up to the office or use a virtual private network (VPN) application. It comes as no surprise that VPNs are popular. For one, users can turn on their VPN to connect to the office network, which grants them access to on-premise applications. Additionally, VPNs enable companies to operate when a crisis like COVID-19 occurs. Today, however, more organizations are shifting to hybrid infrastructure solutions rather than on-premise ones.

The boom in Software as a Service (SaaS), Platform as a Service (PaaS), and Infrastructure as a Service (IaaS), more commonly known as “the cloud,” drastically changed how businesses operate. Cloud environments gained major adoption because they are incredibly agile and thus cost-effective. Furthermore, the cloud enables employees to be exceedingly mobile and no longer restricted to being in the office or needing specific VPN hardware. With the cloud being so efficient, organizations are quick to adopt it in their disaster recovery plans for emergency WFH situations like COVID-19. Moreover, the cloud is becoming the new “norm” as commonly used productivity applications like Exchange and SharePoint move to the cloud and Office 365, MS Teams, and Slack become standard tools.

It almost seems meaningless to still have a VPN as a backup connection to the office when so many of the most fundamental business applications are hosted in cloud environments. Organizations with offsite support for end users on on-premise infrastructure are becoming an exception. This is particularly impractical given that cloud applications do not run or reside in the business office. As organizations operate during the COVID-19 pandemic, this theory has started to materialize.


Different Needs and Hardware

Normal responsibilities such as firewall configuration and accounting do not cease to exist during catastrophes. There must always be a channel for mission-critical employees to perform their job. While this can be a dangerous point of entry, it can also save an organization if something goes wrong on the front end and physical access just isn’t possible.

First off, determining business objectives and where critical applications are located can eliminate unnecessary, resource-intensive expenditures. For instance, if protecting employees on public networks is the number one goal, a VPN might not have the best return on investment when compared to alternative options. This is because deploying VPN connections requires significant budgeting, personnel, and time. Furthermore, most SaaS platforms are innately secure and make use of secure protocols like HTTPS. So, employees are protected as long as they exercise basic attentiveness.

Additionally, organizations need to consider what hardware is going to be used given the current situation. Hardware from China is not entirely feasible, especially during the current crisis. Businesses opting for a Bring Your Own Device (BYOD) setup need to consider the risks. Many home computers are shared devices and, consequently, may have users visiting sites that can put the computer at risk. However, proper staff training and enforcing an acceptable use policy (AUP) can strengthen awareness and reduce endpoint security threats. This AUP can outline that the BYOD device will have a company-approved anti-virus, passwords, privacy screen, etc. to protect the device. It can also specify the need for a separate user shell to protect technical aspects such as a session cookie from a remote email session.


Death of the VPN?

When employees remote into the office with a VPN but still utilize their personal web browser to access SaaS platforms, they are in a way defeating the purpose of a VPN. That is, a VPN serves to directly access remote resources. VPNs also enable companies to apply corporate protections like safe URL inspection and malicious content protection. Even with employees working from home, data in transit must still be secured to protect it from threats. To protect this data, businesses employ network security like firewalls and proxies that sit on the internal network. As a result, confirming a secure connection requires forcing all connections to go through the VPN and back to the office for inspection before going to the actual SaaS provider. This is a rather tedious task that is not necessarily warranted with the proliferation of host-based security and endpoint protection.

It is also important to consider that internal network security devices are designed to handle a pre-determined volume of traffic. When a user works from home, their bandwidth and volume can vary significantly. Therefore, they might endure extremely slow connections when they turn on their VPN to access commonly used SaaS applications.

Moreover, it is worth noting that home internet typically does not have the policies, security appliances, and safety nets of an office network. This means a user can visit a site that is questionable in safety and violates the company’s policies. However, there are numerous host-based controls and platforms that can be configured to act as a Web Application Firewall (WAF) and eliminate the need to deploy VPNs for every single employee. These solutions can expedite the time to get a business back up and operating securely. In addition, security teams can publish documents, host live demonstrations, and record walkthroughs on how to install various agents. These agents are especially useful because, regardless of a host’s location, they can apply policies like limiting social media access.

As long as an endpoint is secure, a remote employee is protected from most threats. Nonetheless, VPNs are helping personnel continue their jobs by remotely accessing office applications. However, their future is limited. The COVID-19 pandemic may have fast-tracked the death of the VPN, as organizations are considering that business requirements can be met with SaaS and that workarounds do exist for getting on-premise security protections.

Silent Sector is aware that cyber criminals increasingly use delicate situations like COVID-19 to infiltrate an organization. Contact us to learn more about architecture security reviews and other services to support your organization’s transition to the new norm of WFH.

About the Author

Written by Haidon Storro

Cybersecurity Research & Content Manager, Silent Sector -- Haidon Storro is a Cyber Security Analyst for CVS Health. She has her BS in IT Cyber Security as well as security certifications like CompTIA Security+ and ISC2. While Haidon is newer to the security community, she has dedicated herself to learning as much as she can through internships, online courses, and conventions like DefCon. In her free time, she enjoys reading about new advancements in technology, going to security meetups and participating in cyber defense competitions. One of Haidon’s goals is to make the connected world safer by bridging the human aspect with technology.