Working from Home – New Security Issues
So your organization has suddenly found itself with most of its staff working from home, as that has become the more common way of conducting business these days. You quickly set up a remote-access solution, or you already had one that you are now using far more heavily than before.
There are several security and possibly regulatory issues to consider when working from home. I will present a checklist here.
- Data Encryption at rest
- Data Encryption in motion
- Minimum Acceptable Health and Compliance of the endpoint
- Identity Management and Verification
Let's talk about data encryption at rest first. If you use Office 365, Dropbox, G Suite (Google Apps) or any other cloud-based service for telecommuting, your home user's machine is most likely running a Home edition of Windows 10, or macOS if they are on an Apple device. Some organizations are required to have their data encrypted at rest wherever it is resting: on an in-house server, in the cloud, or on an endpoint device. Even when the files live in the cloud, they are usually synced down to the endpoint so the user can work on them, and at that moment the data is at rest on a home computer you do not control.
Windows 10 Pro and above have a built-in feature to encrypt data at rest called BitLocker. It encrypts the entire contents of a drive so that nobody other than the rightful user of that endpoint can read the data from it. With an unencrypted drive, I can simply pull the drive out of the system, connect it to another machine as a secondary drive and read every file on it with absolutely zero authentication in the way. This means that if a laptop or desktop is stolen or lost, all data on it is fair game to whoever has it. BitLocker protects the drive while the machine is powered off; once Windows has booted and the user has signed in, it is the sign-in password and screen lock that stand between a thief and the data, so the two controls go together.
The same is true of mobile devices, which is why we lock down any phone that accesses company data with a PIN code or password. Newer Android phones and all current iPhones encrypt data at rest automatically by default; older Android phones do not. Windows does not encrypt by default on most machines: a Windows 10 Home device that meets Microsoft's hardware requirements (TPM, Modern Standby) offers "device encryption", but it only switches on once the user signs in with a Microsoft or Azure AD account, and everything else needs BitLocker turned on and configured. Apple's macOS FileVault likewise must be turned on.
Then there is encryption recovery. What if the user forgets their password, the TPM is cleared, or the recovery token is lost? If the endpoint is joined to Azure Active Directory (the cloud directory behind Office 365 and Microsoft 365), the BitLocker recovery key can be escrowed to the cloud, where a Global Administrator of your tenant can retrieve it for that device; an on-premises Active Directory can be configured to hold it as well. Otherwise you must manage the recovery key yourself and keep it in a physically secure location, separate from the laptop.
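The following PowerShell script is an added example (not from the original post) of how an administrator would check the points above on a single Windows 10 Pro endpoint: confirm there is a TPM, look at whether protection is actually on, enable BitLocker if it is not, make sure a recovery password exists, and escrow it to Azure AD when the device is Azure AD joined. It assumes the script is run as Administrator, that the built-in BitLocker module is present (Windows 10 Pro or higher), and that `dsregcmd /status` reports the join state.

```powershell
# Added example, not the original article's code.
# Assumes: Windows 10 Pro+, run as Administrator, BitLocker module available.
#Requires -RunAsAdministrator

$mount = $env:SystemDrive   # normally "C:"

# 1. Without a ready TPM, BitLocker has to use a startup password or USB key,
#    which home users lose. Warn rather than fail.
$tpm = Get-Tpm
if (-not $tpm.TpmPresent -or -not $tpm.TpmReady) {
    Write-Warning "TPM not present or not ready; BitLocker would need a startup password or key file."
}

# 2. Current state. ProtectionStatus 'On' is what matters: a fully encrypted
#    volume whose protection is suspended (e.g. after a firmware update) is
#    readable by anyone who pulls the disk.
$vol = Get-BitLockerVolume -MountPoint $mount
"{0}: VolumeStatus={1} Protection={2} {3}% encrypted, method={4}" -f `
    $mount, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage, $vol.EncryptionMethod

# 3. Ensure a recovery password protector (the 48-digit key) exists before
#    binding the disk to the TPM, so a TPM change cannot lock the user out.
$rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $rp) {
    Add-BitLockerKeyProtector -MountPoint $mount -RecoveryPasswordProtector | Out-Null
    $rp = (Get-BitLockerVolume -MountPoint $mount).KeyProtector |
          Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 4. Turn encryption on if the drive is still in the clear. XTS-AES 256 is the
#    strongest built-in method; -UsedSpaceOnly makes first-time encryption fast.
if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $mount -EncryptionMethod XtsAes256 -UsedSpaceOnly -TpmProtector -SkipHardwareTest
} elseif ($vol.ProtectionStatus -eq 'Off') {
    Resume-BitLocker -MountPoint $mount     # encrypted but suspended: re-arm it
}

# 5. Escrow the recovery key. On an Azure AD joined device it lands on the
#    device object, where a Global Administrator can look it up later.
$aadJoined = [bool]((dsregcmd /status) -match 'AzureAdJoined\s*:\s*YES')
foreach ($p in $rp) {
    if ($aadJoined) {
        BackupToAAD-BitLockerKeyProtector -MountPoint $mount -KeyProtectorId $p.KeyProtectorId
        "Recovery key {0} backed up to Azure AD" -f $p.KeyProtectorId
    } else {
        # Not cloud joined: the admin must record this 48-digit key offline now.
        Write-Warning ("Not Azure AD joined. Store this recovery key securely: {0}" -f $p.RecoveryPassword)
    }
}
```

Run it once per endpoint after the machine is joined; the second section is the one to put into a scheduled compliance check, since "encrypted but protection Off" is the state that quietly undoes the whole control.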
I have been focused on cloud here and haven't mentioned VPN yet. Even with a VPN-based remote access solution, it is possible for your end user to copy data down to their home endpoint, where it is just as exposed at rest as in the cloud sync case.
We are a WatchGuard reseller, and the WatchGuard firewalls have a VPN-over-HTTPS solution for working from home for those who are not in the cloud or are in a hybrid cloud setup. A VPN is secure in the sense that it encrypts data in motion between the home machine and the office; it does nothing to encrypt that data once it is at rest on the endpoint.
The other thing to consider with your home users is the health of their endpoints and accounts. Are the endpoints protected by an authentication method at all? Is it legacy authentication (username and password only) or is it multi-factor? What about your cloud accounts? Are they multi-factor, or does it take just an email address and a halfway-decent password to convince your infrastructure that the right person is accessing the right information? Do the endpoints have adequate client security to stop viruses and malware? Is there a method in place to monitor and enforce all of this, rather than hoping the user did it?
Identity management and verification become far more critical when more of your staff are working remotely. Does access to your data leave an audit trail, and does anyone look at it?
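The PowerShell below is an added example (not from the original post) covering both of the questions just raised for a Microsoft 365 tenant: which recent sign-ins used legacy protocols or only a single factor, and whether file access leaves an audit trail. It assumes the Microsoft.Graph and ExchangeOnlineManagement modules are installed, that the account running it can read sign-in logs and the unified audit log (Reports Reader plus an audit-log role, with the Azure AD Premium licence that the sign-in report API requires), and that the tenant uses OneDrive/SharePoint for files.

```powershell
# Added example, not the original article's code.
# Assumes: Install-Module Microsoft.Graph, ExchangeOnlineManagement (once),
# an account with rights to sign-in logs and the unified audit log.

$since    = (Get-Date).AddDays(-7).ToUniversalTime()
$sinceIso = $since.ToString("yyyy-MM-ddTHH:mm:ssZ")

# ---- (a) Sign-in posture: legacy authentication and single-factor sign-ins ----
Connect-MgGraph -Scopes "AuditLog.Read.All","Directory.Read.All"
$signIns = @(Get-MgAuditLogSignIn -Filter "createdDateTime ge $sinceIso" -All)

# Legacy protocols (IMAP, POP, SMTP, ActiveSync, old Office clients) cannot do
# MFA; they appear under ClientAppUsed values other than the two modern ones.
$legacy = $signIns | Where-Object { $_.ClientAppUsed -notin 'Browser','Mobile Apps and Desktop clients' }
"Legacy-auth sign-ins by user and client, last 7 days:"
$legacy | Group-Object UserPrincipalName, ClientAppUsed |
    Sort-Object Count -Descending | Select-Object Count, Name | Format-Table -AutoSize

# Successful sign-ins (Status.ErrorCode 0) that were never challenged for a second factor.
$ok           = $signIns | Where-Object { $_.Status.ErrorCode -eq 0 }
$singleFactor = $ok | Where-Object { $_.AuthenticationRequirement -eq 'singleFactorAuthentication' }
"{0} of {1} successful sign-ins did not require MFA" -f @($singleFactor).Count, @($ok).Count
$singleFactor | Group-Object UserPrincipalName | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# ---- (b) Audit trail: is it switched on, and what copies of data left the tenant? ----
Connect-ExchangeOnline -ShowBanner:$false
$cfg = Get-AdminAuditLogConfig
if (-not $cfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit log is OFF: file access leaves no trail. Turning it on."
    Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
}

# Downloads and full sync pulls are the operations that put a copy of a file on
# the home endpoint, which is exactly the data-at-rest exposure discussed above.
$events = Search-UnifiedAuditLog -StartDate $since -EndDate (Get-Date).ToUniversalTime() `
    -RecordType SharePointFileOperation -Operations FileDownloaded,FileSyncDownloadedFull -ResultSize 5000
$events | ForEach-Object { $_.AuditData | ConvertFrom-Json } |
    Select-Object CreationTime, UserId, Operation, ClientIP, ObjectId |
    Sort-Object CreationTime -Descending | Format-Table -AutoSize
```

The first report is the one to act on immediately: every user who shows up under a legacy client is a user for whom MFA is not actually protecting the account, however the policy is written. The second report only exists if the audit log was on before the event, which is why the script enables it rather than merely reporting its state.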
There’s a lot to consider when managing access to your precious corporate data and maintaining compliance with any regulatory requirements.