
Peter Wayner
Contributing writer

6 top security technologies to protect remote workers

Feature
Feb 08, 2021 | 9 mins
Network Security, Security

Zero trust, SASE, and identity management are just some of the technologies companies are deploying to secure home-based workers, systems and data.

[Image: Laptop user with virtual security overlay. Credit: iBrave / Getty Images]

The COVID-19 pandemic is far from over, but many companies are signaling that they may never go back to requiring all employees to come to the office each day. The ability to work from anywhere, once just for traveling sales teams and outliers, might become the dominant option for many people.

Before this can happen, companies must lay a more secure foundation for remote collaboration. The tools that supported occasional access for road warriors must be extended and enhanced to carry the data for all the company’s workflow. The first job must be to ensure that the bits flow securely. These are the basic security tools and technologies to support remote workers.

TLS certificates

When employees log in remotely, they should use encrypted connections. Make sure websites have current TLS certificates and that the sites use HTTPS for all communications. Installing certificates to enable encrypted web connections couldn’t be easier thanks to the efforts of projects like Let’s Encrypt. Certificates offering more elaborate guarantees, such as organization validation, come from other certificate authorities like DigiCert, GeoTrust and Comodo. Many cloud providers and colocation services will resell certificates.

Zero trust

If you use a virtual private network (VPN), you must be able to trust the endpoint. Home VPN subscriptions will not do the job. Some of the well-established private network companies include Barracuda, Perimeter 81 and WindScribe, and all offer traditional VPN solutions.

These tools, though, are showing their age, and VPN is not the best model for a world where no clear lines mark where the office begins and ends. Some organizations are adopting a zero-trust model, which assumes that all employees log in from dangerous places like, say, a coffee shop whose WiFi is compromised by an evil hacker collective. All packets are flowing through enemy territory. 

This wary attitude is not just for bits traveling over the network. Many inward-facing applications are constructed with the assumption that they will live in a secure network because some firewall or other access tool has filtered out dangerous packets. The old paradigm of a strong perimeter made it possible for application developers to ignore security concerns.

Moving to zero trust means shifting attitudes. Todd Thiemann, vice president of marketing at threat intelligence firm HYAS, says, “The perimeter is thoroughly dead. If you are relying on gateway security, you are not watching all the traffic flowing in and out of the work from home endpoints.”

Developers must study code to find places where the old assumptions don’t hold. For instance, does a web app respond to any request for a URL? Does it assume that only trusted people will know the right URL for downloading a file? Is everyone with an account on one machine assumed to be an administrator? These are common shortcuts that can be sufficient in a trusted network but fail badly on an open one. The architects will need to review their code with a plan for adopting a zero-trust paradigm. Some code can be fixed by adding checks for correct authentication, but other code may require significant redesign. One straightforward solution is to secure data when it’s not in use.
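The two shortcuts the paragraph names (answering any request for a URL, and assuming only trusted people know a download URL) are easiest to see side by side. The following is an added example, not code from the article or from any vendor it mentions: a perimeter-era download handler that serves a file to whoever knows its name, next to a zero-trust version that authenticates the caller, checks an access-control list, and keeps the resolved path inside the document root. The session store, ACL, file names and request/response types are all constructed for the illustration.

```python
import os
import tempfile
from dataclasses import dataclass

# Constructed document root holding one shared file and one private file.
ROOT = os.path.realpath(tempfile.mkdtemp(prefix="docs-"))
for _name, _body in {"handbook.txt": b"shared", "alice-payroll.txt": b"secret"}.items():
    with open(os.path.join(ROOT, _name), "wb") as _f:
        _f.write(_body)

# Hypothetical access-control list: relative file path -> users allowed to read it.
ACL = {"handbook.txt": {"alice", "bob"}, "alice-payroll.txt": {"alice"}}

# Hypothetical session store: token -> username (in practice backed by the IdP / MFA flow).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

PREFIX = "/download/"


@dataclass
class Request:
    path: str                  # e.g. "/download/handbook.txt"
    session_token: str = ""    # empty when the caller has not logged in


@dataclass
class Response:
    status: int
    body: bytes = b""


def download_perimeter_era(req: Request) -> Response:
    """The 'trusted network' shortcut: whoever knows the URL gets the file.
    Nothing identifies the caller; the firewall was assumed to have done that."""
    if not req.path.startswith(PREFIX):
        return Response(404)
    full = os.path.join(ROOT, req.path[len(PREFIX):])
    if not os.path.isfile(full):
        return Response(404)
    with open(full, "rb") as f:
        return Response(200, f.read())


def download_zero_trust(req: Request) -> Response:
    """Every request is authenticated, authorized and path-checked,
    because the network the request came from tells us nothing."""
    user = SESSIONS.get(req.session_token)
    if user is None:
        return Response(401)           # not logged in: who are you?
    if not req.path.startswith(PREFIX):
        return Response(404)
    # Resolve symlinks and '..' and insist the result stays under ROOT.
    full = os.path.realpath(os.path.join(ROOT, req.path[len(PREFIX):]))
    if os.path.commonpath([full, ROOT]) != ROOT:
        return Response(403)           # escapes the document root
    if not os.path.isfile(full):
        return Response(404)
    rel = os.path.relpath(full, ROOT)
    if user not in ACL.get(rel, set()):
        return Response(403)           # authenticated, but not allowed this file
    with open(full, "rb") as f:
        return Response(200, f.read())


if __name__ == "__main__":
    anon = Request(PREFIX + "alice-payroll.txt")
    print("perimeter-era, anonymous:", download_perimeter_era(anon).status)   # served
    print("zero-trust, anonymous:   ", download_zero_trust(anon).status)      # refused
```

The order of the checks in `download_zero_trust` matters: identity first, then the path containment check, then the per-file authorization, so that an unauthenticated caller learns nothing about which files exist.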

“We’re a big Azure shop and all the data at rest is encrypted,” says Thiemann. “It’s not PII; it’s not customer sensitive data. But just as the best practice we encrypt that data when it’s in motion or at rest.”

Azure, like all the major clouds, offers options for securing the data. Oracle, as well as other database vendors, distributes an SDK with Python and Java code to simplify the process. A wayward attacker won’t be able to leverage access to the file system or the network because the data will be locked up.

Secure access service edge (SASE)

Another way to rework existing applications for an audience on the open internet is to add a special gatekeeper where users and their requests for data are stopped to check for correct identity and access. One growing architectural model for this kind of smart, pan-enterprise filter is what some vendors call “secure access service edge” or SASE (pronounced “sassy”). This gatekeeper is much smarter than a basic firewall: it can apply stateful filtering by examining the data inside the requests and making decisions based upon those values.

This new layer can be added to protect any of the various web services, including many that might be hosted outside the company in a cloud. The user’s computer talks only to the SASE gatekeeper, and the other services answer only requests that have been checked by the SASE gatekeeper.

Tools from companies like Citrix, Palo Alto Networks and McAfee track users over time and make decisions about access to all services even if they aren’t hosted in the same location or the same cloud.

Cloud applications and storage

Employees’ remote computers can’t become regular storage locations for sensitive documents and data. Employees should not be able to work with sensitive information on unencrypted thumb drives or other hardware and leave the data in locations where thieves could prey upon it. Ransomware continues to be a serious threat for destroying remote data.

Remote storage providers like Dropbox have encrypted options for extra security for data at rest. Developers should routinely check code into repositories like GitHub, GitLab, or Bitbucket. Data analysts should use central hubs like Saturn Cloud, Matrix DS, or the Collaboratory.

Many companies are shifting to the web-based versions of popular office tools like Google Workspace (formerly G Suite) or Microsoft Teams. These are flexible and relatively easy to deploy to large teams, but the security details are still not completely understood. While the major companies employ large security teams, the model of shipping code to people’s browsers is still evolving. Google, for example, suffered an embarrassing leak of private documents. Developers still don’t fully understand the complexity of securing code running in a browser where extensions or the developer console may inject code. These tools, like all others, should be monitored for flaws or potential problems.

Multi-factor authentication

One of the first challenges will be identifying the users. The old-fashioned password may be sufficient in a trusted office, but adding a layer of assurance is better. The simplest solution is to require a second factor such as the employee’s mobile phone. Some service providers like Twilio, Vonage, Plivo, and Telnyx offer APIs for a wide range of communications, including sending SMS messages.

More sophisticated solutions use apps running locally on the mobile device that can generate single-use passwords based upon the time. Tools like Google Authenticator, FreeOTP, and LinOTP store a shared secret when the user first initializes them and then use it to generate a new password based upon the time each time the user wants to log in.
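The scheme those authenticator apps implement is standardized as HOTP (RFC 4226) and its time-based variant TOTP (RFC 6238): the shared secret is fed to HMAC together with a counter, and for TOTP the counter is the number of 30-second steps since the Unix epoch. The block below is an added example written for this article, not code from any of the apps or vendors it names; it generates codes, checks them on the server side with a small clock-skew window, and refuses a code whose time step has already been accepted, which is the replay case a server has to handle. The secret and code values used are the published RFC test vectors; the base32 helper reflects how apps receive the secret from a QR code, which the text does not describe.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                               # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)      # keep leading zeros


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algo)


def verify_totp(secret: bytes, code: str, at: int, last_counter: int = -1,
                step: int = 30, digits: int = 6, skew_steps: int = 1) -> Optional[int]:
    """Server-side check. Accepts the code if it matches any step within +/- skew_steps
    of the server clock AND that step is newer than the last one accepted for this user.
    Returns the accepted counter (store it as the new last_counter) or None."""
    now_counter = at // step
    for delta in range(-skew_steps, skew_steps + 1):
        counter = now_counter + delta
        if counter <= last_counter:
            continue                                      # already used: replay
        expected = hotp(secret, counter, digits)
        if hmac.compare_digest(expected, code):           # constant-time compare
            return counter
    return None


def secret_from_base32(s: str) -> bytes:
    """Authenticator apps receive the secret as base32 (otpauth:// URI in a QR code);
    re-add the padding that URIs commonly omit."""
    s = s.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # Constructed demo secret (the RFC test-vector secret); never reuse it in production.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(secret, now)
    print("current code:", code)
    print("accepted at counter:", verify_totp(secret, code, now))
```

Two details deserve attention when wiring this into a login flow: store `last_counter` per user and update it on every success, otherwise a code intercepted and replayed within the skew window is accepted; and keep the skew window small, since each extra step doubles the number of codes that pass.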

The rise of mobile phone malware has increased interest in dedicated hardware tokens that apply all encryption and authentication algorithms inside a special piece of hardware. Tools like the RSA SecurID, Yubikey, or Onlykey aren’t susceptible to attacks that are able to infiltrate the desktop or mobile operating systems. They offer increased security at the cost of requiring users to juggle one more item.

Identity and access management

The tools for multi-factor authentication (MFA) need to work closely with enterprise applications, and this is a challenge for in-house developers who will need to adjust the local codebase. Some teams are turning to identity and access management services (often referred to as identity as a service or authentication as a service) that are designed to be easily integrated into any codebase. Software from companies like Auth0 or Okta handles identity and access management with the best algorithms, allowing the in-house developers to concentrate on the business logic.

Auth0, for instance, offers a collection of quick-start examples that let a developer cut and paste a few lines of code and secure everything inside the application. The code from Auth0 adds a login dialog box, and then the Auth0 servers check the password and enforce any stronger rules like a requirement for two-factor authentication. If you need to trigger a mobile app or send an SMS, Auth0’s servers do the work. When the check is satisfied, control passes back to your application.

Okta offers a similar set of services and likes to call its approach an “identity engine” for testing anyone who wants access. It rolls together a collection of authentication and management tools into a flexible pipeline that simplifies creating accounts and granting the owners the correct access. The steps can be configured to include a variety of options like tracking the user’s specific laptop or phone to reduce the focus on the password alone.

The companies also simplify the work of juggling all the accounts by providing a dashboard for tracking users, adding new accounts and adjusting access roles. The developer can add a sophisticated layer that handles both identity and authentication with pre-tested code.

Review assumptions about remote security

Some of the most important steps are not technical; they’re emotional and personal. “Everybody went home very rapidly and now I think we’re in an era where we have to formalize procedures,” says Greg Conti, a co-founder of cybersecurity research firm Kopidlon. “We can’t assume it’s temporary, then we need to develop policies for the long haul.” 

Everyone should pause and revisit all decisions made in haste. A surprisingly large number of security breaches come from social engineering, the process by which someone fools an employee into granting privileges or releasing information. A decentralized workforce won’t see each other in the hallways or the elevators.

A simple solution is spending more on events. Throwing parties, buying lunches, or arranging for retreats will help maintain the social fabric that may be fraying. Having fun may sound frivolous, but it can be the best way to improve security around a distributed office.