What if a remote device, accessing corporate resources behind your firewall or in the cloud, became rogue or fell into the wrong hands? How can you prevent this from ever happening?
Managing and securing a fleet of disparate mobile or personal devices is one of the most important and challenging things CIOs and IT managers must do.
When Information Technology does not leave the confines of your premises, and when you only use Windows® computers, managing user authentication and access to resources is relatively easy. All you need is a domain controller like Microsoft® Active Directory (AD) or Samba. Securing the domain is facilitated by the fact that it sits neatly within the firewall perimeter. The domain controller provides doors and keys to allow legitimate users in and out of resources. Your firewalls and associated security apparatus surround everything with fences and inspect what passes through each door in each direction. They also block what tries to bypass them.
For most midsize businesses, however, reality is now more complex than the situation depicted above. Resources* and the computers that access them are as likely to sit within the firewall perimeter as they are to be outside of it. Likewise, devices are as likely to be personal as they are to be company-owned. They are as likely to be stationary as they are to be mobile. They can be Windows® machines, but they can also be Macs®, smart phones, Linux systems, tablets, or Chromebooks. This creates new security and compliance risks on two main fronts:
- on the device front: Loosely hardened remote devices that poke through your company firewall via VPN or VPN+RDP can infect internal resources, e.g., crypto-malware spreading through mapped drives.
- on the user front: When resources can be accessed anywhere on the Internet, eavesdropping, theft or tampering are hard to prevent and detect, e.g., documents containing "protected health information" (ePHI) could be downloaded from the cloud onto a local drive of an untrusted computer.
User related risks are addressed through policies, training, control, and enforcement while device related risks are addressed through technical means. Incidentally - as we will see further on - technical means should also be used to help enforce "acceptable use policies" in the cloud and address "user related risks".
In traditional VPN setups, companies configure a single hub-and-spoke VPN between a central location and remote devices, as well as secondary tunnels between locations. The system can be hardened: (1) Pre-shared static keys uniquely identify "paired" devices with one another. Passwords are required to provide some assurance that users are who they claim to be. Two-factor authentication can optionally be used to further increase security. (2) Once the VPN user is connected to the gateway, 100% of their Internet traffic goes through the gateway, where it is filtered by your company's firewall and other security systems. (3) You can go one step further and set up firewall rules so that remote users can only access their own PCs on the corporate network. Once they have successfully logged into their PC, they can access domain resources as they would if they were physically sitting in front of their office computer.
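Step (3) above, as an added example that is not code from the original article: a small Python script that turns a table of VPN clients and their own office PCs into an nftables ruleset for the VPN gateway, plus a function that models the resulting policy so it can be checked before the rules are loaded. It assumes a Linux gateway filtering forwarded traffic with nftables, a tunnel interface named wg0, and one static tunnel address per paired device (the pre-shared key pairing makes that address a stable device identity); all addresses are constructed.

```python
"""Per-user access restriction for VPN clients (step 3 of the hardening).

Added example, not code from the original article. Assumes a Linux VPN
gateway that filters forwarded traffic with nftables, a tunnel interface
named "wg0", and a static tunnel address per paired remote device. All
addresses and names below are constructed.
"""
from ipaddress import ip_address

RDP_PORT = 3389      # Remote Desktop
VPN_IFACE = "wg0"    # assumed name of the VPN tunnel interface

# Constructed mapping: static VPN tunnel address -> that user's own office PC.
ASSIGNMENTS = {
    "10.8.0.11": "192.168.10.21",
    "10.8.0.12": "192.168.10.22",
}


def build_ruleset(assignments, vpn_iface=VPN_IFACE, rdp_port=RDP_PORT):
    """Return an nftables ruleset (loadable with `nft -f`) that lets each VPN
    client open RDP to its assigned office PC only and drops everything else
    that client sends toward the corporate network."""
    lines = [
        "table inet vpn_access {",
        "    chain vpn_clients {",
    ]
    # One accept rule per paired device: its tunnel address, its PC, RDP only.
    for src, dst in sorted(assignments.items(), key=lambda kv: ip_address(kv[0])):
        ip_address(dst)  # raise early on a malformed mapping
        lines.append(
            f"        ip saddr {src} ip daddr {dst} tcp dport {rdp_port} ct state new accept"
        )
    lines += [
        # Anything else from the tunnel is logged (for the firewall log) and dropped.
        '        log prefix "vpn-denied: " drop',
        "    }",
        "    chain forward {",
        "        type filter hook forward priority 0; policy accept;",
        # Replies belonging to a session that was already accepted.
        "        ct state established,related accept",
        # Only traffic arriving from the VPN tunnel is subject to the per-user rules;
        # the rest of the corporate firewall policy is left to the existing firewall.
        f'        iifname "{vpn_iface}" jump vpn_clients',
        "    }",
        "}",
    ]
    return "\n".join(lines) + "\n"


def is_permitted(assignments, src, dst, dport, rdp_port=RDP_PORT):
    """Python model of the policy build_ruleset() emits: a new connection from
    the tunnel is allowed only from a known tunnel address, to that user's own
    PC, on the RDP port."""
    return assignments.get(src) == dst and dport == rdp_port


if __name__ == "__main__":
    print(build_ruleset(ASSIGNMENTS), end="")
```

Review the generated text, then load it on the gateway with `nft -f`. The per-client lines only accept new RDP connections to the one assigned PC; the trailing `log ... drop` records every other attempt coming out of the tunnel, so the firewall log becomes the first place to look when a remote device starts misbehaving.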
Up to this point, the transmission is as safe as any transmission within a corporate network. What is potentially unsafe in this case is the data transmitted. Hardening the transmission does not address the fact that something saved or installed on the remote device can infect the corporate network, open a breach or let an attacker into your network. Personal computers and home networks are not as secure as their corporate peers. Homes contain connected devices (IoT devices, gateways) that can easily be broken into from the Internet and open the home network to attackers. Personal computers may not be patched as rigorously, and they may not have an antivirus system (so you need to manage them with your Remote Management and Monitoring (RMM) system). They may also be run as "admin" and be used by multiple people who may not behave securely on the Internet (so you may need to ask users to create a separate non-admin user profile for their work activities). Finally, they are often exposed to public WiFi networks, where threats are more likely. In short: for your corporate network, the risk of infection grows as the attack surface widens.
The simplest and most effective way to address this issue is to deny remote Windows devices access to your network and only let "safer" devices in: managed Chromebooks, Macs, Linux PCs, tablets, and phones (with sealed and encrypted work profiles protected by MDM systems). These devices are more impervious to Windows malware. Once connected via VPN, they are as capable as a PC of accessing network shares and of using Remote Desktop to reach corporate PCs.
Alternatively, instead of using a Remote Desktop session to log into a corporate PC, you may run a Windows virtual machine to log directly into the corporate network with your domain credentials. This virtual machine can run on a personal computer or in the cloud (e.g., via Amazon WorkSpaces). The virtual machine is set to start with a single click and to open a VPN tunnel at boot. Once the user is logged into the domain, group policies kick in to enforce corporate security standards. The user is not an admin and cannot install programs. Acceptable use policies become easier to enforce. Files cannot be pasted into the VM.
In this scenario, the VPN software and pre-shared static keys are not installed on the remote PC host; they are installed in the virtual machine. The virtual disk of the virtual machine is encrypted. Should the PC be lost or stolen, neither the VPN settings nor any corporate data would be exposed. The VM can be insulated from the host (no shared folders or shared clipboard). With user profile redirection, user folders (My Documents, Desktop, etc.) could stay in a folder on a corporate server, so no document would need to be duplicated or saved in the virtual machine. With reboot-to-restore software like Deep Freeze, the virtual computer could be automatically reset to its original state after every session. Like any other computer in your network, this virtual PC would be equipped with an endpoint security suite (antivirus, firewall, etc.), and it would be shielded from many of the dangers of the Internet by a filtering DNS service like OpenDNS or Cloudflare. The likelihood that the host infects this virtual machine and the corporate network would be greatly reduced. This virtual machine would be built once and copied onto new hosts with new licenses when needed. This would set you back $200+ in license costs + LOB + labor per device (a cloud virtual machine would be even pricier): substantially less than a decent business-owned Windows laptop, but more, over time, than an enterprise Chromebook or Chromebox, which would be virtually maintenance-free.
Sending traffic destined for the Internet or for resources in the cloud through a central location via a hub-and-spoke VPN can lead to congestion and lag, so this VPN solution is not viable for hundreds of users and heavy workloads (as might happen with Covid, work from home, and video conferencing). In organizations with multiple locations, where this issue is exacerbated, multiple interconnected hub-and-spoke VPN hubs can be used to distribute the traffic. This, however, makes setup and management more complex and time-consuming.
For larger teams and distributed organizations, a more manageable solution is preferable. For these situations the hub-and-spoke VPN can be replaced with a mesh VPN** like ZeroTier, Nebula, or Tailscale and a zero trust security solution. In a mesh VPN, devices communicate directly with each other without having to send traffic through a VPN concentrator. Your remote PC can communicate with your work PC, your phone, a Chrome device, a printer or any endpoint you choose, in any direction. The network is virtual, and each connection is individually encrypted. A single dedicated network can be used to connect two devices and further isolate them from their environments. The mesh VPN system is managed through a centralized web-based controller, which can be self-hosted to shield you from the risks inherent in using a public multi-tenant system. The traffic is scanned and scrubbed at each endpoint and as it enters your corporate network or office computers. While mesh VPNs are a great way to handle complex networking situations, they are quite complex themselves and can pose security risks of their own (misconfigurations, back doors, etc.).
When remote devices can be "trusted" and when you use a traditional or a mesh VPN that is sufficiently hardened, an acceptable level of security can finally be achieved, and the room for error or accident in the handling of sensitive information is reduced.
This leads us to our second category of risks: user related risks. As mentioned earlier, these risks are addressed through policies, training, control, and enforcement.
- Policies and training should clearly state that no sensitive data may leave the corporate network or reside in the cloud unless authorized and under restricted conditions. By default, public cloud services like Google Workspace or Microsoft 365 are not HIPAA compliant. You have to make them so by signing a BAA (Business Associate Agreement) with the vendor and by following particular implementation rules.
- Control and enforcement are facilitated by the fact that every action users take in a public cloud like Google Workspace or Microsoft 365 is logged and easily searchable. In your corporate network, this role is assumed by your domain controller, firewall and Intrusion Detection System.
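The control-and-enforcement point above, as an added example that is not code from the original article: a Python rule run over an export of cloud activity events to surface the exact ePHI scenario named earlier (a labelled document downloaded onto an unmanaged device, or shared outside the organization). The event shape, field names, labels, device ids and log lines are all constructed stand-ins; Google Workspace and Microsoft 365 each export their own field names, so the parser is the part you would adapt, while the policy functions stay the same.

```python
"""Control and enforcement from cloud audit logs.

Added example, not from the original article. The newline-delimited JSON
event format, the field names, the labels and the device ids below are
constructed stand-ins for whatever export your cloud suite provides.
Rule: flag any download/export of a document carrying a sensitive label
from a device your MDM does not report as managed, and any external share
of such a document regardless of device.
"""
import json

SENSITIVE_LABELS = {"ePHI", "Confidential"}
COPY_ACTIONS = {"download", "export"}
EXTERNAL_SHARE = "share_externally"

# Constructed: device ids the MDM reports as managed and compliant.
MANAGED_DEVICES = {"mdm-4f21", "mdm-9a07"}

# Constructed sample export, one JSON object per line.
SAMPLE_LOG = """\
{"time": "2024-03-04T14:02:11Z", "actor": "alice@example.com", "action": "view", "doc": "Patient intake 2024-03", "labels": ["ePHI"], "device_id": "mdm-4f21"}
{"time": "2024-03-04T14:05:40Z", "actor": "alice@example.com", "action": "download", "doc": "Patient intake 2024-03", "labels": ["ePHI"], "device_id": "mdm-4f21"}
{"time": "2024-03-04T15:11:02Z", "actor": "bob@example.com", "action": "download", "doc": "Patient intake 2024-03", "labels": ["ePHI"], "device_id": "unknown-7c3e"}
{"time": "2024-03-04T15:12:30Z", "actor": "bob@example.com", "action": "download", "doc": "Lunch menu", "labels": [], "device_id": "unknown-7c3e"}
{"time": "2024-03-04T16:00:00Z", "actor": "carol@example.com", "action": "share_externally", "doc": "Lab results Q1", "labels": ["ePHI"], "device_id": "mdm-9a07"}
"""


def parse_events(text):
    """Parse newline-delimited JSON events, skipping blank or malformed lines
    so one damaged line does not abort the whole review."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def classify(event, managed_devices=MANAGED_DEVICES):
    """Return a reason string if the event violates the policy, else None."""
    labels = set(event.get("labels", []))
    if not labels & SENSITIVE_LABELS:
        return None  # only labelled documents are in scope
    action = event.get("action")
    if action == EXTERNAL_SHARE:
        return "sensitive document shared outside the organization"
    if action in COPY_ACTIONS and event.get("device_id") not in managed_devices:
        return "sensitive document copied to an unmanaged device"
    return None


def find_violations(text, managed_devices=MANAGED_DEVICES):
    """Run the policy over an export and return one alert per violating event."""
    alerts = []
    for ev in parse_events(text):
        reason = classify(ev, managed_devices)
        if reason:
            alerts.append({"time": ev["time"], "actor": ev["actor"],
                           "doc": ev["doc"], "reason": reason})
    return alerts


if __name__ == "__main__":
    for alert in find_violations(SAMPLE_LOG):
        print(f"{alert['time']} {alert['actor']} {alert['doc']!r}: {alert['reason']}")
```

On the sample, only bob's download from the unmanaged device and carol's external share are reported; alice's download from a managed device and the unlabelled document are not. The device check is what turns the policy statement ("no sensitive data leaves unless under restricted conditions") into something the logs can actually enforce: without a managed-device inventory to compare against, a download event alone cannot tell a sanctioned copy from an unsanctioned one.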
Managing and securing a fleet of disparate mobile or personal devices is not trivial, but it must be done. The good news is that this can be accomplished easily, quickly and at scale with best-of-breed open source software and the cloud services you already use. The most widely used domain controllers, firewalls, VPNs, and Intrusion Prevention Systems are open source, free and well documented.
This being said, an alternative and even better solution is to forego the convenience of using a VPN and to rely entirely on web-based resources hosted outside of the firewall perimeter.
Call me today.
* computers, applications, shared directories...
** aka network hypervisor or software-defined WAN VPN