In the latest installment of the educational series Java with Otava, Director of Product Management Jeremy Bigler chats through some common questions around deploying (or redeploying) remote access and planning a sustainable remote access strategy. Check out more Java with Otava on our YouTube page.
JEREMY BIGLER: Hi there. Thank you for joining me on this edition of Java With Otava. I hope you’ve had a chance to grab a cup of your favorite blend!
Today, I’d like to talk a little about four key questions to ask before you consider either deploying or – for many – redeploying remote access solutions. But first, an introduction. My name is Jeremy Bigler and I’m the Director of Product Management here at Otava. I’ve managed a few Desktop and Application virtualization practices in past lives, and I’m excited to discuss planning a sustainable remote access strategy. That said, let’s dive in!
The first question appears at first glance to be … well, rather obvious. But let’s consider who the user is – in terms of their organizational identity. Are they a full-time employee? A part-time or temp resource, or a third-party contractor? What’s their role within the organization? Should they have any time-of-day or geographic (geo-fencing) restrictions?
That now cues up the next question – what type of access should they have?
Incidentally, one of the biggest security risks we’ve seen during the initial COVID-19 outbreak was widespread open VPN usage. This essentially opens a front door into your networks, and allows users to access almost anything as if they were on the LAN or WAN. While this may be appropriate for some individuals, it’s likely not appropriate for everyone.
When we think about the type of access – VPN, application virtualization, and similar – there are a number of considerations to keep in mind. The obvious ones first: what’s easiest to deploy and maintain, the level of encryption for the tunnel, and similar are ones I’m sure you’ve already considered. There are a few more points to think about though, such as
A final obvious question to close the discussion on users is: how do we know it’s actually them? 2020 has seen a significant uptick in social engineering attacks: phishing, watering hole attacks, pretexting, social media deception … the list goes on. Social engineering unfortunately targets the one vulnerability we can’t patch or update: ourselves.
Ensure whatever remote access solution you put into place is backed by at least two-factor or multi-factor authentication. Ensure strong password policies that recycle on a frequent basis. Conduct regular security training and assessments for your entire organization. While these aren’t foolproof, they provide a significant level of deterrence, one of the most effective results of security practices.
In the interest of time, let’s move on to discussing application access.
Once we’ve ensured we know the use cases and requirements of our users, oftentimes defined by roles within the organization or business units, we now have to think about what they should and shouldn’t be accessing. Often overlooked, the concept of what they shouldn’t access is a key consideration. A significant percentage of breaches of personal or company data have occurred because access to that information wasn’t specifically prohibited within the organization.
Understanding use cases for data and application access is usually defined at the department or similar organizational structure, but exceptions may need to be made. It is important from a security perspective, though, to ensure you clearly identify the required tools and data for each role or user identity, and then limit access to everything else. While exceptions can be made, those should also be documented as part of an exception process.
Finally, ensure your data access also has appropriate controls inherent in the platform. Can users remotely print the data? Can they save the data to a local device? Can they upload data from their remote device back into the datacenter? Each of these questions poses potential security considerations that need to be evaluated. As a general practice, given the proliferation of ransomware and other attacks today, it is always advisable to limit access insofar as is possible and manage exceptions through a documented exception management process.
One note I’ll leave you with on this topic is that it is very common for organizations to allow free data flow between endpoints and the organization’s cloud or on-premises datacenter. While this may be perceived as being the most efficient strategy for productivity, it is also by far the riskiest, since not only can data be taken from the organization, but malware can also be introduced back into the datacenter.
I’m curious – how many devices do each of you use on a regular basis? Personally, I have two laptops, a desktop, and several mobile devices. In fact, the average domestic employee has 3.7 devices that are used often. How many of these devices are employer-owned and controlled? How many are hybrid (meaning you’re partially reimbursed in exchange for limited control) and how many are entirely uncontrolled?
I’m sure you see where I’m going with this. Endpoint devices, particularly devices that have access into your networks, pose a very real threat to your security and control of data. As you consider a remote access strategy, consider what device(s) your employees will be using and how secure or safe those devices are. Consider publishing an acceptable use policy for remote use of company equipment and partially-reimbursed personal equipment.
You may want to consider a landing pad or zone for devices seeking direct LAN or WAN access so you can ensure those devices are healthy: malware-free, running proper security software and controls, etc., and restrict full LAN or WAN access for any device the company can’t control.
Another point of consideration is the type of connection over which your employees will connect. Bandwidth is certainly cheap these days, and most domestic employees will enjoy high-speed broadband connections.
From a continuity standpoint, keep in mind that such service is often “best effort,” meaning that, unlike commercial-grade connections, there isn’t an SLA for uptime or service restoration. This can impact employee productivity. Consider building into your remote access strategy either compensation for backup connectivity (WiFi from a mobile device or a WiFi hotspot) or additional security controls in the event employees need to use public hotspots such as at a Starbucks.
Lastly, let’s consider where the user will be located. Not because you want to ensure a proper user experience over RDP or VPN, but rather from a compliance standpoint. While domestic US organizations have limited exposure here, multinational companies face a variety of data protection, privacy and similar legislative controls based on both the country of traffic origin and the destination. Ensure you’ve fully researched local compliance requirements and include appropriate user-based access controls based on those requirements.
I hope you’ve found these suggestions of value, or at least thought-provoking. There’s quite a bit more content here we could have covered. Otava remains committed to assisting in any way we can, and we look forward to connecting with you soon. For more information, we would invite you to visit our website, and certainly take advantage of the other videos we’ve created on our YouTube channel shown here. Enjoy your day and your coffee!