April 01, 2020

Cybersecurity Considerations for Telework


The National Institute of Standards and Technology (NIST) has put out a series of new documents to help organizations and employees protect their privacy and security while working remotely. In a recent webinar, Ari Schwartz, Coordinator of the Cybersecurity Coalition and Director of Venable’s Cybersecurity Risk Management Group, moderated a panel of cybersecurity experts, including Karen Scarfone, Senior Computer Scientist at NIST; Jeff Greene, Director of the National Cybersecurity Center of Excellence at NIST; Sridhar Mullapudi, SVP Product Management at Citrix; and Sean Frazier, Advisory CISO for Federal at Duo Security. The panelists discussed the recommendations set forth in the NIST publications and shared their advice on best teleworking practices. Here are some of the key takeaways:

  • NIST Guidance. Much of the discussion revolved around one of NIST’s recent IT bulletins, Security for Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Solutions, which is directed at two audiences – seasoned IT professionals and “newly christened” teleworkers. The bulletin provides high-level information on how organizations can prepare for telework and remote access security, identifies the threats and problems organizations are facing, and offers recommendations on how to mitigate these threats through planning and implementation.
  • Enterprise Planning. In ideal circumstances, organizations would have plenty of time before an emergency occurs to do telework planning. In the unprecedented situation brought about by COVID-19, however, large numbers of people are teleworking for the first time on unfamiliar networks and equipment, so even organizations that already had emergency policies in place should re-evaluate them to ensure they are up to date and sufficient. When re-evaluating telework policies, organizations should think about controls with a “zero-trust” mindset, adding new controls if necessary or tweaking the way existing controls work.
  • Defining Tiers of Access. NIST is encouraging organizations to take a tiered approach to their teleworking policies. Aside from implementing multi-factor authentication and encrypting communication and storage, organizations should think about defining tiers of access – what workers can access and from where. For instance, a company may support access to certain enterprise resources from devices the organization controls, but not allow workers to connect to a critical customer database with their smartphone. Ultimately, the best approach is to give workers only the access they need to further the organization’s mission. While it may be necessary to grant total access in an emergency, organizations should narrow the access to only what is necessary as soon as possible.
  • Enterprise Implementation. Once tiers are defined, organizations can begin implementing their enterprise policy, ensuring remote access servers are effectively secured and continuing to monitor their security. All telework devices must also be secured, including phones and tablets. This will require thought about how the organization’s task management solution is configured, so that updates are mainly downloaded from patch management servers. In the end, it’s important to balance security with keeping servers functional and operational.
  • Securing Virtual Communications. With the increased use of conference calls and other virtual collaborations, it’s important to keep track of everyone who joins a call; to ensure that everyone has disconnected from a call before embarking on any private conversations; and to ensure that the same call-in number and passcode are not constantly redistributed. If a call is recorded, it’s necessary to think about where the recording should be stored and how it can be protected. With high-sensitivity calls, organizations should consider using a service with a waiting room or green room so they can control when the call starts, who gets into the call, and who gets to speak. Finally, on any high-sensitivity call, it’s best practice to use a one-time security code or PIN and wait until just before the call starts to distribute it.
  • Telework Basics for Workers. Workers should ensure they are aware of and follow their organization’s rules and that their home Wi-Fi and router are secure. Workers should consider getting a VPN for their own use, so they can surf with confidence anywhere. To keep personal equipment secure, all devices should be password protected. Workers should also watch for unusual activity and report anything out of the ordinary to their organization’s IT desk. Finally, collaborating technologies can be used for virtual happy hours and other types of social interactions that are essential to maintaining camaraderie while working remotely.
  • Citrix Workspace Aims to Provide a Unified Experience. Remote work can cause complications from a security perspective, but it also poses challenges for employees that can potentially affect their productivity and engagement. In order to create a balance between security and ease of access for workers, Citrix has been working to build a unified digital workspace, accessible from any device, with a single sign-on to all applications and data using multi-factor authentication. Citrix takes a “VPN-less” approach, which limits user access to essential data only, rather than allowing full network access. Citrix follows the (NIST-recommended) industry standard approach of enabling a zero-trust framework and architecture. This means providing contextual and secure access, which is monitored continuously so that access can be blocked or adjusted in real time, as required.
  • Built-in Security and Performance Analytics. As more users turn to telework, organizations may want to know how their workers are adapting or performing. By analyzing User Experience (UX) scores, organizations can be more proactive in helping users have a better teleworking experience no matter what device they are using. Similarly, security analytics can help organizations understand the risks of users downloading data or files to local devices.
  • Enabling Mission Continuity. The challenge at this moment is that organizations have suddenly had to adapt from having perhaps a 10% remote workforce to a 100% remote workforce, while their available technology hasn’t necessarily kept up with that level of scalability. Nonetheless, organizations need to act quickly to ensure a seamless and integral teleworking experience, enabling their workers with technologies that don’t force them to go outside their normal workflow. The good news is that the technology is out there, a lot of workloads are already in the cloud, our access capabilities are already mobile, and there isn’t much difference between connectivity at home compared to an office.
  • Attackers Are Still Out There. Teleworkers, particularly those using their own technologies and devices, are even more vulnerable to identity theft and other data breaches. While workers should take steps to ensure their Wi-Fi and devices are secure, organizations can’t make the end user wholly responsible. NIST’s zero-trust approach can help organizations find a way to create a secure remote working environment that will both enable and protect your remote workforce. Ultimately putting best telework practices in place now will empower your workforce and make it more flexible in the future.
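The "Defining Tiers of Access" takeaway above can be made concrete as a small policy check. The following is an added illustration, not code from NIST, Citrix, Duo or the webinar; the device tiers, resource tiers and the minimum-device-per-resource table are constructed assumptions, and the time-limited emergency exception models the advice to grant broad access in an emergency and then narrow it as soon as possible.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional, Tuple


class DeviceTier(IntEnum):
    """Trust level of the connecting device (ordering is an assumption)."""
    PERSONAL_PHONE = 1   # BYOD smartphone with no enterprise management
    PERSONAL_LAPTOP = 2  # BYOD computer that meets the security baseline
    MANAGED = 3          # organization-controlled, patched and encrypted


class ResourceTier(IntEnum):
    """Sensitivity of the requested resource (constructed tiers)."""
    PUBLIC = 1    # e.g. intranet announcements
    INTERNAL = 2  # e.g. e-mail and collaboration tools
    CRITICAL = 3  # e.g. the customer database mentioned in the text


# Least device trust that may reach each resource tier (constructed policy):
# a managed device can reach enterprise resources, a personal smartphone
# cannot reach the critical customer database.
MIN_DEVICE_FOR_RESOURCE = {
    ResourceTier.PUBLIC: DeviceTier.PERSONAL_PHONE,
    ResourceTier.INTERNAL: DeviceTier.PERSONAL_LAPTOP,
    ResourceTier.CRITICAL: DeviceTier.MANAGED,
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device: DeviceTier
    resource: ResourceTier
    mfa_passed: bool


def decide(req: AccessRequest, now: int,
           emergency_until: Optional[int] = None) -> Tuple[bool, str]:
    """Return (allowed, reason). MFA is required in every tier. An emergency
    exception lifts the device-tier rule only until emergency_until (epoch
    seconds), so the broad access expires instead of lingering."""
    if not req.mfa_passed:
        return False, "multi-factor authentication not completed"
    required = MIN_DEVICE_FOR_RESOURCE[req.resource]
    if req.device >= required:
        return True, f"{req.device.name} meets the {req.resource.name} requirement"
    if emergency_until is not None and now < emergency_until:
        return True, f"emergency exception active; narrow access after {emergency_until}"
    return False, f"{req.resource.name} requires {required.name}, got {req.device.name}"
```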

Want to learn more? View the full webinar or find additional alerts, news, and resources at Venable.com/COVID-19.