Security Requirements in a COVID-19 Remote Work World
The COVID-19 outbreak has certainly changed the way that we view business operations in the short term but possibly forever. While many organizations have business continuity plans in place, most plans only account for regional disasters. Even for many mature organizations, they have not detailed a plan for situations with such a global impact as what COVID-19 has ushered.
VPN Security Issues
With the majority of workers now working remotely to decrease the spread of COVID-19, organizations have the extra burden of keeping teams in touch virtually to provide some sense of normal business operations for their employees. One popular method of virtually connecting employees is Microsoft Teams. Even though tools like Microsoft Teams and Zoom are extremely useful in providing continuity to many employees working remotely, they create new security issues.
Historically, many organizations have provided users remote access to corporate data using a VPN. Access may include applications that still reside on premise as well as data that may be cloud based like Office 365 and other critical business applications. While this solution does provide the organization control over their users’ access, due to the increase work from home requirements, VPN access is becoming oversubscribed. To meet this problem, below are some recommendations for how to streamline remote access to corporate data without compromising security.
Short Term Solutions
Your IT team can do the following in the short term, all within Microsoft 365:
- Control access to enterprise applications via the Azure Active Directory.
- Have a single sign-on which allows organizations to only have to monitor a singular login trace in addition reducing the amount of access links sent around which could create additional confusion and open up users to clicking on potential phishing links.
- Create conditional access with a MFA to secure access to corporate data through providing multiple factors of authentication (for all users, not just admins). Intune can be enabled to further secure data as it gets access from both corporate remote devices and BYOD.
- This can lead to additional secure productivity capabilities in the longer term such as Azure B2B and Azure AD Application Proxy.
Long Term Solutions
For long term planning, below are ways to secure systems:
- Initiate a program to identify and secure the most critical data with solutions like Azure Information Protection.
- Use Microsoft Defender Advance Threat Protection (ATP) to secure endpoints and watch for employee impersonators.
- Track and increase the organization’s security posture by leveraging Microsoft Secure Score as security and IT engineers start making changes to the access profiles.
- Provide robust training exercises to train users to watch out for possible phishing attempts and learn how to use the best practices in security.
- In order to meet these new access requirements without reducing their security posture, organizations need to change their mindset and adopt modern access and security measures as described above. Adoption can be a challenge if the enterprise does not have the appropriate skillsets to manage the new infrastructure.
Don’t Stress - Third-Party Providers Can Help
While these recommendations can be complicated, and overworked IT departments may not have the capacity to currently implement these features, third-party Microsoft providers are available to help identify gaps. Providers can help plug the gaps with already existing resources, advise on data loss protection programs for the cloud and remote access, and advise on information protection and classification.
The world changed suddenly and keeping up is a challenge. However, data security needs to remain paramount no matter the work environment. Working with a third-party like Epiq to assess any security gaps can allow your overworked IT staff to return to their day jobs and created peace of mind that your company’s data is safe.
Ilya Pozharsky is the Director of Microsoft Security Solutions for Epiq’s Information Governance solutions group where he leads the global security consulting practice.