Balancing Availability and Security

We made it work, but at what cost? How do businesses successfully balance availability and security?

At this point it’s probably safe to say that most companies (in the US at least) have already decided whether to let employees work from home (WFH) and to scale down or restrict in-person operations. With that decision made, IT staff everywhere got to work making it happen.

VPN, RDP, web access, fancy new cloud desktops for everyone!

For years system admins everywhere have been slowly curating policies and implementing security controls to protect company data and applications. In the last two weeks, the following WFH solutions have been seen in the wild:

  • VDI, VPN, OWA, etc. (pretty much everything) without MFA
  • Virtual Private Networks (VPN) using PPTP (its MS-CHAPv2 authentication is broken, so the tunnel offers no real protection)
  • VPNs without AD authentication (local accounts that sit outside the normal joiner/leaver process)
  • Remote Desktop (RDP) opened directly to the internet (exposed to credential brute-forcing and to any unpatched RDP vulnerability)
  • Desktops going home with end users
  • VDI without consideration for resource location and app performance

Some may say:

High availability?
What is that?
Do we really need that for this option? 

This is perfect! No really, it is fantastic that those six or so options could be implemented by IT admins, allowing organizations to continue to operate. It’s a high-risk move, but sometimes that is what is needed to get the job done.

Some may say:

Let’s just all agree not to leave it running like this for the next year. We can re-evaluate then, right?

The two areas most likely to need improvement after these kinds of quick implementations are availability and security.


Understanding Availability

Obviously, in the best case, this was already set up and you have N+1 availability built into the entire infrastructure. No? The main goal here is to skip all that and talk about some of the “opportunities for improvement” (aka potential single points of failure) that might exist in a remote access setup.


Authentication Source(s)

Virtual Private Networks (VPN) and remote access solutions frequently offer some basic authentication options like RADIUS, LDAP, and Active Directory (AD). Depending on how the solution is implemented, the appliance may actually be talking to only one backend server. Meaning, if that server goes offline, all your remote access is gone. Yes, gone.

For example, with the Meraki MX appliances it's considered best practice to setup at least two AD servers. 

[Screenshot: Meraki AD settings showing Short Domain and Server IP fields]

For some LDAP integrations, the appliance asks for a server name. You can use the domain name (example: acme.local) rather than the name/IP of an individual server, because AD registers an A record for every domain controller under the bare domain name. The caveat is that this relies on DNS round-robin: if DNS hands the appliance the address of a dead DC and the appliance does not retry the next address, logins will still fail, so verify how your appliance behaves with one DC powered off. RADIUS typically requires the VPN itself to support sending requests to multiple servers (RADIUS is UDP, so most generic load balancers are no help). Otherwise, a third-party load balancer that handles RADIUS may be required.


Browser-Based Remote Access

One of the quickest WFH options that can be set up is something like GoToMyPC.com. While this is a convenient option because it uses existing hardware investments, has a per-user/per-month cost, and is easy to set up, there are drawbacks.
The biggest issue is that most organizations don’t have a way to remotely turn on the PCs and workstations sitting in their business office. It may seem like a small hurdle, but every time there is a power surge or outage at the office, someone will need to physically go there to get all the desktops back online. Wake-on-LAN or the BIOS “restore on AC power loss” setting mitigates this, but only if it was configured before the office emptied out. And because each of these tools is a remote entry point to a desktop with full network access, it needs MFA just as much as the VPN does.


Virtual Desktop Infrastructure (VDI)

VDI, while harder to implement than the previous options, accounts for availability from the start. Best practice is to double-check these configurations to make sure:

    1. There is an external load balancer in front of the gateways, and that it has health checks configured (without them, a dead gateway still receives a share of the connections)
    2. There are no single-server farms (or pools); each needs at least two servers with the same configuration
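A quick way to check whether the redundancy described in the Authentication Source(s) and VDI sections is real, as an added example that is not code from the original post or from any vendor: resolve each pool's name(s) to every address, TCP-probe the service port on each one, and flag any pool with fewer than two healthy members. Pointing a VPN at acme.local only gives you redundancy if that name resolves to several domain controllers that are actually reachable. The host names (acme.local, vdi-gw1.acme.local, vdi-gw2.acme.local) are hypothetical placeholders.

```python
"""Redundancy audit for remote-access backends (added example, not the post's own code).

For each pool: resolve every configured name to addresses, TCP-probe the
service port on each address, and flag pools with fewer than two healthy
members. Host names used below are hypothetical.
"""
import socket
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass
class Pool:
    name: str          # label for the report, e.g. "AD/LDAP" or "VDI gateways"
    hosts: List[str]   # names or IPs; an AD domain name expands to every DC
    port: int          # 389/636 for LDAP, 443 for an HTTPS gateway
    minimum: int = 2   # N+1: at least two healthy members per pool


def resolve(host: str) -> List[str]:
    """All addresses 'host' resolves to.

    AD registers an A record for every domain controller under the bare
    domain name, so acme.local should return one address per DC. A single
    address means the 'domain name' trick bought you no redundancy at all.
    """
    try:
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def tcp_open(addr: str, port: int, timeout: float = 2.0) -> bool:
    """Cheap liveness check: can we complete a TCP handshake on the port?

    This only works for TCP services (LDAP, LDAPS, HTTPS). RADIUS is UDP,
    so for a RADIUS pool count the servers in the VPN's own config instead.
    """
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False


def audit(pools: List[Pool],
          resolver: Callable[[str], List[str]] = resolve,
          prober: Callable[[str, int], bool] = tcp_open) -> Dict[str, dict]:
    """Probe every member of every pool and report healthy/unhealthy members.

    resolver and prober are injectable so the logic can be exercised offline
    with fake DNS and fake reachability; the defaults use real DNS and TCP.
    """
    report: Dict[str, dict] = {}
    for pool in pools:
        addrs = sorted({a for h in pool.hosts for a in resolver(h)})
        healthy = [a for a in addrs if prober(a, pool.port)]
        report[pool.name] = {
            "healthy": healthy,
            "unhealthy": [a for a in addrs if a not in healthy],
            "ok": len(healthy) >= pool.minimum,
        }
    return report


def format_report(report: Dict[str, dict]) -> str:
    """One line per pool; FAIL means fewer than 'minimum' members answered."""
    lines = []
    for name, r in report.items():
        status = "OK  " if r["ok"] else "FAIL"
        lines.append(f"{status} {name}: {len(r['healthy'])} healthy {r['healthy']}, "
                     f"down {r['unhealthy']}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Hypothetical pools for illustration; substitute your own names and ports.
    pools = [
        Pool("AD/LDAP (via domain name)", ["acme.local"], 389),
        Pool("VDI gateways", ["vdi-gw1.acme.local", "vdi-gw2.acme.local"], 443),
    ]
    print(format_report(audit(pools)))
```

Run it from outside the office network, since that is where the VPN appliance and your users are. A pool that resolves to one address, or where only one address answers, is exactly the single point of failure the sections above warn about, and a load balancer without health checks will happily keep sending users to the member that shows up as "down" here.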


Security

Maintaining security without the traditional edge devices, like firewalls and content filters, isn’t a new topic. In fact, there is hardly a system admin alive who doesn’t know the importance of it. That said, there are a lot of new and emerging tools that can be easily implemented to better secure the environment. And while the road warriors might be fine with today’s tools, it's not just them: it's everyone at the company who now has full remote access to all company data, and some of them just might be running Windows 7. This poses a real security risk, since Microsoft has ended support (including security patching) for Windows 7.

Case in point: if an employee's home browser looks like the one below, they need help, lots of help.

[Screenshot: outdated Windows 7 web browser]


Luckily there are some things businesses can implement to quickly ramp up security for mobile and remote workforces.

  1. Security Awareness Training
    With employees adjusting to new WFH policies, now is a great time to get some cybersecurity knowledge in front of them. The large majority of breaches begin with a user clicking a malicious link or attachment in an email or on a web page. Training can be anything from a friendly email blast with tips like “Don’t send more than $5k without a phone call to verify” to a fully structured program that trains and tests employees to ensure they are up to speed on compliance requirements and on current threat trends and tactics.

  2. Multi-Factor Authentication (MFA)
    Microsoft 365 is everywhere. And while there are advantages to other solutions like Duo or Okta, it's hard to look past Azure MFA, which is included in many Microsoft 365 plans. Is MFA already in your Microsoft 365 plan? If so, organizations can add MFA to VPN and remote access solutions without any additional monthly cost; for a VPN that authenticates against RADIUS, the NPS Extension for Azure MFA lets an existing Windows NPS server enforce the second factor. Whatever the product, the check is the same: every remote entry point listed earlier (VDI, VPN, OWA, RDP gateway, browser-based remote access) should require it, not just the VPN.

  3. Endpoint Protection
    Anti-virus (AV) is probably on devices already, but it is neither the best nor the easiest way to filter traffic for malicious content. DNS-layer protections (like Cisco Umbrella, etc.) have agents that can be deployed to individual workstations to layer on top of the AV. They block the resolution of known-malicious domains before a connection is ever made, which stops much ransomware download and command-and-control traffic that file-based AV only sees once the payload has landed. The caveat is that DNS filtering sees nothing if malware talks to a raw IP address or uses its own encrypted DNS, so it is a layer, not a replacement.

  4. Containment
    Endpoint Detection and Response (EDR) tools help shift the concentration of security back to the endpoints, which is where the users now are. Furthermore, Cloud Detection and Response (CDR) adds a layer of monitoring, containment and remediation for workloads and data hosted in cloud environments, including Amazon Web Services (AWS), Microsoft Azure and Google Cloud.

The machine learning and large data sets these tools use have proven effective at generating threat intelligence and using that information to isolate and contain attacks.


Ariel Davenport, Solutions Architect for Centre Technologies

These tools collect a lot of data and can track a single event across the network as it occurs, identify malicious activity and isolate the affected devices—in real time.


Between availability and security there are a lot of creative solutions that help IT and system admins adapt to changes in business needs. Enter a trusted technology partner with a "secure by default" mindset. Whether it's having someone to reach out to when challenges and questions arise, or simply needing an extra set of hands and more boots on the ground to drive projects to completion, having additional resources available accelerates business (and IT) goals.

If you already have a trusted partner or peer you can reach out to, do it. If you don’t, Centre Technologies exists to deliver "secure by default" business technology solutions and support that not only help keep the business running smoothly, but also help it elevate its game to outperform the competition.