Working from home is now part of normal business routine. Teleworkers belong to the network just like everyone else, and they require the same security, connectivity, and user experience as in-person employees.
Company managers are aware that having a robust infrastructure that accommodates remote work will reduce the costs of real estate and office utilities, but network and security admins fear loss of control, observability, and security.
Small and medium businesses (SMB) are impacted by telework also, but even though their resources may be more limited than those of larger businesses, they possess the flexibility to evolve work from home into a day-to-day routine.
This article explores the challenges of telework faced by SMBs and provides suggestions on how to secure work-from-home connections.
Table of contents
What are the security risks of working from home?
In network security terms, there are four main hazards.
Loss of observability and control
Telework expands the company perimeter past office premises and to the public internet. Suddenly, workers need to connect from unknown locations and with unfamiliar devices.
This diminishes the ability of company IT to spot suspicious behaviors in the network, ensure good connectivity, and enforce compliance with data protection acts (GDPR, HIPAA, SOC2).
Phishing
Phishing is the most common opening move of ransomware attacks today. Work-at-home employees lack the protection of on-premise firewalls or web filters to stop phishing attempts early, which means there is little other protection other than employees recognizing and reporting phishing attempts themselves.
Weak passwords
A weak password is one that is easy to guess and will likely be listed in databases of leaked passwords. If it is to fulfill its purpose, a password should be randomly generated to be difficult to crack with brute force.
Users should be encouraged to use a password manager software to make it easy to use strong passwords (no one could possibly be expected to remember a randomly generated password).
Unsecured infrastructure
In SMBs, it is often work-from-anywhere rather than work-from-home. Employees can use their own devices and connect from home, café, or a hotel. However, this also presents security risks. Public networks are a common habitat for online threats like man-in-the-middle attacks.
This presents a danger for company data, whether this means access credentials or sensitive internal files.
What are the challenges of securing work from home?
There are three main challenges that SMBs face when securing their remote employees:
- Budget
- Infrastructure
- Ease of use and management
Budget and infrastructure limitations are the main obstacles preventing SMBs from securing work-from-home effectively. SMBs don’t often have the funds to make significant changes to their infrastructure to accommodate the needs of all their remote employees, and will likely prioritize providing teleworkers with decent bandwidth over acquiring security tools.
Another issue is the quality of life of end-users and IT admins. Security always comes first, but if it hampers user experience too much, employees lose productivity and the business loses revenue. Also, if security measures and procedures are bothersome to the end-users, they will resist training in them and may ignore them altogether.
From the IT admin point of view, a remote-work security solution should provide central management and dashboards able to accurately report on the security status of home-office employees. It should also scale easily and shouldn’t require extensive training.
Can you use a VPN to secure work-from-home connections?
Hardly, at least in its traditional form. Consumer VPNs, which historically provided secure connections to a single local network, are hard to configure, especially when you need to include multiple locations in one infrastructure. Even in simple scenarios, ensuring usability and good user experience is difficult.
In addition, a legacy in-house VPN concentrator scales poorly, causes management issues, and becomes a connectivity bottleneck. A traditional VPN may have served as a reasonable ad-hoc fix at the beginning of the pandemic, but the current reality of work requires a more robust model.
How to make work from home more secure?
There are multiple options available, but not all are within the reach of small and medium businesses. However, there are cloud-based security solutions that don’t require infrastructural changes, are relatively affordable, and promote work-from-anywhere.
These solutions may have a cloud-based VPN at their core, but are outfitted with additional security functionalities.
Some organizations, such as AMX13, use cloud-based remote-access solutions as their primary method of securing their work-from-anywhere model of working.
Software-defined perimeter
A software-defined perimeter (SDP) creates a shielded environment that connects all users and company systems on the network layer. It emphasizes authentication of both users and devices to prevent illegitimate entry to the company network. Every connection is therefore unique and private, and usually carries limited access privileges to curb potential attacks.
It is sometimes referred to as black cloud because it conceals all internal traffic from the public eye. In fact, it utilizes the flexibility and scalability of the cloud, and allows for the smooth incorporation of public clouds into the virtual infrastructure, interconnecting repositories, SaaS applications, and users irrespective of location.
Zero-trust network access
Zero-trust network access (ZTNA) also insists on the identity-based verification of users and their devices. The verification takes place on a per-session basis to minimize the risk of threat intrusion and enforce a consistent level of security throughout the infrastructure.
Once authenticated, users receive access rights on a least-privilege basis, which means they do not have unrestricted access to all systems, but only to those they necessarily need. In ZTNA terms, this is known as segmentation, and plays a significant part in the way ZTNA handles access control. Its purpose is to contain an attacker that has exploited stolen credentials, making it difficult to move laterally and cause more harm.
ZTNA conceals traffic by payload and TCP metadata encryption, making it impervious to in-transit interception. All user activity is monitored and logged to satisfy legal compliance and provide a resource for post-compromise analysis if a breach does occur.
Modern ZTNA solutions are often SaaS-delivered, and offer the usability of consumer tools but come with an enterprise-grade featureset.
How to choose a cloud-based ZTNA solution
Vendors like to dazzle potential customers with the most impressive features their products offer. Here are a few key criteria that you may find useful when navigating the choice of ZTNA offerings out there.
System-agnosticism
The cloud age makes it possible for users to work on devices of their choice, each with a different operating system. Businesses also have the same choice as well as a wide selection of SaaS applications, clouds, and server platforms.
Your ZTNA solution for securing work-from-home connections should be able to protect all these indifferently.
Emphasis on user experience
If your end-users find observing security procedures bothersome, they’ll be more likely to ignore them. Your ZTNA solution should ideally be always-on, so your employees don’t even know they’re there.
Use cloud gateways for management-free connection from anywhere, and to speed up login, use single sign-on (SSO).
Ease of management
A central dashboard greatly improves your situational awareness. From it, you should be able to access observability data to verify the security status of your team members.
But your solution should also make it easy to add or remove users, assign privileges, or connect systems. Especially if your infrastructure is large, this is a lot of pieces to juggle, so access control needs to be implemented in a clear and easy-to-use way to stay on top of things.
Security features
By far the most important criterion, always do due diligence and test if your ZTNA solution provides end-to-end encryption, independently check your IPs while connected to verify anonymity, scrutinize its online threat-blocking ability, and check if comprehensive logs are kept.
Try out multi-factor authentication works and test access control for exploits and vulnerabilities.
Summary
The main problem with finding a ZTNA solution for a small or medium business is balancing user experience, security, and cost. Traditional VPN solutions fall short of the required security and privacy features, while more advanced solutions are either difficult to manage or have a premium price-tag.
To preserve the high flexibility and mobility of their remote users, the best bet for small and medium businesses is to implement a ZTNA or SDP solution with a cloud business VPN at the core that will provide secure remote access to business systems regardless of location, as well as wide spectrum of additional security features, while remaining easy to manage and scale.
