Remote working - the security questions our clients are asking

  • Posted on March 30, 2020
  • Estimated reading time 3 minutes

We’re committed to sharing our expertise and insight so that you can keep your business productive and engaged during this exceptional time. We’ll be sharing a series of the most frequently asked questions we're hearing from our clients about remote working. The first in this evolving series of blog posts focuses on security – from how to keep your data safe through to ensuring secure collaboration. 


Q: How do I scale remote working capabilities securely? 
A: Unprecedented demand for remote access to company resources puts extra pressure on access points and VPN services. The user experience and the ability to work remotely depend on your infrastructure’s ability to scale to meet the demand.

A modern born-in-the-cloud application proxy solution that enables secure remote access to internal web applications – with additional security checks via conditional access and MFA – is highly scalable. And it can support a broad range of authentication capabilities.

You can also complement your traditional VPN technology with new cloud remote access solutions that will improve remote worker security while alleviating capacity risks on your legacy VPN solution. 

Enable split tunneling where possible so users can get the fastest access to cloud services and alleviate traffic to a central VPN solution. At the same time, confirm your capacity on traditional remote access technologies, such as VPN concentrators, Next Generation Layer 7 Firewalls, and circuits. 

Q: What other security challenges do I need to consider when more of the workforce is working from home?
A: Provide guidance to employees on best practices regarding security on their home network. Understand the users who have increased requirements for security, such as those handling sensitive data. Help employees to control where data resides and is processed by considering what security policies should be extended to corporate-owned devices or even personally owned devices. 

Configure information protection for classifying and managing sensitive corporate data at rest and in motion. Enabling BYOD for employees and partners may require enhanced security and compliance controls for corporate assets through an endpoint management solution. Finally, consider reviewing and assigning policies to ensure and enforce secure behaviors. To achieve that, provide employees with clear, prescriptive guidance to help them adopt the behaviors required to remain secure in any remote working scenario.


Q: How can I provide my employees with an advanced protected environment for collaboration? 
A: Implement a security layer in Office 365, such as Azure Information Protection, which allows you to configure policies and protect company data from cyberattacks. 

Microsoft Defender Advanced Threat Protection (ATP) on the employee’s devices gives you visibility over risks before they become issues. Also ensure each employee has a company or personal device, like a smartphone (ideally enabled with biometric authentication), to receive the necessary codes to access corporate data (via multi-factor authentication). This requires a subscription to the P1 plan (included in O365 Business) or P2 (included in O365 E5, A5 and M365).

Q: How can my employees interact and collaborate securely with their external partners? 
A: Deploy an external sharing solution (with Microsoft Azure B2B) to allow employees to maintain business continuity and collaborate with external partners, clients or vendors. This solution provides additional control and management over Office 365 platform services. It also features identity lifecycle capabilities, such as onboarding and deleting Azure B2B accounts, modifying permissions and more.
This needs an active Office 365 platform as well as Azure Active Directory licenses (AAD Premium P1 or P2).


Q: How do I protect my information if it leaves the organization?
A: Company data which can be accessed remotely or sent remotely can remain ‘containerized’ and managed securely by using Microsoft Intune, Information Protection and Azure AD.

This enables users to access Office applications from their home laptop or mobile by protecting information with Microsoft Application Management (MAM) and Windows Information Protection (WIP), securing Office 365 data within Office desktop and mobile applications.

Information can be further protected from being lost, stolen or misplaced with Microsoft Information Protection, which classifies and protects assets using document-level encryption and access control lists. This is supported cross-platform and cross-device. 


Q: Can I monitor who has access to data and applications, and monitor what they’re doing with them?
A: If you’re concerned that employees are using external file sharing services to work around internal IT limitations, you can monitor and assess this with Cloud App Security Broker – which can discover the cloud applications being used in your enterprise. It identifies and combats cyberthreats and enables you to control how your data travels. 

Q: How do I ensure the right people get the right access to resources?
A: It all starts with managing identities. Whether your organization has a hybrid environment or is fully in the cloud, checks and balances can be put in place around identification, authentication and authorization, and to ensure monitoring continually takes place.

Policies and conditional access rules will ensure the right people get access to the right resources (applications, data, services) at the right time.

Q: How do I securely enable access to my organization’s applications remotely?
A: Most organizations are running lots of business-critical apps on-premises, many of which may not be accessible from outside the corporate network. Azure AD Application Proxy is a lightweight agent that enables internet access to your on-premises apps, without opening up broad access to your network. You can combine this with your existing Azure AD authentication and Conditional Access policies to help keep your users and data secured. 


Q: How do I enable access to resources on BYOD devices? 
A: With more employees working remotely and across devices, it’s important to support bring-your-own-device (BYOD) scenarios. You can offer self-service enrolment so users can quickly and easily join Azure AD and enroll in MEM to access company resources. 

Once a device is enrolled, MEM applies appropriate policies, for example to ensure that the device is encrypted with a strong password and has certificates to access things like Virtual Private Networks (VPN) and Wi-Fi. MEM can also ensure that devices are adhering to policy by checking in the device’s health compliance status to Azure AD as it processes the user’s authentication.

Q: How can I enroll my employee's personal mobile devices to securely access corporate applications?
A: Our recommendation is to deploy an enterprise mobile device management platform (Microsoft Intune) to securely enable employees to get access to corporate applications. This will allow a separation of corporate data and personal data at a device level while maintaining business productivity. 
You’ll need an active Office 365 platform with Azure Active Directory and Microsoft Intune licenses (either standalone or as part of EMS E3/E5).

If you have any specific remote working challenges, please do reach out to us. You can add your questions in the comments section below, email me or find more guidance and advice around remote working.

Learn how to take the next steps toward a holistic security strategy. 
