By: Clay Miller, CTO, SyncDog
Since working from home is the new norm for many across the world, it’s important to understand network security basics. Internet service providers (ISPs), love or hate them, are responsible for providing the infrastructure for transmitting data, not necessarily securing it. By nature, ISPs need to support a wide variety of network traffic on different protocols and ports, so the responsibility of protecting network traffic lies almost solely with the administrator. Because of this, virtual private networks (VPNs) are a popular tool for connecting to a different network securely. With both ISPs and VPNs, the user plays a critical role in security by adhering to best practices. Below are some shortcomings of ISPs and VPNs to be wary of, especially if employees aren’t working in an office environment.
Lack of Visibility & Hardware/Software Flukes
When network traffic travels from a client computer to a host in the corporate network, it crosses the ISP’s network. That network is uncontrolled in the sense that the corporate network administrators have no visibility into or control over the ISP’s environment. There is always a non-zero probability that hardware or software in the ISP is compromised, and there is no way to validate that it isn’t. Whether ISPs implement good security or not is a moot point, because the responsibility of a corporate system administrator is to ensure that the data is secure even when traveling over an uncontrolled network.
The Human Element
Remote workers may utilize their VPN in many different ways, not always in the corporate-approved manner. Users are always a risk and no amount of training will be able to completely remove the risk associated with technology in a user’s hands.
Auto Login & Physical Security
An issue with work-from-home environments is that, for convenience’s sake, a lot of employees will set their VPN to auto login. This is OK as long as they are in control of the device. However, when the corporate security team or the employee is not in control of the device, whether because it is stolen or compromised or because the home network is infiltrated, auto login creates a significant vulnerability.
Other potential issues involve deactivation of users. There is the possibility that a disgruntled, soon-to-be ex-employee retains company hardware, and access to company resources, prior to officially separating. An employee who is working at home, without the same supervision as in an office environment, can use their access to company resources to steal data or otherwise damage resources before their account is terminated or VPN access is suspended.
Ultimately, VPNs will continue to be commonly utilized for network security with off-site employees. When managed correctly, they can be a workable solution. But, just like with ISP security, the burden is on the administrators. In the case of VPNs, a process needs to be in place to ensure that access does not become a liability. One way to tackle this risk is to have a rapidly deployable exit strategy for employees leaving the company.