The recent unprecedented social distancing measures, implemented at an almost global scale, have created a unique and somewhat unexpected challenge for many IT and risk teams.
Business Continuity Planning (BCP) strategies often center on dedicated off-site office space or repurposed desk space, where business-critical workers can perform their functions as they would in the office. This is because Disaster Recovery (DR) procedures typically assume a relatively temporary arrangement until longer-term solutions are identified, and they usually cover only the specific job functions most critical to key operations. They also assume the “disaster” involves the loss of building space through infrastructure interruptions or environmental factors, such as a fire or tornado.
The need to provide completely decentralized business continuity across a majority of functions at short notice was a shock, one that many IT teams have dealt with admirably and dynamically. Infrastructure teams jumped into action, adding VPN and VDI capacity, on-boarding cloud-based VDI capabilities and expanding the network ranges assigned to firewalls. For remote users, enabling home telephony and ensuring the supply of laptops has been a focus, among other activities that required immediate attention to ensure businesses could function and serve their customers.
But now the dust is settling on this “new normal” and these teams are starting to take a breath. With the reality that this will likely not be a short-term situation, this tactical approach must now be reviewed for robustness, especially when it comes to security, risk management, and compliance.
As a result, organizations are facing an expansion of the external attack footprint, which often includes workers who are not familiar with remote working practices and do not have a dedicated workspace. To compound this, some high-value, “crown jewel” assets that were never accessible or managed from remote locations may now be. Worse still, this opportunity is not lost on the malicious actors who seek to profit from this time of change and uncertainty.
Reflecting on this, some areas need a more considered assessment and suitable controls applied.
- Ensuring that users have function-based least privilege access
Once a user arrives on remote access infrastructure, such as a Virtual Desktop or Virtual Apps Presentation, they should be able to reach only the applications and systems that their function requires. This reduces external exposure considerably and removes a large amount of attack surface for the majority of business users, who need only very specific access to perform their jobs.
Ideally, this control should be based on identity and destination system, not just on limiting the desktop applications presented to the user. This is especially true when a full desktop is presented. That way, you can be sure that remote workers with a functional need for one specific system do not also have broader network access to other assets. This is the principle of least privilege, a core tenet of Zero Trust.
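To make the distinction concrete, here is an added example (not code from the original post or from any product it refers to) of a default-deny policy check that ties a user's business function to a destination network and port. The functions, subnets, ports and user names are constructed for illustration. The point it demonstrates is that the check happens at the identity-plus-destination level, so a user who is shown a full desktop still cannot reach systems outside their function's allow-list.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    """One permitted pathway: a business function may reach one service."""
    function: str
    service: str
    network: str   # destination subnet as a CIDR string
    port: int


# Constructed policy. Anything not matched by a rule is denied (default deny).
POLICY = [
    Rule("finance", "payroll-web", "10.20.1.0/24", 443),
    Rule("finance", "erp-web", "10.20.2.0/24", 443),
    Rule("support", "ticketing-web", "10.30.1.0/24", 443),
    Rule("dba", "core-db", "10.40.1.0/24", 5432),
]


@dataclass(frozen=True)
class User:
    name: str
    functions: frozenset  # identity attributes, e.g. from the directory


def matching_rule(user, dest_ip, dest_port):
    """Return the rule that lets this identity reach this destination, or None.

    The decision uses identity (function) and destination (subnet + port);
    which icons the desktop shows is irrelevant to the outcome.
    """
    addr = ip_address(dest_ip)
    for rule in POLICY:
        if (rule.function in user.functions
                and rule.port == dest_port
                and addr in ip_network(rule.network)):
            return rule
    return None


def is_allowed(user, dest_ip, dest_port):
    return matching_rule(user, dest_ip, dest_port) is not None


def reachable_services(user):
    """Everything this identity can reach: useful for an access review."""
    return sorted({r.service for r in POLICY if r.function in user.functions})


# Constructed users for the demonstration.
ALICE = User("alice", frozenset({"finance"}))
BOB = User("bob", frozenset({"dba"}))

if __name__ == "__main__":
    checks = [
        (ALICE, "10.20.1.15", 443),   # finance user to payroll-web: allowed
        (ALICE, "10.40.1.5", 5432),   # finance user to core-db: denied
        (ALICE, "10.20.1.15", 22),    # right host, wrong port: denied
        (BOB, "10.40.1.5", 5432),     # dba to core-db: allowed
    ]
    for user, ip, port in checks:
        verdict = "ALLOW" if is_allowed(user, ip, port) else "DENY"
        print(f"{user.name:6} -> {ip}:{port:<5} {verdict}")
    print("alice can reach:", reachable_services(ALICE))
```

Because the evaluation is per destination and per port, a user's full desktop session confers no network reach by itself; adding a new application for a function means adding a rule, and an access review is simply a dump of `reachable_services` per identity.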
- Ensuring adequate lateral controls are in place internally
With the increased exposure of all systems to external and potentially poorly secured environments such as the home, it is important to consider the increased likelihood of compromise. I recommend taking the mindset of assuming that a breach will happen and putting controls like micro-segmentation in place to limit the blast radius of any such occurrence.
As we know, a compromise in one of many less critical systems often leads to a pivot to high-value systems within an organization, so ensuring that the minimum lateral pathways are in place internally greatly minimizes risk.
It is almost always true that inside the enterprise, the vast majority of open pathways are completely unnecessary and unused during usual operations. Closing these pathways will make a huge difference in mitigating possible risk. Pivots to high-value assets often occur from the least critical systems, which get low operational focus. Internal convenience applications, such as dashboards and social platforms, generally require no access to critical applications and usually receive fewer resources to secure, monitor, and manage effectively. These should be partitioned just as much as the critical apps.
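The two claims in this section, that most permitted internal pathways go unused and that closing them shrinks the blast radius of a compromise, can both be checked from data you already have: the segmentation allow-list and a period of flow logs. The following is an added example (not the author's code or any vendor's) with a constructed allow-list and constructed flow counts. It reports pathways that were never exercised and computes the set of zones reachable from a compromised zone before and after those pathways are closed.

```python
from collections import defaultdict, deque

# Constructed allow-list of internal pathways: (source_zone, dest_zone, port).
# Two pathways deliberately lead from low-focus convenience apps to a crown jewel.
ALLOWED_PATHWAYS = {
    ("user-vdi", "ticketing-web", 443),
    ("user-vdi", "payroll-web", 443),
    ("user-vdi", "dashboard", 443),
    ("user-vdi", "social-platform", 443),
    ("payroll-web", "core-db", 5432),
    ("ticketing-web", "ticket-db", 5432),
    ("dashboard", "ticket-db", 5432),
    ("dashboard", "core-db", 5432),          # open, never used
    ("social-platform", "core-db", 5432),    # open, never used
}

# Constructed flow records observed over the review period:
# (source_zone, dest_zone, port, connection_count).
OBSERVED_FLOWS = [
    ("user-vdi", "ticketing-web", 443, 5200),
    ("user-vdi", "payroll-web", 443, 800),
    ("user-vdi", "dashboard", 443, 3100),
    ("user-vdi", "social-platform", 443, 2900),
    ("payroll-web", "core-db", 5432, 760),
    ("ticketing-web", "ticket-db", 5432, 5100),
    ("dashboard", "ticket-db", 5432, 3000),
]


def unused_pathways(allowed, flows):
    """Permitted pathways with no observed traffic: candidates for closure."""
    used = {(src, dst, port) for src, dst, port, _ in flows}
    return sorted(allowed - used)


def hardened_pathways(allowed, flows):
    """The allow-list with the unused pathways removed."""
    return allowed - set(unused_pathways(allowed, flows))


def blast_radius(start, allowed):
    """Zones an attacker in `start` could reach by following permitted pathways.

    Breadth-first search over the pathway graph; ports are ignored because
    any permitted pathway is a potential pivot.
    """
    adjacency = defaultdict(set)
    for src, dst, _ in allowed:
        adjacency[src].add(dst)
    seen, queue = set(), deque([start])
    while queue:
        zone = queue.popleft()
        for nxt in adjacency[zone]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sorted(seen)


if __name__ == "__main__":
    hardened = hardened_pathways(ALLOWED_PATHWAYS, OBSERVED_FLOWS)
    print("Pathways never exercised during the review period:")
    for pathway in unused_pathways(ALLOWED_PATHWAYS, OBSERVED_FLOWS):
        print("  ", pathway)
    for zone in ("dashboard", "social-platform", "user-vdi"):
        print(f"blast radius from {zone}:")
        print("   before:", blast_radius(zone, ALLOWED_PATHWAYS))
        print("   after: ", blast_radius(zone, hardened))
```

In the constructed data the dashboard and social platform each have a permitted but never-used path to `core-db`; closing those two rules removes the crown jewel from both blast radii while changing nothing for users. Treat the unused list as a review queue rather than an automatic delete: a pathway that carried no traffic during the window may still serve a quarterly batch job, so confirm with the owning team before closing it.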
- Ensuring that this access is visible, logged, and can be reported on
Once users access systems, actionable logging data that records connectivity to applications, especially sensitive ones, is vital. It is a way to validate that the expected controls are in place, and it supplies the reporting data that auditors or compliance teams need for verification. It also provides a detailed view of how applications are accessed externally and, in particular, highlights failed attempts, which may require deeper scrutiny.
With the additional exposure of internal applications, gaining this visibility internally between systems is also critical. If evidence presents itself that a breach did occur, you need visibility to follow the kill chain and find out where any successful attacker could have pivoted. If a clean-up is needed, you need to know where to focus your energy.
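The kind of evidence this section calls for falls out of a simple pass over access-decision logs. Below is an added example (not from the original post) that parses a handful of constructed log lines in an assumed `key=value` format, builds the user-to-application access matrix that an auditor would ask for, and pulls out the two things worth scrutiny: users with an unusual number of denied requests, and any denied attempt against an application you have tagged as sensitive. The log format, application names, threshold and addresses are all constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed access-decision log lines in an assumed key=value format.
LOG_LINES = """\
2020-04-14T09:12:03Z user=alice app=payroll-web src=203.0.113.7 result=ALLOW
2020-04-14T09:12:40Z user=alice app=core-db src=203.0.113.7 result=DENY
2020-04-14T09:13:01Z user=bob app=ticketing-web src=198.51.100.23 result=ALLOW
2020-04-14T09:13:22Z user=carol app=payroll-web src=192.0.2.44 result=DENY
2020-04-14T09:13:25Z user=carol app=payroll-web src=192.0.2.44 result=DENY
2020-04-14T09:13:29Z user=carol app=erp-web src=192.0.2.44 result=DENY
2020-04-14T09:13:33Z user=carol app=core-db src=192.0.2.44 result=DENY
2020-04-14T09:14:10Z user=bob app=dashboard src=198.51.100.23 result=ALLOW
2020-04-14T09:15:00Z user=dave app=payroll-web src=203.0.113.99 result=DENY
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) app=(?P<app>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>ALLOW|DENY)$"
)

# Constructed tuning values: which apps are crown jewels, and how many
# denials in one review window are worth a second look.
SENSITIVE_APPS = {"core-db", "payroll-web"}
FAILURE_THRESHOLD = 3


def parse(lines):
    """Turn raw lines into event dicts, skipping anything that does not match."""
    events = []
    for line in lines:
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def access_matrix(events):
    """user -> app -> Counter of ALLOW/DENY: the evidence auditors ask for."""
    matrix = defaultdict(lambda: defaultdict(Counter))
    for event in events:
        matrix[event["user"]][event["app"]][event["result"]] += 1
    return matrix


def users_over_threshold(events, threshold=FAILURE_THRESHOLD):
    """Users whose denied requests in the window reach the threshold.

    A burst of denials is either probing from a compromised session or a
    mis-provisioned role; both deserve a look.
    """
    denies = Counter(e["user"] for e in events if e["result"] == "DENY")
    return {user: n for user, n in denies.items() if n >= threshold}


def failed_sensitive_attempts(events, sensitive=SENSITIVE_APPS):
    """Every denied request against a sensitive app, in log order."""
    return [
        (e["ts"], e["user"], e["app"], e["src"])
        for e in events
        if e["result"] == "DENY" and e["app"] in sensitive
    ]


if __name__ == "__main__":
    events = parse(LOG_LINES)
    print("Access matrix:")
    for user, apps in sorted(access_matrix(events).items()):
        for app, counts in sorted(apps.items()):
            print(f"  {user:6} {app:14} allow={counts['ALLOW']} deny={counts['DENY']}")
    print("Users at or above the denial threshold:", users_over_threshold(events))
    print("Denied attempts against sensitive apps:")
    for ts, user, app, src in failed_sensitive_attempts(events):
        print(f"  {ts} {user} -> {app} from {src}")
```

The same three functions work unchanged on the internal, system-to-system logs the next paragraph asks for, with service accounts in place of users; the access matrix then doubles as the record you follow when reconstructing where a compromised system could have pivoted.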
I should note, this is not a new way of thinking and these considerations are just part of a Zero Trust framework. However, they should be addressed with increased urgency now that the vectors for compromise and data exfiltration are far more numerous and less visible. And although Zero Trust is gaining real traction as a recognized best practice, many organizations have yet to implement this mindset broadly, so controls are not widely deployed.
Strategically speaking, an opportunity exists. Traditional BCP approaches are suddenly being seen in an entirely new light. For many organizations, progress toward ubiquitous remote working moved forward years in the space of a few weeks, and once that problem is solved technically and philosophically, a more distributed approach to business continuity planning will follow.
Why would an organization pay for dedicated business continuity facilities that failed to deliver when it was needed most when users can be effective from anywhere?
It is safe to say that, upon reflection, how companies manage business continuity planning will change forever. And once normality returns, many organizations will also embrace the benefits that effective remote working provides, not only in terms of business continuity but also in attracting talent and increasing productivity.
Sudden shifts like this one may become a common reality in the future. So, IT security and risk teams should now focus on ensuring that the short-term fixes put in place are fit for long-term use and can be operated safely and effectively.