Maksim Kabakou - Fotolia
The centralised datacentre or computer room has been slowly going out of fashion with the move to cloud computing and the buying in of different services from a variety of cloud-based suppliers – for example, email services from supplier A and sales and marketing services from supplier B. Other suppliers might be in the mix, providing specialised services such as accounting.
This leaves the company’s central site providing an internet firewall with DHCP, DNS and VPN functions plus, in a typical site, Active Directory, local file and print servers, terminal server and, in some cases, specialised or sensitive servers/applications that have not been outsourced to the cloud.
Covid-19 and the resultant large increase in home working has hastened the move to an even more decentralised IT model as each piece of the home worker’s equipment becomes part of the distributed IT infrastructure.
Looking at the home worker’s setup, we typically will see a PC or laptop, a printer and possibly a scanner. The internet router will have been supplied by their ISP and will provide local DHCP, while the ISP itself will provide DNS services. Typically, the home worker’s internet connection will be shared within the house and most probably by Wi-Fi from the ISP’s router. In many instances, the home worker won’t have a dedicated room or space to work from.
Throw into the mix the possibility of children, visitors (observing the government restrictions, of course) and a spouse possibly also working from home but not for the same company as the home worker, and you have an interesting security nightmare – and that’s without taking into consideration the security concerns of the company’s outsourced IT.
So what does the security professional do to maintain a good security stance for the company? The starting point for me is to understand that company and company-related information is an asset and, as such, needs protecting wherever it is stored, processed and when it is communicated.
Where those functions occur on a company-owned site on company-owned and operated IT, it is under the security professional’s direct governance and supervision. Where it is remote and/or outsourced, the security professional needs to ensure that reliance can be placed on the ruling controls and governance of the service offering or that mechanisms can be put in place that effectively control and negate any potential deficiencies of the remote or outsourced service.
Outsourced and cloud
For those outsourced and cloud-based services, reliance on security controls and security governance is placed in the formal contract of service supply, such as IS27001 certification, Cyber Essentials (CE Plus recommended) certification and their notification of annual recertification.
The service contract could also require the service supplier to restrict staff access to maintain and manage company systems to only those individuals whose CV has been approved by the contracting company. Communications to/from cloud and outsourced IT should be over encrypted VPN tunnels.
The subject of cloud and hybrid environments was covered in the Security Think Tank articles published in November 2019.
The home worker
For home workers, the key is that all company communications are done over an encrypted link to a central company site/service from the home worker’s PC or laptop.
- Where the PC or laptop is company-provided, the hard disk should be encrypted and access to the PC/laptop additionally protected by a PIN code at boot time. The PC/laptop and peripherals should not be available for shared use in the home. Communications to the central site or service would typically be over an encrypted VPN link and there should be no split tunnelling. A user’s PC/laptop should be part of the company’s network and, as such, be part of the update, maintenance and access control regime.
- Where, due to poor internet speeds at a home worker’s site, data is copied to a user’s company PC/laptop, the data owner should advised and steps taken to ensure the data is kept in synchronism with the central master copy.
- For home worker-owned and supplied equipment, again communications to the central company site/service should be over an encrypted link (typically https://) and should be terminated on a terminal server providing user applications (email, Word processing, and so on), together with appropriate security measures in place (such as anti-virus, malware prevention).
- It should not be forgotten that a formal home working policy, procedure and work practices document should be prepared in collaboration with the company’s HR group. This could be a brand new document or an annex to an updated and existing “Road Warrior” or mobile user document. It should cover, as a minimum: screen locking when the PC is left powered on but unattended; finding a position to use the PC where the screen cannot be overlooked; keeping to a clear desk policy even at home; ensuring a safe and comfortable operation position (for health and safety), advice on communications in the home (Wi-Fi and issues, Power Line Ethernet extenders, and so on) and an FAQ.
- Be safe, maintain social distancing and mask-wearing where necessary.