For IT teams preparing their approach to 2020, the emphasis would have been on big picture plans around digital transformation and how changes in cloud and software would support these goals. Today, companies are looking at how they will manage remote working and operations for the foreseeable future. Both employees and security teams will be remote, unable to work together directly in the same location.
Due to the coronavirus – or COVID-19 to be accurate – many IT departments will have found that their companies’ priorities will have shifted significantly. To be successful here, IT security teams have to support remote working and keep things going as much as possible. This change will shine a spotlight on how to keep these IT assets current and secure when IT has less control and is not physically able to touch the IT devices involved.
At the same time, there are opportunities to look at ‘smart working’ – where the move to remote working can make people more productive and happier in their roles over time, rather than just replicating their existing approach at home.
Preparing for remote working and security
To work remotely, employees may use their own devices or work-provided machines. They will need access to the internet in order to connect to the applications or services they require. And they will need to be kept secure, so that any information they create or access can’t be seen by those not authorised to view it.
These three principles might seem obvious, but they are all necessary to make remote working feasible. While devices and internet access can be provided, managing the security side can be more nuanced. In preparation for any remote working activities, IT teams will have had to keep those devices patched and updated, as well as implementing standard security tools such as firewalls and anti-virus software.
However, the onset of coronavirus means that there are two major changes taking place. Firstly, those assets are now not on the corporate network. This means that laptops and other assets no longer benefit from the corporate firewall or other perimeter security technologies that were implemented centrally; instead, these machines are dependent on whatever security solutions were put on them beforehand.
Secondly, those machines are not being managed directly over the network by the IT team. Instead, they are dependent on their users following security protocols and ensuring that updates are installed as and when they are needed. The biggest problem becomes understanding devices that are connecting to the network, their vulnerabilities and importantly, patching those hundreds of thousands of remote endpoints, through Virtual Private Networks and limited network bandwidth. Managing and enforcing this is easier said than done. When problems arise, IT staff can’t go to the person’s desk as they normally would have done.
Managing vulnerabilities over time
The challenge around vulnerabilities in software is that there are more of them, every day. From the largest holes in operating system components that can affect everyone through to specific and serious issues in niche applications, the sheer number of software vulnerabilities continues to grow. As more issues are discovered in existing software that has been around for years as well as new problems in modern applications, the problem is keeping up with all these patches.
Big technology companies like Microsoft and Adobe provide their patches monthly to make the job easier. By collecting all their patches into monthly releases, it should be easier for IT teams to test out any updates and then ensure they are installed. However, that model works best when IT has full control over the network and the device. It allows time for testing to check that new patches don’t break other software components, as all the vulnerable devices have some protection from the corporate firewall. It also allows IT to check that updates have been successfully installed and remediate where not.
In today’s environment, that is not so simple. For employee-owned devices, mandating security levels before access can be granted is something that has to be managed carefully. For corporate devices that are now outside the network, getting insight into what is still installed and whether it is up to date is also a challenge. Lastly, those endpoints now may not have the same degree of protection against attack.
In this situation, devices brought up to date by the IT team before the big move to remote working should be secure. However, they may drift over time, as employees have to install updates or allow IT to do so on their behalf. Similarly, IT may find it more difficult to get that vaunted ‘single view of the truth’ around updates and potential vulnerabilities when devices are spread across hundreds or thousands of locations at employees’ homes.
Instead, it will be critical to get that insight back. Using cloud services, IT teams should be able to view current status across every machine that employees are using. This should provide insight into any new vulnerabilities that are discovered, and then show up any assets that fit the same profile. Equally, any new approach should help the IT team automate the patching process so that devices automatically receive updates and are kept secure over time. Lastly, IT should be able to put together their own rules on patching and prioritisation, so new issues are ranked depending on their seriousness, their risk levels and their potential for exploits.
Alongside this insight, any patching activity will have to be carried out remotely. Rather than relying on employees and their abilities to roll out updates, patches should be controlled and managed centrally so that IT teams can be sure they have been deployed. This approach ensures compliance and security against issues remains consistent and allows enterprises to enforce patches when new threats are discovered in the wild that would otherwise jeopardise company assets and data.
Making security business as usual
The biggest challenge for security isn’t just today’s remote working set-up – it’s what will happen over the coming weeks and months. Supporting remote working involves getting the same degree of insight across all of a company’s IT assets and devices over time as is possible on the corporate network. Without this, it is impossible to maintain the same degree of insight and security as before.
For smart working, these processes can be streamlined and improved so that working is frictionless and easier. Online tools can be used to replicate the previous environment where that makes sense, remove issues where possible, and keep the overall process secure. It also has to be said that some remote workers will need more care and support to keep their systems protected, too.
Instead, it is essential to look at how to understand potential vulnerabilities as they develop, how they can be remediated, and how to manage the response across the company as a whole. This new approach is necessary to keep remote working secure and to make today’s working environment as close to business as usual as possible.
Marco Rottigni
Chief Technical Security Officer EMEA for Qualys