As the Coronavirus pandemic continues to spread, businesses across the world are making remote working mandatory for their employees. ManageEngine, the IT management division of Zoho Corporation, which has 8000+ employees spread across 10 countries, serving over 180,0000 organisations worldwide, made a decision early on and asked its workforce to work from home. Under this scenario, the onus fell on the IT teams to facilitate a secure remote working environment, which not only enables safe connection to remote devices, but is conducive to executing routine activities without trading off cybersecurity.
This has been made possible due to some of ManageEngine’s tools including Access Manager Plus and Remote Access Plus. These solutions offer simplified remote IT networking, support, and maintenance for enterprises without compromising on security. They also allow seamless yet secure connections to desktops, servers, databases, and network devices right from the comfort of their employees’ homes.
With businesses, especially those in the small and medium segment, likely to face difficulties in ensuring a secure virtual workplace due to lack of right tools, ManageEngine has decided to make available fully-functional versions of Access Manager Plus and Remote Access Plus to IT teams free of cost till July 1.
Curbing unauthorised access
Most security models today work based on a full-trust model. Which is, once a user authenticates, there is no granular restriction on the access to information or the operations that could be performed. Which means, if the attacker gets access to someone’s credentials or gets access to their session, they have unfettered privileges. So organisations must move to a model of low-trust or even zero-trust, where every user must implicitly authenticate every access and every operation and the system should have the ability to check for both user’s and the device’s security posture constantly for every information access and operation.
On top of the zero-trust model, organisations must also have well-defined roles, clear separation of duties and allow people only the minimum privileges necessary to perform their duties. And even that privilege must be granted at run time and revoked once the job is done. For example, a database administrator gets access only to certain folders and specific commands and not the entire system, to work on a particular requirement or a problem. Even that access shall be granted only till the job requires it and after that, the Database Administrator does not carry the privileges, unless explicitly granted again.
With both the models above in place, the authentication layer itself should be tightened with multi-factor authentication enabled with three factors configured and at least two of them enabled at any point in time. Most unauthorised access is due to credential theft or session hijack and hence strengthening this layer is very critical to enable remote access.
Rajesh Ganesan, Vice President, ManageEngine has stated some of the best practices towards creating a safe and solid virtual workplace
- Inculcate situational awareness to all the employees across the different business functions. The security and monitoring team should be aware of the increased attack surface for the overall organisation because of employees working from remote from wherever they are. Even if they are privileged insiders, connecting from approved devices, the default corporate policies needs to be re-examined and stricter restrictions must be enforced according to the role, privilege and location of the employees and this should also include educating the employees appropriately.
- Deploy multiple, secure, reliable remote connection technologies both for operational and productivity benefits as well as redundancy. For example, organisations could use the VPN for allowing remote access to less critical resources, when the VPN does not allow granular access controls. For sensitive and confidential resources, they could deploy secure remote access software allowing granular access controls based on the role, time period, location, reduced command sets and the device security posture of the employee.
- Accelerate the move to cloud, which inherently addresses all the remote access needs still ensuring reliability and security. This is from utilising SaaS for various business apps, to moving major part of the infrastructure to IaaS and also taking advantage of virtual desktops served from the cloud.