If there is anything that the COVID-19 pandemic has taught the world, it is the fact that smart working is the future of companies and organizations working in services. A fact that, however, was already know by many employees, freelancers and partners working in the IT field: software developers, system administrators, and IT technicians were forced to embrace such paradigm many years ago, when virtualized Data Centers and Cloud-hosted infrastructures replaced a good portion of the existing on-premise environments, thus forcing everyone to remotely connect to them. That's especially true for organizations operating within the Information Technology business: a managed IT service company will likely already have the capabilities and the IT staff trained to provide remote assistance to their clients. However, having some skilled IT experts able to remotely connect to a Data Center securely hosted by a cloud provider such as Amazon AWS or MS Azure is not the same thing as allowing a bunch of non-IT employees to connect from their COPE or BYOD laptops to their company's workstations - unless you want to relax your organization's IT security posture.
For that very reason, in this article we'll try to briefly summarize the most important steps a System Administrator or IT Manager must follow to securely allow your employees to connect to the company's IT services.
Remote Desktop Connection through a VPN
The first thing to do is to identify the existing capabilities of the organization's network and IT infrastructure: for example, if we are dealing with Windows workstations, the most simple and effective way to remotely access those machines will be using the Windows native's Remote Desktop Connection Prodocol (RDP). However, such protocol requires to open the TCP port 3389 of all the system we want to access, which could pose a serious security risk. For that very reason, the following two countermeasures should be applied:
- Use a Firewall to block or restrict any incoming connection to the organization's public IP addresses, except those coming from authorized sources (see below).
- Use a VPN server with a strong protocol (OpenVPN, IKEv2, Wireguard and the likes) and mandatory MFA authentication to allow authorized users to securely authenticate before being able to access the internal LAN.
- Install an AntiVirus and/or AntiMalware tool on all the BYOD and COPE devices (including mobile devices) used by the employees to connect to the company's network from the outside.
This simple, yet effective strategy will effectively allow the employees to access the system through RDP protocol, as long as we provide each one of them with a unique, personal VPN account (and a BYOD or COPE smartphone for the MFA). Furthermore, the VPN protocol will encrypt all the incoming and outgoing RDP traffic with a strong cypher algorithm, thus ensuring a reliable in-transit encryption for all data.
An additional best practice would be enabling the logging & monitoring capabilities of the VPN server, so that the System Administrator and IT Security Specialist will be able to periodically check the incoming requests and overall traffic to prevent flood-based attacks or other malicious attempts.
Hardware & Software capabilities are not the only thing to consider when dealing with IT security: according to 2021's cyber attacks statistics, more than 80% of the data breaches have been caused by social engineering, thus not involving high-tech strategies. For that very reason, raising the employees awareness in terms of IT security countermeasures is a fundamental step to provide your organization with a good IT security defense perimeter.
In order to do that, it's advisable to carry out a dedicated training on all the resources on the technologies used by the company, as well as the most common risk factors connected to the data handled with them: this is especially true for people in Smart Working, since they will connect and operate outside the company's network. For example, employees should be trained to:
- Never transfer files or information of any kind outside the personal network or on any remote device, including the PC used for RDP.
- Never use unprotected (or otherwise “public”) Wi-Fi to connect to the company's network.
- Ensure that all Wi-Fi connection used to connect to the company's network is protected with WPA2 (or better).
- Provide each employee with a IT Security Policy with general guidance, including COPE & BYOD devices usage guidelines & GDPR specific measures (storage, local file copy, removable devices, lock screen, and so on): ideally, each employee should read & sign such policy at the start of their activity to declare they have read and understood it.
It goes without saying that the training can also be enforced by hardware and/or software security measures (security software, group policies, EDR tools and the likes), if the organization has the capabilities to implement them.
Switch to VOIP
If the company has a PTSN or ISDN phone system, it might be wise to upgrade it to a much more modern VOIP solution, so that each phone line can be routed (and handled) using the web. Needless to say, configuring a VOIP phone system will also require to train the staff to use it, so that they will be able to remotely answer to incoming calls, as well as efficiently use queues and response groups: this can be a business-critical feature depending of the type of service offered by the organization: it might be a pivotal step for a Contact Center or a B2C company, while it can be deferred to a later time for a B2B company.
Another important factor to consider is that remote working employees will likely still need to periodically access a IT Help-Desk service - for example when the VPN is down, or they are unable to connect due to various reasons (including HW failure). Such requirement can be addressed by using a remote assistance solution (such as TeamViewer, Supremo, VNC, and the likes) so that System Administrators and IT assistance technicians will be able to remotely access the employee's devices to provide fixes and handle updates and maintenance tasks, thus being able to resolve any problem directly on the remote (or local) PC of each staff member.
That's it, at least for now: we hope that this small guide will help other System Administrator and IT Managers to securely implement Smart Working capabilities within their organization.