Keeping Your Organization Secure With A Remote Workforce
Jeff Guillet MVP, MCSM
What a difference a few weeks can make. In less than a month, a huge segment of the world’s working population has had to transition to a work-from-home model. For some workers and organizations this is the first time they’ve done this, and some are still scrambling to make it work. A lot of organizations have spent the last 10-20 years securing their environments to prevent external access, only to find out now that they need to break down those barriers.
What Admins Can Do
Before jumping directly to a remote connectivity solution, administrators must understand what remote workers need access to and from which devices. Do workers need access to internal applications? File shares? Collaboration tools? Will they need access from a corporate laptop, their home PC, or a mobile device? Depending on these answers you may decide to employ a secure remote access solution such as a VPN, Remote Desktop Services, Windows Virtual Desktops, or Azure Application Proxy. If you’re looking for a remote collaboration solution you may have heard of this thing called Microsoft Teams. 😊
How users authenticate to these apps or other remote access is extremely important. Hopefully, your organization is using some sort of MFA solution to keep your accounts safe. MFA is the single most important thing you can do to secure your environment. If your users are in Office 365 this is relatively easy to do – you can either assign users for MFA or configure Conditional Access. If your organization is on-premises or in hybrid, you should consider implementing Exchange Hybrid Modern Authentication to bring the security of Azure MFA to your on-premises Exchange users.
However, you should be careful what changes you make during this sensitive time. Now may not be the time for you to configure complicated Conditional Access policies, but the new Conditional Access reporting and “What If” features make them much easier to configure and deploy successfully. I’ve had great success implementing SAML authentication with MFA for on-prem systems, such as VPNs or Azure App Proxy, using these features.
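One way to act on the careful-rollout advice above is to create an MFA policy in report-only state, so it is evaluated but not enforced while you review its impact. This is an added example, not from the original post; it assumes the Microsoft Graph PowerShell SDK is installed, and the policy name and break-glass account ID are placeholders.

```powershell
# Added example (not from the original post). Assumes the Microsoft Graph
# PowerShell SDK (Microsoft.Graph.Identity.SignIns module) is installed.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All', 'Application.Read.All'

# Placeholder: object ID of an emergency-access ("break glass") account that
# must never be locked out by the policy. Replace with your own value.
$breakGlassId = '00000000-0000-0000-0000-000000000000'

$policy = @{
    # Hypothetical display name chosen for this example.
    displayName   = 'PILOT - Require MFA for all users (report-only)'
    # Report-only: the policy is evaluated and logged at sign-in, but its
    # controls are not enforced. Change to 'enabled' only after review.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users          = @{
            includeUsers = @('All')
            excludeUsers = @($breakGlassId)
        }
        applications   = @{ includeApplications = @('All') }
        clientAppTypes = @('all')
    }
    grantControls = @{
        operator        = 'OR'
        builtInControls = @('mfa')
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($created.Id) in state $($created.State)"

# List every policy still in report-only state, so a pilot policy is not
# forgotten and left unenforced.
Get-MgIdentityConditionalAccessPolicy -All |
    Where-Object State -eq 'enabledForReportingButNotEnforced' |
    Select-Object Id, DisplayName, State
```

Report-only results show up in the sign-in logs, where you can confirm which users would have been prompted or blocked before switching the policy to enforced.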
A lot of organizations have deployed remote connectivity solutions rapidly due to the current COVID-19 situation. I encourage you to take a breath and review those solutions with an eye toward security to ensure you haven’t created an attack vector for bad actors. If you’re unsure where to start, you should engage with a professional to do a security audit.
Helping your users stay safe
It’s important for you to communicate to your remote workforce what changes the organization is making to support working from home. Remember that new procedures may be confusing to your workers. You know who I’m talking about. Make sure your communications are clear and concise and ensure that users have a way to contact someone if they have problems.
Unfortunately, there are a number of bad actors that are taking advantage of the confusion that comes with this. I’ve heard from several customers that they are receiving phishing Zoom and Teams meeting invites. Teach your users to be careful with emails and links and how to identify suspicious communications. Office 365 Advanced Threat Protection (ATP) can be used to protect users from unsafe links, unsafe attachments, and phishing emails. MFA and self-service password reset can be a big help here, too.
It’s important that users keep Windows, Office, and security software up to date. Some VPN solutions perform inventory checks to ensure the device is up to date and not vulnerable to attack. Your organization may be ready to quickly move all workloads to Office 365 and Azure, only to realize that your remote workforce is using Windows 7 or an unsupported version of Office.
What orgs can learn from this in the future
Just one month ago, no one would have believed that the world would shelter in place. Organizations must learn to be agile and adaptive on short notice.
Make sure that your organization has a formal remote connectivity plan with time-based goals. The companies I see that are most successful at this are the ones that planned ahead. Their ability to pivot from work-at-work to work-at-home made this transition much smoother.
I believe that most organizations that were dead set against remote access for some reason will see that those reasons are not valid. Improvements in the ease of deploying secure remote access solutions and having a relationship with a trusted partner can make planning for the inevitable that much easier. It’s never too late.
End User Experience Monitoring
With a newly remote workforce, many IT departments are finding they have limited visibility into their end user experience with Office 365 and collaboration technologies like Zoom, Slack, and WebEx. The resolution to this visibility problem is to understand when services like Microsoft Teams suffer performance problems and to isolate where these issues are happening by geographical region. This approach helps you understand who is impacted within your organization so communication and expectations can be set. Remember, we also need to know when the employee experience starts to degrade, well before a complete outage manifests itself. ENow enables you to proactively support employees by monitoring the core components of your environment from inside and outside your network.
Jeff Guillet MVP, MCSM
Microsoft Certified Master & MVP: Exchange Server MCITP 2012+Messaging+Lync+Virtualization | MCSE+Messaging | CISSP