As organizations shift their end users to remote work, IT admins have to account for new security vulnerabilities and take steps to ensure remote users and their devices are secure, no matter where they’re located. This includes users’ home networks, which likely aren’t on par with their in-office networks.
Organizations face a more pronounced attack vector in each user’s home router, but admins can take steps to account for that and protect users while they work.
Home Router Security Flaws
Often, users rent their routers instead of buying them, which leaves them more vulnerable to data collection by their internet service providers. They likely don’t change the default password or patch the router regularly either, both of which represent additional vulnerabilities.
It was revealed recently, for example, that millions of routers running the open-source OpenWrt were vulnerable to compromise. Although that might be a simple fix in a business context, it’s unlikely that users will follow that news closely or take the steps needed to remedy it in a timely manner.
It probably wouldn’t play well with management if you laid down an edict that all users needed to upgrade their home setup with commercial-grade routers, but you can take other measures to secure users’ internet traffic when they work from home.
Solution: VPN for Remote Users
Organizations likely have a VPN in place so remote users can connect to the internal corporate network, but you can also instruct users to work via the VPN to secure and encrypt their network traffic while they work. This guidance is also relevant if users work on public networks (like at a coffee shop), though it’s best to discourage them from working on public networks altogether.
You can connect the VPN to your core directory service via LDAP or RADIUS so you can then provision and deprovision user access to the VPN through it. That way, you don’t have to manually manage a separate directory for the VPN in addition to the core directory service. This also gives you the ability to provision access in bulk through user groups and other methods.
A straightforward way to do this is through a cloud directory service, which can either serve as a standalone directory or as an Active Directory® extension to IT resources including the VPN client. Users then enter the same core credentials to access the VPN that they use for their other IT resources, and you can ensure that password is secure. You can further protect the VPN with multi-factor authentication (MFA) at login.
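The login decision described above, sketched as an added example (not JumpCloud's or any VPN vendor's code): access is granted only when the directory account is active, belongs to the VPN group, and presents the correct password and TOTP code. The directory entry, the group name `vpn-users`, and the function names are assumptions made for illustration; the TOTP routine follows RFC 6238.

```python
import hashlib
import hmac
import struct
import time

VPN_GROUP = "vpn-users"  # assumed group name, not from the article

def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

# Constructed directory entry; a real deployment queries LDAP or RADIUS instead.
DIRECTORY = {
    "alice": {
        "active": True,
        "groups": {"staff", VPN_GROUP},
        "salt": b"constructed-salt",
        "pw_hash": hash_password("correct horse", b"constructed-salt"),
        "totp_secret": b"12345678901234567890",  # RFC 6238 test secret
    },
}

def authorize_vpn(user, password, code, now=None, directory=DIRECTORY):
    """Return (allowed, reason); the reason is for server logs, not the client."""
    now = time.time() if now is None else now
    entry = directory.get(user)
    if entry is None or not entry["active"]:
        return False, "unknown or disabled account"
    if VPN_GROUP not in entry["groups"]:
        return False, "not in VPN group"
    supplied = hash_password(password, entry["salt"])
    if not hmac.compare_digest(supplied, entry["pw_hash"]):
        return False, "bad password"
    # Accept the current step and one step either side to absorb clock drift.
    valid = [totp(entry["totp_secret"], now + d * 30) for d in (-1, 0, 1)]
    if not any(hmac.compare_digest(code.encode(), v.encode()) for v in valid):
        return False, "bad TOTP code"
    return True, "ok"
```

Removing the user from the group or disabling the account in the directory revokes VPN access at the next login, with no separate VPN user list to update.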
Offer Security Guidance to End Users
In addition to providing VPN access, you can offer guidance to users about how to secure their home WiFi networks and use the VPN without overloading it. We’ve created both of those guides, which you can tailor to your environment and share with your users. This guidance can include:
- Keep your router up to date, and make sure you’ve used secure passwords for both your router and your WiFi network.
- Limit the number of IoT devices you have connected to the WiFi network you use for remote work.
- Use the VPN only on work devices, for work traffic. Keep your personal browsing to your personal devices.
- Be mindful of the VPN’s bandwidth, which is a shared company resource. Don’t call into your team happy hour, for example, with the VPN.
If you’re looking for more information about how to provision and manage user VPN access, we’re here to help.
Learn More
One solution to manage user VPN access is JumpCloud® Directory-as-a-Service® — a full-suite directory in the cloud. JumpCloud can serve as an organization’s directory or as a comprehensive AD identity bridge, and with it in place admins have cloud LDAP and RADIUS functionality without any on-premises infrastructure or networking required. They can point the VPN at JumpCloud for authentication, as well as enable MFA for RADIUS networks so users enter their credentials and a TOTP token at login.