Securing Remote Workers in Three Layers: Device, Access, & Identity

Written by Zach DeMeyer on April 1, 2020


Organizations have to balance security with efficiency while letting employees do their jobs wherever they are and whatever IT resources they use. To secure these remote workers, IT admins need tooling that manages devices, controls access, and keeps identities locked down, all from the cloud.

Device Management

Ensuring that devices are set up for success and able to be managed remotely is critical. After all, a device acts as the end user’s gateway to all of their other IT resources, so protecting them is paramount. To do so remotely, IT admins need their device management tools to provide certain key capabilities.

Group-Based Policy Enforcement

Group-based policy enforcement lets IT admins manage system settings at scale by assigning policies to groups of users or devices rather than configuring each machine by hand. The classic example is Active Directory® group policy objects (GPOs). Unfortunately, solutions like Active Directory (AD) are limited by their domain, that is, the set of systems and applications that can authenticate against its identities. In AD’s case, the domain rarely extends beyond Windows® systems and applications, on-prem servers, and, where AD FS or Azure® AD is part of the stack, a selection of web resources.

For organizations with Mac® and Linux® systems, the traditional AD domain is of limited use: those systems can be bound to AD for authentication (macOS natively, Linux through tools such as SSSD), but GPOs do not apply to them, so enforcing settings requires additional AD extension tooling. Beyond that, even an all-Windows, domain-bound fleet becomes significantly harder to manage once it leaves the office, because group policy only refreshes when the machine can reach a domain controller, which for a remote laptop usually means being on the VPN. Despite these limitations, admins still need to enforce security policies on these systems, above all full disk encryption (FDE) and screen lock. These two are critical for remote worker security because they address attacks on the device itself: FDE (FileVault on macOS, BitLocker on Windows, LUKS on Linux) keeps the data on a lost or stolen laptop unreadable, and a screen lock with a short timeout protects a logged-in device left unattended. Enforcing the policy is only half the job; the admin also needs to verify, from the device itself, that encryption is actually on and the lock timeout has not been changed.

Monitoring

Admins also need visibility into the performance and configuration of remote systems, both to keep end users productive and to spot potential security threats. Key statuses to track include, but aren’t limited to:

  • Antivirus/anti-malware/firewall status
  • Full disk encryption and screen lock status
  • Battery health
  • Storage capacity
  • OS version and patch level
  • Installed applications
  • Browser versions and extensions

By keeping tabs on these remote systems, IT organizations can make informed decisions to shut down attack vectors before they become major issues. In addition, remote device monitoring provides IT organizations with the insights they need to aid remote users with hardware issues.
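The checks above can be run as a compliance evaluation over whatever the endpoint agent reports at check-in. The following Python script is an added example written for this article, not JumpCloud’s agent or any product’s code: it evaluates constructed inventory records for three remote laptops (macOS, Ubuntu, Windows) against an assumed baseline covering the FDE and screen-lock policies from the previous section plus the monitoring items listed here. The record fields, policy thresholds and the blocked-extension name are all assumptions.

```python
"""Evaluate remote-device inventory against a device security baseline.

Added example for this article; it is not JumpCloud's agent or product code.
The inventory records below are constructed samples in the shape an endpoint
agent might report, and every field name and policy value is an assumption.
"""
from __future__ import annotations

# Baseline policy (assumed values). The two policies the article calls critical,
# full disk encryption and screen lock, are the first two checks.
POLICY = {
    "require_fde": True,
    "max_screen_lock_seconds": 300,
    "min_os_version": {"macos": (10, 15), "ubuntu": (18, 4), "windows": (10, 0, 18362)},
    "require_av_running": True,
    "blocked_browser_extensions": {"example-free-vpn"},  # assumed blocklist entry
}


def parse_version(version: str) -> tuple:
    """'10.15.7' -> (10, 15, 7); tuples compare element-wise, so (10, 14, 6) < (10, 15)."""
    return tuple(int(part) for part in version.split("."))


def evaluate(device: dict, policy: dict = POLICY) -> list:
    """Return the list of policy violations for one device; empty means compliant.

    Missing fields are treated as violations (fail closed): a device that does not
    report its encryption state is not assumed to be encrypted.
    """
    findings = []

    if policy["require_fde"] and not device.get("fde_enabled", False):
        findings.append("full disk encryption is off or unreported")

    lock = device.get("screen_lock_seconds", 0)
    if lock <= 0:
        findings.append("screen lock is disabled or unreported")
    elif lock > policy["max_screen_lock_seconds"]:
        findings.append(f"screen lock timeout {lock}s exceeds {policy['max_screen_lock_seconds']}s")

    minimum = policy["min_os_version"].get(device.get("os"))
    if minimum and parse_version(device.get("os_version", "0")) < minimum:
        findings.append(f"{device.get('os')} {device.get('os_version')} is below the minimum version")

    if policy["require_av_running"] and not device.get("av_running", False):
        findings.append("antivirus/anti-malware is not running or unreported")

    blocked = set(device.get("browser_extensions", [])) & policy["blocked_browser_extensions"]
    if blocked:
        findings.append("blocked browser extensions installed: " + ", ".join(sorted(blocked)))

    return findings


# Constructed inventory: what three remote laptops might report on check-in.
DEVICES = [
    {"hostname": "mac-alice", "os": "macos", "os_version": "10.15.7", "fde_enabled": True,
     "screen_lock_seconds": 120, "av_running": True, "browser_extensions": ["ublock-origin"]},
    {"hostname": "lin-bob", "os": "ubuntu", "os_version": "18.04", "fde_enabled": False,
     "screen_lock_seconds": 900, "av_running": True, "browser_extensions": []},
    {"hostname": "win-carol", "os": "windows", "os_version": "10.0.17763", "fde_enabled": True,
     "screen_lock_seconds": 0, "av_running": False, "browser_extensions": ["example-free-vpn"]},
]


def compliance_report(devices: list = DEVICES) -> dict:
    """Map hostname -> findings for every device in the inventory."""
    return {d["hostname"]: evaluate(d) for d in devices}


if __name__ == "__main__":
    for host, findings in compliance_report().items():
        print(host, "COMPLIANT" if not findings else "NON-COMPLIANT: " + "; ".join(findings))
```

Collecting these values is platform-specific (FileVault, BitLocker and LUKS each report encryption state differently), which is why a management agent is needed on each OS; the evaluation itself is the same for all of them, and a device that fails to report a value is treated as non-compliant rather than assumed safe.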

Non-Invasive Update Workflows

Above all else, IT admins need their work to be as non-disruptive to remote end users as possible. Traditional device management tools require that the system is connected to the on-prem network, directly or over VPN, before updates can be enforced. With the proper tooling, admins can monitor and update remote devices in the background: an agent on each device checks in with a cloud management service over whatever internet connection the user has, pulls down policy and updates, and reports status back. Because that agent runs with administrative privileges, its channel to the service must be authenticated and the packages it installs signed; a management agent that trusts unverified updates is itself a remote code execution path onto every device in the fleet.

Access Control

Once the end user’s device is settled, securing that user’s access to every other resource is the next key area of focus for securing remote workers.

The virtual private network (VPN) has long provided a secure route for remote access to on-prem and remote resources. Although effective, VPNs can be finicky, highly technical to set up and maintain. For end users they are a source of frustration, and they introduce risk when used incorrectly or ignored: once connected, a VPN typically places the device on the internal network, so a compromised laptop gets the same reach a desk in the office would, and a user who turns the client off to fix a connectivity problem is simply working without it.

So while they remain important in certain cases, much of what a VPN is used for can be accomplished by authenticating directly to each resource instead: SSH for servers, SAML for web applications, and LDAP for applications and infrastructure that bind to a directory. Each of these secures one connection to one resource rather than granting a route onto the whole network, which is why they can be as secure as a VPN or more so, provided they are deployed properly (SSH with key or certificate authentication rather than passwords, and LDAP over TLS, i.e. LDAPS, wherever it crosses the internet). All three can be managed through a central identity provider (IdP) to create a single identity that users leverage to remotely access infrastructure, applications, and servers both on-prem and in the cloud.

For that to serve remote workers, however, the IdP itself has to be reachable from anywhere, which in practice means hosted in the cloud rather than behind the on-prem firewall. Access through these protocols and VPNs needs to be tightly managed using the principle of least privilege: an end user can reach only what their role requires, no more, no less, and anything not explicitly granted is denied.

Identity Security

Both device management and access control rely on an IT admin’s ability to keep an end user’s identity as secure as possible. Many believe this is accomplished by enforcing password complexity requirements and using a password manager to keep track of each disparate credential a user has.

Strong passwords are only the beginning of firm identity security. IT admins need to enforce multi-factor authentication (MFA) at every point where an end user logs in to a resource: their systems, VPNs, apps, infrastructure, and more. Applying MFA everywhere significantly cuts down the risk from a compromised set of credentials, because a stolen password alone is no longer enough to log in. The choice of factor matters too: SMS codes and simple push approvals can be phished or worn down by repeated prompts, whereas hardware-backed FIDO2/WebAuthn authenticators resist phishing because the credential is bound to the site it was registered with.

As the section above describes, a unified identity simplifies identity security greatly for end users and IT admins alike. A centralized cloud directory service provides one identity, backed by MFA, that can be leveraged for virtually all IT resources. End users then need to remember only a single strong password. And because that password is changed through the device’s own login workflow rather than a web form, users have less reason ever to type it into a web page, which makes a phishing site posing as a password-reset portal easier to recognize, while still letting them manage their password from anywhere in the world. The flip side of a single identity is that it is a single point of compromise, which is why the MFA and device controls above are prerequisites rather than optional extras.
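What the IdP enforces when it ties least-privilege access and MFA together can be shown in a few dozen lines. The Python block below is an added example for this article, not JumpCloud’s code or any real IdP’s implementation, and in production these checks belong in the IdP rather than in each application. It uses a constructed directory of two users with group memberships, an assumed mapping from resources (an SSH host, an LDAP-bound build server, a SAML app, a VPN) to the groups allowed to reach them, and an RFC 6238 TOTP verifier so that every access decision requires a valid second factor. The user names, secrets and resource names are assumptions; alice’s secret is the RFC 6238 test-vector key, so her codes can be checked against the RFC’s published values (for example 287082 at Unix time 59).

```python
"""Least-privilege authorization from a central identity with MFA on every login.

Added example for this article; it is not JumpCloud's code or any vendor's IdP.
In practice the identity provider performs these checks; this block shows what
it is enforcing. The directory entries, the group-to-resource mapping and the
TOTP secrets are constructed. alice's secret is the RFC 6238 test-vector key so
her one-time codes can be checked against the RFC's published values.
"""
from __future__ import annotations

import hashlib
import hmac
import struct
import time

# Constructed directory: one identity per user, group membership from the IdP.
DIRECTORY = {
    "alice": {"groups": {"engineering", "vpn-users"}, "totp_secret": b"12345678901234567890"},
    "bob": {"groups": {"finance"}, "totp_secret": b"finance-user-secret!"},
}

# Least privilege: each resource names the groups allowed to reach it (assumed mapping).
# Anything not listed is unreachable, so access must be granted explicitly.
RESOURCE_ACCESS = {
    "ssh:prod-web-01": {"engineering"},
    "ldap:build-server": {"engineering"},
    "saml:expense-app": {"finance"},
    "vpn:corp": {"vpn-users"},
}

STEP_SECONDS = 30


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step) for the given Unix time."""
    counter = struct.pack(">Q", unix_time // STEP_SECONDS)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side to tolerate clock skew.

    The comparison is constant-time so a wrong code's rejection time does not
    leak how many leading digits matched.
    """
    return any(
        hmac.compare_digest(totp(secret, unix_time + delta * STEP_SECONDS), code)
        for delta in range(-window, window + 1)
    )


def authorize(user: str, resource: str, otp: str, unix_time: int | None = None) -> tuple:
    """Decide whether `user` may access `resource`: identity, then MFA, then least privilege."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return False, "unknown identity"

    if unix_time is None:
        unix_time = int(time.time())
    if not verify_totp(entry["totp_secret"], otp, unix_time):
        return False, "mfa failed"                            # MFA is required for every resource

    allowed = RESOURCE_ACCESS.get(resource)
    if allowed is None:
        return False, "unknown resource"                      # fail closed
    if not entry["groups"] & allowed:
        return False, "not authorized for this resource"
    return True, "granted"


if __name__ == "__main__":
    now = int(time.time())
    code = totp(DIRECTORY["alice"]["totp_secret"], now)       # what alice's authenticator shows
    print(authorize("alice", "ssh:prod-web-01", code, now))   # (True, 'granted')
    print(authorize("alice", "saml:expense-app", code, now))  # (False, 'not authorized for this resource')
```

The order of checks is the point: the identity is established and the second factor verified before any authorization decision is made, unknown resources are denied rather than defaulting to open, and the one-time code comparison is constant-time. TOTP is shown because it can be verified offline; a phishing-resistant factor such as FIDO2/WebAuthn is the stronger choice where the resource supports it.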

Learn More

These areas of consideration will put you well on your way towards securing remote workers, but only scratch the surface of all of the requirements admins face when enabling their user base to work remotely. To learn more, check out our admin’s guide to work from home (WFH), or see how our two-man IT department shifted our employees to a fully WFH model in only 3 days.
