The following is a transcription of an episode of our podcast, Where’s The Any Key? Feel free to reach out with any questions you may have in response to this recording. You can find our show on Apple Podcasts, Spotify, and wherever podcasts are available.
Welcome to Where’s the Any Key? The podcast where we talk about anything IT related and even some topics that are IT adjacent. I’m your host Ryan Bacon, the IT Support Engineer at JumpCloud® Directory-as-a-Service®.
Today I am joined by Jim Matthews, a Security Engineer at JumpCloud, to talk more about maintaining a secure environment while your workforce is remote.
A Bit of Background on Jim Matthews
Jim: I used to play a lot of video games as a kid, which is how I got into computers. Then, I got a UNIX account at Rutgers University in 1992, and later became a UNIX system administrator. Along the way I worked for a small software development company and for Duke University in the Perkins Library.
In 2007, I moved to Colorado and began working for another startup in the city of Boulder. I also spent some time working for DigitalGlobe and eventually made my way to JumpCloud about 16 months ago.
At the last startup I worked at, we had an Active Directory setup. It was very expensive, redundant, and we had licensing issues which made it difficult to solve our simple problem of authentication. JumpCloud came to us as a potential client, and when I saw their pitch I thought it was great. JumpCloud could eliminate my AD instance and my hardware costs, and overall I thought it had value.
So, when I was looking for a job a couple of years later, JumpCloud reached out to me and I eventually found my way there as an employee.
Jim Matthews’ Role at JumpCloud
Jim: I am a Security Engineer, and work as part of the security team here at JumpCloud. Given my background in system administration, infrastructure is my area of specialty within the team. So I maintain the security of our cloud infrastructure, and I do a little bit of teaching — I enjoy teaching people why they should be secure, not just forcing them to do so.
Securing a Remote Workforce
Ryan: We are in the midst of the COVID-19 pandemic, and our workforce has all gone entirely remote. For today’s discussion, we’d really like to get your perspective on security with regard to remote working.
The Process of Enabling Remote Work
Jim: Nowadays we’re all kind of being forced to work from home, which is both good and bad depending on how you look at it. From an IT admin’s perspective, this situation is a little concerning. IT admins like to have control over devices, the network, and how people are connecting to their resources. And when the entire workforce disperses, they don’t have the same control over user access as they would in an office.
JumpCloud is kind of at the forefront of enabling remote work. We all work on laptops and are able to take them home because they’re already provisioned by IT. Unfortunately, some organizations still operate on the “desktop” model so IT admins are having to rely on people using their own devices at home.
Ryan: That is definitely one of the things that our department is having to deal with, but then again JumpCloud was already kind of set up for people to work remotely. So when we moved the entire workforce to remote, it was just a matter of scaling what we’d already done.
Prepare For VPN Usage
Jim: Try to make it as seamless as possible for your employees to use VPNs. I heavily invest in a lot of testing up front so that when you do roll it out to the rest of your organization it’s simple to understand. Think about it this way: if there are a lot of hoops your users need to jump through, your adoption rate will drop significantly.
I’d also recommend evaluating exactly what you need from a VPN. There’s a lot of VPN software out there — both good and bad. Do your research carefully and make sure that what you’re signing up for with regard to a VPN service is exactly what you need, and make sure to work with a trusted company.
Ryan: From a VPN support point of view, I’ve seen that a lot of people’s home routers or firewalls were actually blocking certain types of VPNs. For example, I had to go into my home firewall to allow it to accept IPsec traffic.
Jim: That really highlights the importance of testing, which can be especially successful if it’s done in phases. So rather than roll something out to all employees at once, I would suggest you do it in smaller batches to catch specific blockers. If you roll new processes or technology out to 15 users at a time, you can kind of solve these problems as they come up, rather than having to manage 300 helpdesk requests all at once.
Ryan: It’s also a good idea to have these things up and running and tested before you even anticipate needing them. We have two main VPNs: one that comes into our office to allow people to access on-premises resources, and one that is for when employees are traveling. Neither of them got a ton of use, but I’m glad we had them set up — they were ready to go as soon as we needed them.
Keep On Top of Your Disaster Recovery Plan
Jim: A disaster recovery plan is only as good as the last time you tested it, and if you’ve never tested it, then it’s not a good plan.
Ryan: The IT industry as a whole would definitely agree with you on that. A lot of times people say they don’t have the bandwidth to constantly check and test their disaster recovery plan, but if you don’t test it you might as well not have it. The less you test a plan the more likely it is to fail when you need it.
I think that this pandemic has really opened up the workforce’s eyes and shown them what the future of work is going to look like. And this is going to happen in the near future, not decades out. The technological need for various workforces is showing alongside the necessity to invest in infrastructure and security.
Jim: It’s amazing to think about trying to do entirely remote work 15 to 20 years ago. Infrastructure and all those backend components really weren’t set up for working from home, so I think if this had happened decades ago it would have been a global disaster. Now, most of us are working from home and the infrastructure allows us to do so comfortably.
End User Education
Ryan: I feel that end user education should be a priority because employees are the weakest link in the security chain. What would you mainly focus on when it comes to educating your end users on security best practices?
Safe Password Practices
Jim: The first area of focus should be on passwords, and more specifically, password security. I used to have one password for everything, and if I needed to change it I added negligible characters to the end. But I’ve come to understand that it’s insecure to use the same password for all your resources, which is why I started using a password manager.
There are a lot of password managers out there (LastPass, Keeper, etc.). I’d strongly suggest that IT admins at least focus on educating end users on the benefits of using a password manager. Password managers store credentials so employees can confidently create unique, complex passwords for each of their resources.
Jim: The second area of focus for educating end users should be on multi-factor authentication (MFA), which is also referred to as two-factor authentication (2FA). A password is one part of the authentication puzzle, and by combining something you know (your credentials) with something you have (an MFA token typically generated by an app on your phone), you can make it harder for bad actors to hack user accounts. If all of your users are not currently using MFA for their endpoints, I would make that a top priority; it’s just another way to help protect user accounts.
Jim: The third area I’d recommend you focus on would be training on phishing awareness. A lot of people think the process of hackers penetrating your network is some sort of advanced, Mission Impossible-type process. However, it usually happens through a phishing email that compromises the company’s security. Which is easier: breaking into an AWS® data center, or sending out a thousand emails to a company knowing you’re going to get a return of at least 5%?
So to make people aware of the dangers of phishing, I would start phishing my employees. A lot of companies actually do this type of training where they phish your company with sample emails, then provide education alongside them. This teaches people how to spot phishing emails. Keep in mind, no matter how many employees you have, there will always be that 5% that still click on emails, and the goal of phishing awareness is to get that rate as low as you possibly can.
Ryan: All three of those focus areas work really well when it comes to securing a remote workforce, especially with phishing emails. If you don’t have that ability to quickly communicate with a team member on whether the email is legitimate or not, then you’re more inclined to just click on the link or email. And by adding MFA, you can get an extra layer of authentication on your endpoints, which is reassuring.
Make Teaching Personable
Jim: It all starts with your IT admins. They need to be able to provision hardware (i.e. laptops) and enable security settings. This is where an MDM solution could help an IT team by making sure all laptops are configured in the exact way that IT admins expect.
It also helps to teach people why they need to be secure. I’m someone who needs to know why I’m doing things a certain way, so I think it’s important that people know why I’m asking what I am from them. Users will do what you ask them to do if you explain the value behind it.
You should also show how these practices for keeping an employee secure at work can roll over into their personal life. They’ll take it a lot more seriously. The things that I’m talking about — password managers and MFA — apply to people’s personal lives as well.
Resources That Help
Ryan: What are some good resources you’ve found that help you and your end users create a secure environment?
Jim: I think the best resources are the ones IT admins can create for their office environment. There are also a number of websites I think are great, such as the SANS™ Institute. The SANS Institute is a nonprofit organization that provides security training on best practices. In fact, they’ve released a Security Awareness Work-From-Home Deployment Kit in response to the pandemic.
Also, the Federal Trade Commission (FTC) has a number of great resources for users that may be traveling or working remotely. They’ve also released resources to help organizations adjust to this new way of working.
Make it Easy for Users to Learn
Ryan: And what IT teams can do is take these resources and curate them so that the information is easy for users to find and digest. Making the information with your organization in mind would greatly increase the adoption rate and overall usage of that information.
Jim: That’s one of the great things and the not so great things about the internet. There’s a whole world of information out there that would take more than a lifetime to parse through. So if you simply tell users to “Google it” or find the information themselves, you don’t know what they’re going to find. Maybe the information they find doesn’t apply to your organization, it’s outdated, or it’s incorrect. It helps your users to create an area for them to go to for finding that essential security information.
Ryan: When you curate types of environments you know the sites and information they’re looking at are trusted. For example, we have a large fleet of Apple systems, composed largely of macOS® machines. One of the big fixes for when something goes wrong on a Mac is an SMC reset. So instead of telling a user to look up how to reset their SMC, I send them a detailed explanation that has diagrams and a link to Apple’s support page. It helps prevent people from going to sketchy websites or finding unreliable information.
Jim: For the IT admins supporting a remote workforce, make sure to seek out resources related to the areas you’re working in. So if you’re a Google shop, you would obviously want to go to Google support.
As a security guy, I have a number of different sites that I use. CSO Online is a great source for IT admins to get a high-level view on things like educating end users, password managers, and the benefits of a VPN.
The Challenges Involved in Remote Work
Jim: Unfortunately, during times like this you see scammers come out of the woodwork. For instance, people are sending our employees so-called advice on how to deal with COVID-19. I know that the government is currently working on getting out relief packages for a lot of workers, and users will soon be able to go out and claim benefits. Unfortunately, there are a lot of people that are taking advantage of this.
Hackers are sending emails to users saying, “If you want to get your benefits right away, please click here. Please provide us with your social security number so we can release your benefits.”
You do want to make your users aware that this is unfortunately a time when a lot of scams arise. Make sure they know to cast a wary eye when they receive an email purportedly from the government. The government will never contact an employee at their office email address. In fact, the government will never contact you by email about anything that would be for legitimate reasons.
So make sure your end users are trained to be distrustful and not to take everything at face value. If you do get an email that says it’s from the government, reach out separately and find out if it’s actually legitimate.
Thanks For Tuning In!
Ryan: That is it for today. Thank you Jim Matthews, Security Engineer at JumpCloud, for your time.
Thank you for listening to Where’s the Any Key? If you like what you heard, please feel free to subscribe. Again, my name is Ryan Bacon and I work for JumpCloud Directory-as-a-Service, where the team here is building a cloud-based platform for system and identity management. You can learn more and even set up a free account at jumpcloud.com.
So until next time, keep looking for that any key. If you find it, please let us know.