InsideNow

Ensuring cyber-safe remote working becomes the new standard

Before the COVID-19 outbreak, enterprises devoted most of their technology and security spending to revenue generation and operational efficiency.

Authors

Stéphane Hurtaud - Sponsoring Partner - Cyber Risk - Deloitte

Yasser Aboukir - Senior Manager - Cyber Risk - Deloitte

Raphael Naegert - Consultant - Cyber Risk - Deloitte

Published on 21 January 2021

The year 2020 will probably be remembered as one of the most challenging years in recent memory, particularly for IT professionals. The COVID-19 pandemic forced organizations to rethink their way of working entirely. Governments widely adopted confinement measures, and organizations had to provide employees with the means and infrastructure to work remotely. While remote working is not new to organizations, the sudden shift to global and widespread use of these infrastructures has introduced a new set of risks for leaders and executives to consider.

This shift hinges on a key decision: which form of remote access to adopt. The decision should be based on the context and capabilities of the organization, and on how well the organization can manage the risks associated with each type. Whether remote access is provided through a traditional VPN or through alternative Remote Access Services (RAS) such as Virtual Desktop Infrastructure (VDI) and Remote Desktop Services (RDS), the choice should be driven by business requirements and take security safeguards into account.

What security risks are associated with this shift to remote working?

As with any technology rollout in a corporate environment, this shift towards remote working brings tangible security risks. For organizations new to this operating model, it may involve considerable operational and security changes, requiring the implementation of new remote working components. These generally fall into three distinct categories.

These core remote working components carry risks and threats that must be addressed before going live, for example:

  • Traditional network design principles still apply to remote working infrastructures and need to be enforced, including network segmentation, Active Directory hardening, etc.
  • Communication between remote working endpoints and the on-premises infrastructure should be mutually authenticated and encrypted to mitigate traffic interception and manipulation (e.g. Man-in-the-Middle attacks).
  • For identity management, remote users' identities need to be strongly established, with measures such as strong password policies and multi-factor authentication (MFA).

These examples are only a sample of the risks. Organizations should carry out a proper risk assessment of these critical infrastructures.

What are the most represented types of remote working solutions?

The traditional option: Virtual Private Networks

Virtual Private Networks (VPNs) have the highest adoption rate of the available remote working options. A VPN client establishes an encrypted tunnel from the remote workstation to a VPN gateway on the corporate perimeter and provides access to internal resources as if the workstation were directly connected to the internal network. This is also the model's main weakness: a compromised or infected remote workstation becomes, from the network's point of view, an internal host.

An alternative path: Remote Access Services

Remote Access Services (RAS), such as Virtual Desktop Infrastructure (VDI) and Remote Desktop Services (RDS), do not virtually connect a remote endpoint to the internal network. Instead, RAS let a user connect to an endpoint that is already on the internal network. Also known as desktop virtualization technologies, VDI and RDS have been increasingly adopted in corporate environments in recent years.

VDI runs each user's desktop environment in a dedicated virtual machine (VM) on a central server hosted by the organization. These VMs are created on the fly from a master image of a hardened operating system and can use either persistent or non-persistent storage; a non-persistent desktop is discarded at logoff, together with any changes an attacker made to it.

While often considered equivalent, RDS offers an additional level of granularity compared to VDI: access can be limited to individual published applications (RemoteApp) instead of a full operating system. With RDS, multiple users share the same underlying system, running as a shared VM, and each user has their own session on a Remote Desktop Session Host (RDSH). The flip side of this sharing is that a privilege escalation in one session affects every session on that host, so RDSH hardening matters more than the hardening of any single VDI desktop.

Illustrative architecture of remote working technologies

RAS as a new (standard) way of working

Keeping control with desktop virtualization

VDI and RDS are serious contenders for granting corporate users access to resources. These technologies offer many ways to restrict access to the minimum required, allowing IT environments to adhere to the principle of least privilege and hindering an attacker's movement and capabilities in the event of a compromise.

Some organizations have already switched from dedicated physical workstations to dedicated VDI desktops. One major advantage of this switch is the ability to isolate processed data: a security-hardened VDI can be configured to block data transfer out of the session (for example clipboard, drive, printer and USB redirection), which makes these environments difficult for an adversary to exfiltrate from.

Organizations nevertheless need to assess their resilience to VDI "breakouts", that is, an attacker moving from an initially compromised VDI session to another system. A recently published Global Threat Report put the average "breakout time" in 2019 at nine hours. While this average varies with the security controls in place and the threat actors involved, system, VDI and network hardening measures are meant to detect and prevent these scenarios and, if they do occur, to contain them. After gaining an initial foothold in an employee's VDI instance, an attacker needs a way to persist in the targeted organization's information system, which is harder on non-persistent desktops that are rebuilt from the master image at every logon. Adversaries can attempt this vertically (privilege escalation, e.g. compromising the local administrator account) and/or horizontally (lateral movement to another system on the network).
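The data-transfer restrictions and breakout containment described above translate, on a Windows VDI master image or RDSH, into a handful of RDP session settings. The following audit script is an added example written for this page, not code from the article or from Deloitte. It reads the documented registry values behind the "Remote Desktop Session Host" Group Policy settings (the GPO location takes precedence over the per-listener WinStation location, so both are consulted). The set of checks and the thresholds are this example's choices, not a published baseline; it covers native RDP only, so brokers such as Citrix or VMware Horizon need their own policy checks.

```powershell
# Added example (not from the original article): audit the RDP listener settings that a
# hardened VDI/RDS image should enforce. Reads the local registry only; run as Administrator
# on the RDSH or on the VDI master image before it is sealed.

$policy     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'   # GPO-managed values
$winStation = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'  # listener config

function Get-RdpSetting {
    param([string]$Name)
    # A policy value wins over the listener value; $null means "not configured anywhere".
    foreach ($path in @($policy, $winStation)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) { return $item.$Name }
    }
    return $null
}

# Meaning of the values checked (all are documented Windows registry values):
#   UserAuthentication 1 -> Network Level Authentication required before a session exists
#   SecurityLayer      2 -> TLS required for the transport; legacy "RDP security" refused
#   MinEncryptionLevel 3 -> "High" (128-bit), 4 -> FIPS; lower levels allow weak ciphers
#   fDisableClip       1 -> clipboard redirection off (no copy/paste out of the session)
#   fDisableCdm        1 -> client drive redirection off (no file transfer via mapped drives)
#   fDisableCpm        1 -> client printer redirection off (no "print to PDF" exfiltration)
#   fDisablePNPRedir   1 -> plug-and-play device (e.g. USB storage) redirection off
$checks = @(
    @{ Name = 'UserAuthentication'; Expect = { param($v) $v -eq 1 }; Why = 'NLA keeps unauthenticated clients away from the logon screen' },
    @{ Name = 'SecurityLayer';      Expect = { param($v) $v -eq 2 }; Why = 'TLS blocks downgrade to legacy RDP security and MitM' },
    @{ Name = 'MinEncryptionLevel'; Expect = { param($v) $v -ge 3 }; Why = 'Rejects low / client-compatible encryption' },
    @{ Name = 'fDisableClip';       Expect = { param($v) $v -eq 1 }; Why = 'Blocks data exfiltration via the clipboard' },
    @{ Name = 'fDisableCdm';        Expect = { param($v) $v -eq 1 }; Why = 'Blocks file transfer via drive redirection' },
    @{ Name = 'fDisableCpm';        Expect = { param($v) $v -eq 1 }; Why = 'Blocks exfiltration via redirected printers' },
    @{ Name = 'fDisablePNPRedir';   Expect = { param($v) $v -eq 1 }; Why = 'Blocks redirected USB and other PnP devices' }
)

function Test-RdpHardening {
    # Returns one result object per check; an unset value is a FAIL, since the Windows
    # default for every setting above is the permissive one.
    foreach ($c in $checks) {
        $value = Get-RdpSetting -Name $c.Name
        $pass  = ($null -ne $value) -and (& $c.Expect $value)
        $shown = if ($null -eq $value) { '(not set)' } else { $value }
        [pscustomobject]@{
            Setting = $c.Name
            Value   = $shown
            Status  = if ($pass) { 'PASS' } else { 'FAIL' }
            Reason  = $c.Why
        }
    }
}

$report = Test-RdpHardening
$report | Format-Table -AutoSize

# Non-zero exit code lets an image-build pipeline refuse to seal a master image that fails.
if ($report.Status -contains 'FAIL') { exit 1 } else { exit 0 }
```

Run it on a freshly built image and again after Group Policy has applied: a PASS on the listener key alone can be silently overridden by a later GPO, which is why the script prefers the policy location. These settings do not by themselves stop a breakout; they remove the easy exfiltration channels, and the vertical and horizontal movement described above still needs to be addressed by host hardening, segmentation and monitoring of the VDI network.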

Conclusion

  • Remote access components are critical for organizations and provide real solutions for current and upcoming challenges, as they enable external access to internal resources.
  • Even when organizations implement stringent security controls for remote working connections, residual risks remain. These include vulnerabilities in the remote access gateway itself, the physical security of remote working endpoints, and BYOD risks such as device theft or device compromise.
  • These residual risks must be taken into account when implementing and maintaining a remote working infrastructure. Despite these considerations, the odds are high that remote working, and remote access services in particular, will continue to expand.
