The BYOD and BYOM of 2019 will seem tame by comparison to The Big Return of 2022 as workers enjoy the benefits of working between the office and home office. They will bring their favorite devices, software, and platforms, exponentially increasing vulnerabilities to the enterprise network. And while working from home and sharing files, who is defending the castle?
The #WFH VPN Vulnerability
For more than two decades, companies have relied on the encrypted connection a virtual private network (VPN) provides to enable employees to access corporate email and safely transmit data over the internet while traveling or working from remote locations.
Matthew Rakes, managing director, Information Technology and Cybersecurity at Unity Aluminum, suggested that depending on how well the IT department has defined route policies, a VPN might not mitigate all risks. “One of the problems you can run into is if someone has a compromised local network or device and they attach via VPN to the enterprise, then that device now has traffic flowing into your network.”
There's a degree of Big Brother that has been assumed acceptable when employees are on corporate property. “This is where I think we need to train users' expectations to understand better that when you're using a particular application, that we are going to be Big Brother, even if we are going to be hands-off of the rest of your network,” Rakes said.
The term “Big Brother” often conjures the idea that evidence is being gathered against the user. “I often think that the best view of this is quite the contrary,” Rakes added. “We should actually be seen more as defenders of the castle.” A strong, secure IT department should first and foremost aim to protect employees and the company data equally. “We should seek to not only protect data, but we should seek to help protect and defend the people that represent your company, and the best way to do that is providing them with secure tools that help them to know that they don't find themselves in a compromising situation,” he said.
Rakes is taking a long-term approach to adding technologies as employees return. “We are looking at what solutions and technologies we can acquire now that alleviate our immediate pain, but will allow us to better transition into higher efficiency once people come back to the office.” Post-COVID, Unity Aluminum will continue to have a flexible remote work policy. “But we recognize that one of many benefits of being in the office is collaboration,” Rakes said. “We are leveraging tools from Mersive, Cisco, and Microsoft, which helped us to bridge the gap.”
Whenever possible, Rakes deploys a cloud-first model for IT and AV solutions. “That takes a lot of onus off IT departments when you don't have to worry about security patches because Microsoft Azure is already handling that for you,” he said.
Unity leverages a suite of Cisco technologies for its wired and wireless on-premises networks. “We use Cisco identity services and Cisco capabilities that work as an umbrella that can identify known pieces of hardware and dynamically insert them on the correct VLAN, regardless of what network they initially connect to,” Rakes said. Moving toward a “zero trust” security model, “with Cisco Duo Security, you're able to achieve a dynamic resilience, so when someone connects to a network, enters their credentials to authenticate to that network, then it says, ‘Oh hey, I know who this person is. I can dynamically put them on the correct VLAN,’” he said.
When choosing AV solutions, Rakes looks to companies with a security-first approach. “One of the things we like about Mersive is the way they handle the communication from the Solstice client back to a pod is different than many other AV solutions,” Rakes said. “Mersive went from the approach first of, ‘How do we secure the transmission of that traffic?’ and then, ‘Now let’s make sure that the audio-video protocols work.’”
Verify and Enforce
When it comes to security and BYOD/BYOM devices, the primary challenge is the verification and enforcement of an organization’s security policy. “Organizationally owned assets can be standardized and remotely managed. This allows the organization to enforce security best practices on network devices,” said Paul Zielie, AV/IT industry consulting solutions architect at AVCoIP. “BYOx devices could bring in malware, which, once inside the organization, can do serious damage.”
The best way to mitigate risk is to require that a security package run on the BYOD hardware. “If employees want to use these devices on the organization’s network, require that the security package needs to be running while connected,” Zielie said. “You then use a port level security protocol like 802.1X, which checks that it is running before data is passed.”
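As an added example (not code from the article, Cisco, Duo or AVCoIP), the following Python models the two mechanisms described above: an 802.1X admission decision that combines identity with a posture check on the required security package, and the identity-based dynamic VLAN placement, expressed as the RFC 3580 RADIUS attributes a switch consumes. The VLAN ids, MAC inventory and field names are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed VLAN plan and asset inventory: placeholder values, not from
# the article or any real site.
CORP_VLAN, BYOD_VLAN, GUEST_VLAN, QUARANTINE_VLAN = 10, 20, 30, 99
CORP_ASSETS = {"00:11:22:33:44:55", "00:11:22:33:44:66"}


@dataclass
class Endpoint:
    mac: str
    authenticated: bool   # 802.1X credential check passed
    mfa_passed: bool      # second factor (Duo-style) passed
    agent_running: bool   # required security package reported running
    agent_current: bool = True  # package up to date per posture report


def decide_vlan(ep: Endpoint) -> int:
    """Map identity plus posture to a VLAN, in the order the checks fail."""
    if not ep.authenticated or not ep.mfa_passed:
        # No verified identity: internet-only guest segment, nothing internal.
        return GUEST_VLAN
    posture_ok = ep.agent_running and ep.agent_current
    if not posture_ok:
        # Authenticated but unprotected (corporate or BYOD): hold the port
        # where only remediation services are reachable, no data passed.
        return QUARANTINE_VLAN
    # MAC inventory alone is spoofable; real deployments pair it with
    # device certificates (EAP-TLS) or MDM enrolment before trusting it.
    return CORP_VLAN if ep.mac in CORP_ASSETS else BYOD_VLAN


def radius_vlan_attrs(vlan: int) -> dict:
    """Access-Accept attributes (RFC 3580) that tell the switch which VLAN
    to place the authenticated port on. 13 = VLAN, 6 = IEEE-802."""
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": str(vlan)}


if __name__ == "__main__":
    samples = [Endpoint("00:11:22:33:44:55", True, True, True),
               Endpoint("aa:bb:cc:dd:ee:ff", True, True, True),
               Endpoint("aa:bb:cc:dd:ee:ff", True, True, False),
               Endpoint("aa:bb:cc:dd:ee:ff", True, False, True)]
    for ep in samples:
        vlan = decide_vlan(ep)
        print(f"{ep.mac} -> VLAN {vlan} {radius_vlan_attrs(vlan)}")
```

In a real deployment the posture fields come from the supplicant or a NAC agent and the decision is made by the RADIUS server, not by the switch.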
"It is not realistic to add protection services to every device that may be added to a collaboration space, but there are still several steps AV/IT managers can take to enable safe, secure, and seamless collaboration and productivity," said Nathan Holmes, senior manager of Training at Snap One. "Segregating remote connectable collaboration areas from the rest of the corporate network, employing a Next-Gen firewall solution with unified threat protection services, and ensuring that your IT team is up to date on cybersecurity threats and employs best IT practices are some easy first steps to securing your corporate networks while supporting a remote workforce.
"AV/IT managers are accustomed to creating an Information Security (InfoSEC) plan for their respective businesses, but these plans are typically based upon most, if not all, employees residing within the controlled corporate network hardware area. With the move toward BYOD and BYOM, the InfoSEC plan should include strategies that allow employees to join the collaboration space through devices that may not employ protection services. To mitigate security threats for all devices, we recommend the following course of action: the development and execution of a comprehensive security policy that includes unified threat protection, provides each employee with the networking equipment they need to work remotely, ensures devices include active information security services, actively manages and updates these services, provides secure VPN access for each employee, and ensures there is a specific policy and procedure for connecting non-company-owned equipment to the corporate network."
"A modern collaboration platform should include a suite of security features to guard against a variety of risk scenarios," said Brian Cockrell, Intel Unite Solution Product Owner and Co-founder at Intel. "Robust encryption should be in place. The Intel Unite solution uses end-to-end TLS (transport layer security) encryption between a participant’s device and a room hub, whose connection to the server—on-prem or cloud—is also end-to-end TLS encrypted. In addition to encryption, there should be protections against unauthorized access to sessions, such as a rotating PIN, and the ability for participants to lock a meeting, as well as expel unwanted participants. Other security features include keystroke lockout, protected guest access, and the ability to authorize use by individual. Finally, content shouldn’t leave the organization’s network and usage data should be anonymous. These protections should be embedded in software that is easy to learn and use. Otherwise, disuse becomes the primary protection. Good for security, but bad for collaboration. The Intel Unite solution is a good example of a collaboration platform that includes all these features.
"When a new collaboration platform is combined with peripherals and plugins—especially in BYOD, BYOM, and remote environments—the result is a staggering number and variety of potential risks—some foreseeable, others novel. Do the research and choose tech wisely. Has the software been vetted by other users? Where is data going and is it sufficiently protected? What data is collected and where is it stored? Once the risks and benefits are fully understood, weigh those against a risk profile and choose the tools that provide the best balance."