End of WFH May Make Security Worse, Not Better



As vaccine rollouts pick up steam, it’s time to start thinking about the day after.

The sudden shift to work from home (WFH) opened up security loopholes that enabled attackers to compromise employee devices and remotely access their networks. As a result, during COVID-19, we’ve seen an unprecedented rise in cyberattacks, which can be attributed in part to the economic and geopolitical consequences of the pandemic, which have created new opportunities for threat actors to target and attack organizations.

Once a significant portion of the population is vaccinated, many companies will start returning to normal and allow WFH employees to go back to the office. At first glance, it would seem that the end of WFH would strengthen the security posture of most organizations, since employees will be returning to the safety and comfort of the corporate network perimeter.

But is working within the perimeter really more secure? Has it ever been? Unfortunately, we are seeing that hackers consistently find ways to bypass perimeter security solutions and are able to breach the network. The recent SolarWinds supply chain attack demonstrated that threat actors were able to compromise more than 10,000 networks, without ever having to breach a firewall. Be it supply-chain attacks, zero-days in Internet-connected devices, or plain old brute-force attacks, there are many ways to gain access to the network and penetrate the perimeter.

Furthermore, the return of WFH devices to corporate offices will introduce a significant risk, since they have been exposed to multiple threat vectors. For example, corporate devices may have been used by family members for unsafe activities. Since traffic egressing from these devices to the Internet is not being inspected by a company security gateway, some of the devices are likely to have been exposed to malware.

Therefore, there is a very high probability that malware is sitting on these devices just waiting for the next time they connect to a high-value corporate network where they can exploit stolen credentials to move laterally and access sensitive infrastructure and data.

Fortunately, many security-conscious organizations have adopted a partial zero-trust approach to protect their cloud applications being accessed from non-secure networks, like employees’ homes. With this approach, any device, including a device used for working from home, is considered untrusted and requires verification before it is allowed to access sensitive corporate resources. But all too often, this zero-trust approach is only enforced on cloud applications, leaving on-premise systems, administrative interfaces, infrastructure, IoT devices and endpoints exposed to compromised devices connecting from within the network.

While organizations understand the value of a zero-trust security model and agree that it’s a necessary part of their cybersecurity strategy, we still don’t see widespread adoption. Implementing micro-segmentation with proxies, or adding protections that require software agents, is a very difficult task in today’s diverse networks. Many organizations resort to implementing the model on a small subset of the organization’s applications, rather than adopting a full network-wide zero-trust security model.

Despite these challenges, implementing a zero-trust security model on the corporate network and in cloud environments becomes even more critical as WFH winds down. Today, more than ever, we need to monitor access from inside and outside the network and analyze it to detect anomalies and suspicious activity.

Here are several security best practices to consider when planning a process for returning to the office:

  • Monitor access from all devices, especially those used for WFH and over insecure environments, for unusual and high-risk events
  • Use identity-based segmentation policies to prevent WFH devices from accessing administrator interfaces of sensitive systems
  • Enforce risk-based authentication for all on-premise access to sensitive systems
  • Implement and enforce network-wide identity-based zero-trust policies
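
A minimal sketch of how the first three practices can combine into one access decision, added here as an illustration and not taken from the author or any product. The host names, ports, risk weights, threshold and sample events are all assumptions constructed for the example.

```python
from typing import NamedTuple

# Everything here (host names, ports, weights, threshold) is an assumption
# made for this illustration; tune to your own environment.
SENSITIVE = {"dc01", "hr-db"}      # hypothetical sensitive on-premise systems
ADMIN_PORTS = {22, 3389, 5985}     # SSH, RDP, WinRM treated as admin interfaces
STEP_UP_AT = 40                    # risk score at which MFA is required

class Access(NamedTuple):
    user: str
    device: str
    target: str
    port: int
    wfh_device: bool   # device was used off-network during WFH
    first_time: bool   # this user has not accessed this target before
    mfa_done: bool

def risk(a: Access) -> int:
    """Additive score from identity and device context, not network location."""
    return 40 * a.wfh_device + 30 * a.first_time + 20 * (a.port in ADMIN_PORTS)

def decide(a: Access) -> str:
    sensitive = a.target in SENSITIVE
    # Identity-based segmentation: WFH devices never reach admin interfaces
    # of sensitive systems, regardless of MFA.
    if sensitive and a.wfh_device and a.port in ADMIN_PORTS:
        return "deny"
    # Risk-based authentication for on-premise access to sensitive systems.
    if sensitive and risk(a) >= STEP_UP_AT and not a.mfa_done:
        return "step_up_mfa"
    return "allow"

def monitor(events):
    """Return every event worth an analyst's look: blocked, challenged or high-risk."""
    return [(e.user, e.target, decide(e), risk(e)) for e in events
            if decide(e) != "allow" or risk(e) >= STEP_UP_AT]

# Constructed sample events (not real log data).
EVENTS = [
    Access("alice", "laptop-17", "dc01", 3389, True, False, True),
    Access("bob", "laptop-22", "hr-db", 5432, True, True, False),
    Access("bob", "laptop-22", "hr-db", 5432, True, True, True),
    Access("carol", "desk-03", "hr-db", 5432, False, False, False),
    Access("dave", "desk-09", "dc01", 22, False, True, False),
]

if __name__ == "__main__":
    for row in monitor(EVENTS):
        print(row)
```

Note that the decision never consults the source network: a device inside the perimeter is scored the same way as one outside it, and an allowed but high-risk access still surfaces for monitoring.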

It is possible to implement zero-trust policies across both on-premise and cloud infrastructures with the right architecture and tools. Focusing on identity as a control plane is a good place to start. With hybrid WFH and in-the-office policies likely to remain in force for the foreseeable future, “never trust, always verify” has never been more important.


Blogs posted to the RSAConference.com website are intended for educational purposes only and do not replace independent professional judgment.  Statements of fact and opinions expressed are those of the blog author individually and, unless expressly stated to the contrary, are not the opinion or position of RSA® Conference, RSA Security LLC or any other co-sponsors. RSA Conference does not endorse or approve, and assumes no responsibility for, the content, accuracy or completeness of the information presented in this blog.

