We were recently approached by the press to provide some policy guidelines for companies adopting the hybrid or 100%-remote model.
Truth be told, GlobalDots’ legacy of remote work dates back to the surge of Skype. Yes, we’ve been working remotely for quite a while, so for us, the Pandemic didn’t change much.
It is this time-honored tradition which makes us pursue the easiest, most effective way to secure the distributed organization: For our clients, as well as for our own assets. And today, we believe, this comes down to a single trending term: Zero Trust Access.
These guidelines below will inspire you where to start your own Zero Trust journey.
What is a proper remote work policy in 2022?
All remote users should be given Zero Trust network access (no VPN) with enforced, adaptive MFA for application access. A VPN should additionally be provided for use on untrusted Wi-Fi networks.
What should I allow employees to do with their own devices?
Only web access should be allowed from BYODs. This means no email is downloaded locally, and apps must be consumed via a Zero Trust web portal.
How should I treat traffic from risk areas, like China?
Remote access should be restricted to the countries from which you expect traffic (i.e. where you have employees and/or locations they travel to/from). Other countries are blacklisted from remote access. Adaptive MFA tracks each user's location, so if a user is seen in Germany and 10 minutes later tries to access from Russia, stronger authentication will be required (as travelling this distance in this time is impossible).
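To make the location rule concrete, here is an added example (not GlobalDots code) of the two checks described above: a country allowlist, and an impossible-travel check that requests step-up authentication when consecutive logins imply a travel speed no aircraft could reach. The allowed country codes, the coordinates, the 1000 km/h threshold and the login events are all constructed sample values.

```python
import math
from datetime import datetime

# Constructed sample allowlist: countries where employees live or travel to.
ALLOWED_COUNTRIES = {"DE", "NL", "IL", "GB"}
# Fastest plausible travel speed in km/h; faster implies impossible travel (assumed threshold).
MAX_SPEED_KMH = 1000.0

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))

def evaluate_login(prev, cur):
    """Decide 'allow', 'step-up' (stronger MFA) or 'deny' for login `cur` given the previous login."""
    if cur["country"] not in ALLOWED_COUNTRIES:
        return "deny"  # geo-restriction: country not expected to originate traffic
    if prev is None:
        return "allow"  # first observed login; nothing to compare against
    dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    hours = (cur["ts"] - prev["ts"]).total_seconds() / 3600
    if hours <= 0 or dist / hours > MAX_SPEED_KMH:
        return "step-up"  # out-of-order timestamps or impossible travel: require stronger auth
    return "allow"

def evaluate_sequence(logins):
    """Evaluate one user's login events in time order; returns one decision per event."""
    decisions, prev = [], None
    for cur in sorted(logins, key=lambda e: e["ts"]):
        decisions.append(evaluate_login(prev, cur))
        if decisions[-1] != "deny":
            prev = cur  # denied logins never become the user's last known location
    return decisions

# Constructed sample login events (approximate city coordinates).
SAMPLE_LOGINS = [
    {"ts": datetime(2022, 3, 1, 9, 0), "country": "DE", "lat": 50.11, "lon": 8.68},   # Frankfurt
    {"ts": datetime(2022, 3, 1, 9, 10), "country": "IL", "lat": 32.07, "lon": 34.78}, # Tel Aviv, 10 min later
    {"ts": datetime(2022, 3, 1, 9, 20), "country": "RU", "lat": 55.75, "lon": 37.62}, # Moscow, blocked country
    {"ts": datetime(2022, 3, 1, 13, 0), "country": "DE", "lat": 50.11, "lon": 8.68},  # back in Frankfurt
]

if __name__ == "__main__":
    for login, decision in zip(sorted(SAMPLE_LOGINS, key=lambda e: e["ts"]), evaluate_sequence(SAMPLE_LOGINS)):
        print(login["ts"].isoformat(), login["country"], "->", decision)
```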
What is a proper security policy when employees travel for work?
Travel devices are not necessary if all resources employees consume are either SaaS or provided through a Zero Trust access portal. All devices are treated equally, i.e. as untrusted!
Employees should be instructed never to connect to open, unsecured wireless networks. Where such a network is the only option, enforce use of a secure VPN for all traffic. An example would be an open coffee-shop Wi-Fi with no password: here the user connects to the Wi-Fi first, then to a secured VPN that tunnels all requests away from prying eyes.
How do you get security clearance for WFH workforce?
Basic training on the do's and don'ts of remote work must be given to all new starters as part of employee onboarding. The IT department signs this off, and only then is remote work allowed.
How do you audit employee compliance?
For any action that would put company data at risk, ensure that systems do not allow non-compliant behavior. For other activities, make sure you have Zero Trust access logs and audit trails. User web access to social and gambling sites (for example) can generally be allowed, but log data should be available in case the 'fair usage' policy is not adhered to.
Adopt Zero Trust Today
Your Zero Trust journey doesn’t have to be lengthy. At GlobalDots, we have unrivaled access to the latest technologies, and implementation expertise to get your defenses up and running the same day.
Leave a message for a commitment-free consultancy!