December 15, 2022
Widely used standards like NIST, ISO27001, PCI, US Federal TICv3, and AICPA SOC2 each specify a range of network-based controls: network segmentation, access control, stateful firewalls, wireless security, etc. They reflect three decades of experience networking in corporate environments and the evolving security concerns that have accompanied it.
You may adopt one or more of these standards based on your experience, by fiat based on your industry, because of the kind of data you handle, or through governance via an auditing firm. The standards can be characterized as minimal or “best practice”, so whenever we deviate from them we need a justification or a compensating control.
What happens to your compliance obligation when you explicitly allow users to work from home, either full-time or part-time? As of 2020, this became an expectation and a near-universal requirement. If you direct users to work from home, or you specifically allow them to work from home for a set number of days per week, is there a corresponding stipulation to apply network standards “where the users are”? Previously, working from home may have been viewed as occasional, for convenience only, or the equivalent of a traveling user, but now we’ve told our users that we expect them to work from home, at least some of the time. How do we apply network controls in this case? None of the standards make specific exceptions for users that are “working from home”.
Your first reaction in 2020 was probably to route users through your corporate infrastructure via an always-on VPN and so retain some of the visibility, detection, and prevention mechanisms you already had in place. There’s a trade-off here: depending on where users are in relation to the infrastructure, there may be a noticeable performance problem sending everything through the corporate perimeter, not to mention that all VPN data goes “in and out” and uses substantial network and processing resources. Vendors like Microsoft (O365/Teams) advise against doing this with their network connections and, in fact, may not offer support for slow-response issues if they determine users are not connecting directly to their platform.
Ditto SASE solutions (Zscaler, Palo Alto Prisma Access, and the like): now you send your work-from-home users through a third-party infrastructure, but again you may face performance issues, not to mention substantial administrative work in pushing out proprietary clients and maintaining them. And you typically still must split-tunnel some data due to requirements from SaaS services like O365. Add to that stringent compliance constraints like GDPR and EU labor agreements that regulate where private user data can be sent, often restricting it by country. Now you may need a SASE instance in multiple countries of operation, with all the administrative issues that go along with it.
And none of those solutions address two key compliance concerns: segmentation and access control (e.g. ISO27001 A.13.1.3, NIST 800-53 3.18, TIC 7.1, 7.2). When your users are at home, they are on a flat network and their work devices are directly adjacent to kids’ PCs, streaming devices, voice assistants, untrusted IoT devices, etc. They are also exposed to fragile home routers that are subject to exploits, default credentials, overly broad inbound access set up by users (often for gaming), and open WiFi networks. Think your users’ SOHO routers are not a target? Multiple reports were issued in 2022 on exactly that, for example:
- ZuoRAT Hijacks SOHO Routers To Silently Stalk Networks
- Unauthenticated Remote Code Execution in a Wide Range of DrayTek Vigor Routers
- Chaos Is A Go-Based Swiss Army Knife Of Malware
- Zerobot – New Go-Based Botnet Campaign Targets Multiple Vulnerabilities
So of course we put our trust in EDR and host-based firewalls, but these are also subject to interference from our users or to being disabled by malware. These controls rely at least in part on the health of the workstation they are trying to protect, and obviously they aren’t network controls; they are compensating host controls.
We don’t control any of the network elements in the home office and we’re only thinly protected from placing our work assets directly on the public network. Very few of us would support placing a workstation directly on the public network and simply trusting host controls to mitigate the risk.
To meet our network compliance requirements and mitigate our risk, we need a network perimeter where our users are: home. PCI, NIST, and UK Cyber Essentials-v3 all reference the potential for an “organization-controlled” router/firewall for work-from-home users. Ideally, this works in conjunction with, but doesn’t replace, our users’ home routers, because of privacy concerns. We don’t want to police private communications, only isolate work devices and enforce our GRC standards for them. We want to make the home network segment where our users connect equivalent to our office environment without taking over the home network.
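As an added illustration of the segmentation and access-control posture described above (example configuration, not DuskRise’s product or any standard’s text), here is an nftables ruleset for an organization-controlled router that sits behind the user’s home router. It assumes a constructed topology: eth0 is the upstream port plugged into the home router (home LAN 192.168.1.0/24) and eth1 serves the work segment (10.200.0.0/24); the work segment can reach the internet and the corporate VPN, but work and home devices cannot see each other, and drops are logged for SOC visibility.

```nftables
#!/usr/sbin/nft -f
# Added example, not DuskRise's configuration. Constructed topology:
#   eth0 = upstream port on the user's home router (home LAN 192.168.1.0/24)
#   eth1 = work segment behind the organization-controlled router (10.200.0.0/24)

flush ruleset

define WAN_IF   = "eth0"
define WORK_IF  = "eth1"
define HOME_LAN = 192.168.1.0/24
define WORK_LAN = 10.200.0.0/24

table inet work_segment {
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        # The router only needs a DHCP lease from the home router on its upstream side.
        iif $WAN_IF udp sport 67 dport 68 accept
        # Work devices may use the router itself for DHCP and DNS, nothing else.
        iif $WORK_IF udp dport { 67, 53 } accept
        iif $WORK_IF tcp dport 53 accept
        # Anything else arriving from the home LAN or the internet is logged and dropped.
        iif $WAN_IF log prefix "wfh-router-input-drop " drop
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        # Segmentation: work devices cannot reach kids' PCs, IoT or streaming devices.
        iif $WORK_IF ip daddr $HOME_LAN log prefix "wfh-lateral-drop " drop
        # Segmentation: no new connections into the work segment, whether from the
        # home LAN or from a port-forward the user opened on the home router.
        iif $WAN_IF oif $WORK_IF ct state new log prefix "wfh-inbound-drop " drop
        # Access control: the work segment may initiate outbound to the internet / VPN.
        iif $WORK_IF oif $WAN_IF ip saddr $WORK_LAN accept
    }

    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Work segment is NATed behind the router's upstream address (double NAT
        # through the home router is accepted in exchange for not touching it).
        oif $WAN_IF ip saddr $WORK_LAN masquerade
    }
}
```

The `wfh-*` log prefixes give the SOC a per-home signal for inbound probes and attempted lateral movement without inspecting any traffic on the family's side of the home router.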
Unfortunately, it’s often only after a breach that we review our compliance in detail. The twin questions are always: 1) what standard did we say we would apply, and 2) did we do that? The answers to those are what stand between a “learning experience”, where due diligence was followed but somehow circumvented, and liability for knowing the standard but failing to apply it, even for our work-from-home staff. Home is where our users are, and home is where we need network controls and endpoint controls.
The corporate network perimeter has been extended into untrusted networks, redefining the enterprise edge. Employees working from home are using these networks to access sensitive company assets, putting organizations at risk of lateral movement attacks. The DuskRise solution enables corporate security and segmentation policy management, extending office-grade protection to remote assets and users.
Schedule a demo today to see how it works.