COVID-19: REDESIGN's Response

Fern Sianglam, March 16th, 2020


[RE]DESIGN is taking proactive measures to enable our clients to prioritize the health and wellness of the community while maintaining productivity and minimizing business risk. Here are several methodologies for your consideration as you look to adopt a virtual workforce.


Virtual Workforce Solutions


Network-based Remote Access

Remote access VPN with your firewall or OpenSSL. Provided only to authorized personnel with a business need.


Implementation guideline:

  • AES 256-bit

  • 2FA or greater, hard or soft tokens

  • Dedicated landing subnet

  • Unique (per-person) credentials ideally directory bound (AD)

  • Adopt inactivity disconnection after 20 minutes


Operational guidelines:

  • Alerting to management for successful/failed logins

  • Weekly review of VPN activity
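
One way to carry out the weekly review described above, as an added example that is not [RE]DESIGN's own tooling: it tallies successful/failed logins per user and flags sessions that stayed connected past the 20-minute inactivity limit, accounts with repeated failures, and accounts with two live sessions from different addresses (a possible shared credential). The key=value log layout, the `FAIL_THRESHOLD` value and all sample events are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

IDLE_LIMIT = timedelta(minutes=20)  # inactivity limit from the implementation guideline
FAIL_THRESHOLD = 3                  # assumed review threshold, not from the guideline

# Constructed sample events; the key=value layout is an assumption, not a vendor format.
SAMPLE_LOG = """\
2020-03-16T09:00:00 event=login user=asmith src=198.51.100.7 result=success
2020-03-16T09:05:00 event=login user=bjones src=203.0.113.9 result=fail
2020-03-16T09:05:20 event=login user=bjones src=203.0.113.9 result=fail
2020-03-16T09:05:41 event=login user=bjones src=203.0.113.9 result=fail
2020-03-16T09:10:00 event=activity user=asmith src=198.51.100.7
2020-03-16T09:45:00 event=activity user=asmith src=198.51.100.7
2020-03-16T10:00:00 event=login user=asmith src=192.0.2.44 result=success
2020-03-16T10:02:00 event=logout user=asmith src=198.51.100.7
"""

def parse(line):
    """Split 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *pairs = line.split()
    rec = dict(p.split("=", 1) for p in pairs)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def weekly_review(text):
    logins = defaultdict(lambda: {"success": 0, "fail": 0})
    last_seen = {}   # (user, src) -> time of the last event in an open session
    findings = []
    for rec in map(parse, filter(None, text.splitlines())):
        user, key = rec["user"], (rec["user"], rec["src"])
        if rec["event"] == "login":
            logins[user][rec["result"]] += 1
            if rec["result"] != "success":
                continue
            # Same account already has a live session from another address.
            if any(u == user and s != rec["src"] for u, s in last_seen):
                findings.append(("concurrent_sessions", user))
        elif key in last_seen and rec["ts"] - last_seen[key] > IDLE_LIMIT:
            # Session survived a gap longer than the limit: disconnect not enforced.
            findings.append(("idle_limit_not_enforced", user))
        if rec["event"] == "logout":
            last_seen.pop(key, None)
        else:
            last_seen[key] = rec["ts"]
    for user, counts in logins.items():
        if counts["fail"] >= FAIL_THRESHOLD:
            findings.append(("repeated_failures", user))
    return dict(logins), findings
```
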


Production network/system access:

  • Adopt bastion host model (jump box)

  • The jump box should be in a service (or dedicated) VLAN

  • Jump box authentication to use different credentials from VPN (if AD is not in use)

  • Ongoing access to production systems to use RDP/VNC or another type of remote desktop such as NoMachine


PROs:

  • The only industry-recognized solution, including MPA/TPN

  • Centralized control/provisioning by engineering

  • Strong security


CONs:

  • Requirement for enterprise firewall (or VPN device)

  • Requirement for VPN licensing

  • Engineering expertise to set up


Do ensure:


All mobile/tablet devices:

  • Are encrypted using native encryption for Android/iPhone

  • Authenticate with unique PIN/biometrics/passcode


All desktop/laptop systems:

  • Are dedicated to purpose (not shared with anyone)

  • Are encrypted with BitLocker/FileVault

  • Authenticate with unique username/password

  • Are running effective malware protection

  • Use non-admin/non-root accounts, with privilege escalation where necessary


Do not:

  • Use portable HDDs (encrypted or otherwise) to transfer content/projects to residential environments (and non-corporate facilities)

  • Use personal devices (laptops/tablets) to directly access content/projects

  • Use open Wi-Fi networks (that require no passphrase to connect)


Consider:

  • Enabling 2FA on all cloud services such as G Suite and O365

  • Only using trusted Wi-Fi networks that require passphrase to connect (WPA2)

  • Tethering from your mobile device rather than public Wi-Fi networks


Alternative Solutions that Require Client Approval


Services-based Remote Access


Implementation guideline:

  • Use of PCoIP protocol

  • Teradici remote host (workstation) card

  • Teradici cloud access (connector/gateway server)

  • Horizon View with VMware agent VDI implementation (hardware or software)

  • Consider implementing gateway through a VPN or NAT


PROs:

  • Recognized by the industry

  • Strong security

  • Assets remain on production network/systems

  • Encrypted “stream of pixels”

  • Adopts low-latency approach

  • Remote host card accommodates high-performance workflows


CONs:

  • Licensing costs apply

  • Hardware costs (if using remote host card) apply

  • Hardware requirements (servers, can be virtual) apply

  • Engineering expertise required to set up



Host-based Remote Access


Implementation guideline:

  • AnyDesk/NoMachine/TeamViewer/HP RGS

  • Must be centrally managed (and enterprise licensed)

  • Must adopt 2FA, hard or soft tokens

  • Is tied to corporate email accounts (not free/personal)

  • Applies same bastion host model as with VPN


PROs:

  • Straightforward to implement

  • No hardware required

  • Encrypted


CONs:

  • Easy to compromise (by accident/intent)

  • Lack of control/visibility by business/engineering

  • Not the strongest security implementation



Cloud-based Workflow


Implementation guideline:

  • AWS/Azure

  • Not considered remote access

  • Production workstations are “spun up” as required

  • Assets/content ingested direct to cloud


PROs:

  • Extremely resilient infrastructure/workflow

  • Can access from anywhere (that is authorized)


CONs:

  • Extensive workflow design required

  • Rolling/ongoing costs apply



What Solution is Best for You?


As always, [RE]DESIGN is vigilant about helping our clients align with industry security policies and guidelines. We encourage you to consult with us on the best option for your business.


Our Remote Workforce Assessment is a fast and easy way for us to gather the essentials about your current environment so we can make a recommendation.



Contact Laura Coover with questions, concerns, or to arrange a brief discovery call.

lcoover@redesign-group.com
