COVID-19: REDESIGN's Response

Fern Sianglam, March 16th, 2020

[RE]DESIGN is taking proactive measures to enable our clients to prioritize the health and wellness of the community while maintaining productivity and minimizing business risk. Here are several methodologies for your consideration as you look to adopt a virtual workforce.

Virtual Workforce Solutions

Network-based Remote Access

Remote-access VPN terminated on your firewall, or an SSL/TLS VPN such as OpenVPN, provided only to authorized personnel with a business need.

Implementation guideline:

  • AES-256 encryption for the tunnel (disable legacy ciphers such as 3DES and Blowfish)

  • 2FA or greater, hard or soft tokens

  • Dedicated landing subnet

  • Unique, per-person credentials (no shared accounts), ideally bound to the directory (Active Directory)

  • Adopt inactivity disconnection after 20 minutes
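
The guideline above can be checked mechanically. The following is an added example (not REDESIGN's own tooling) that audits an OpenVPN-style server configuration for each bullet: AES-256 only, a TLS 1.2 floor, one certificate per person (no duplicate-cn), a dedicated landing subnet, a directory/2FA authentication hook via the PAM plugin, and a pushed 20-minute inactivity disconnect. The directive names are OpenVPN's; both sample configurations, the subnet and the plugin path are constructed for illustration.

```python
"""Audit an OpenVPN-style server config against the VPN implementation guideline.

Added example, not REDESIGN's own tooling. Directive names are OpenVPN's;
both sample configs below are constructed for illustration only.
"""
import shlex

# Constructed weak config: legacy cipher, no TLS floor, shared client certs
# allowed, client certs optional, no dedicated subnet, no idle disconnect,
# no directory/2FA authentication hook.
WEAK_CONFIG = """
port 1194
proto udp
dev tun
cipher BF-CBC
duplicate-cn
client-cert-not-required
"""

# Constructed config that meets the guideline (subnet and plugin path assumed).
HARDENED_CONFIG = """
port 1194
proto udp
dev tun
# dedicated landing subnet
server 10.250.0.0 255.255.255.0
# OpenVPN 2.5+ negotiated cipher list, plus legacy 'cipher' for older clients
data-ciphers AES-256-GCM
cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
verify-client-cert require
# PAM plugin: directory (AD/LDAP) password plus OTP as second factor
plugin /usr/lib/openvpn/openvpn-plugin-auth-pam.so openvpn
# disconnect the client after 20 minutes without traffic
push "inactive 1200"
"""


def parse_config(text):
    """Return {directive: [argument lists]} so repeated directives (push) are kept."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = shlex.split(line)  # keeps "inactive 1200" as one argument
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def pushed_inactive_seconds(cfg):
    """Smallest pushed 'inactive' timeout in seconds, or None if none is pushed."""
    timeouts = []
    for args in cfg.get("push", []):
        words = args[0].split() if args else []
        if len(words) >= 2 and words[0] == "inactive" and words[1].isdigit():
            timeouts.append(int(words[1]))
    return min(timeouts) if timeouts else None


def audit(text):
    """Return a list of guideline violations (an empty list means the config passes)."""
    cfg = parse_config(text)
    findings = []

    # AES-256: collect every cipher either directive would allow.
    ciphers = set()
    for args in cfg.get("cipher", []) + cfg.get("data-ciphers", []):
        ciphers.update(c.upper() for arg in args for c in arg.split(":"))
    if not ciphers:
        findings.append("no cipher configured; the default may be a legacy cipher")
    elif any(not c.startswith("AES-256") for c in ciphers):
        findings.append(f"non-AES-256 cipher(s) allowed: {sorted(ciphers)}")

    tls_min = cfg.get("tls-version-min", [[]])[0]
    if not tls_min or float(tls_min[0]) < 1.2:
        findings.append("TLS 1.2 floor not set (tls-version-min 1.2)")

    # Unique per-person credentials: one client certificate per person.
    if "duplicate-cn" in cfg:
        findings.append("duplicate-cn lets one client certificate be shared by several people")
    verify = cfg.get("verify-client-cert", [["require"]])[0]
    if "client-cert-not-required" in cfg or verify[:1] != ["require"]:
        findings.append("client certificates are not required")

    if "server" not in cfg:
        findings.append("no dedicated landing subnet declared (server <network> <netmask>)")

    # Directory-bound authentication and 2FA are usually delivered via the PAM plugin.
    if not any("auth-pam" in " ".join(args) for args in cfg.get("plugin", [])):
        findings.append("no directory-bound/2FA authentication hook (e.g. PAM plugin)")

    idle = pushed_inactive_seconds(cfg)
    if idle is None or idle > 20 * 60:
        findings.append('no inactivity disconnect of 20 minutes or less (push "inactive 1200")')
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit(text) or "passes guideline")
```

Run it against an exported server configuration to get a per-bullet gap list; the same checks map onto a firewall vendor's VPN settings even though the directive names differ.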

Operational guidelines:

  • Alert management on successful and failed logins

  • Weekly review of VPN activity
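
The two operational bullets need more than eyeballing raw logs. Below is an added example (not REDESIGN's own tooling) of the review logic a practitioner would run over a week of VPN authentication events: it alerts on a burst of failed logins for one account, on a success that immediately follows such a burst (a possible guessed or stuffed credential), and on successful logins outside business hours, then summarises per-user successes, failures and source addresses for the weekly review. The log line format and the sample events are constructed; adapt the regular expression to your firewall or VPN vendor's export.

```python
"""Weekly VPN log review: failed-login bursts, success-after-burst, off-hours logins.

Added example, not REDESIGN's own tooling. The log format is a constructed,
generic one; the events below are sample data, not real traffic.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample week of VPN authentication events (documentation IP ranges).
SAMPLE_LOG = """\
2020-03-09 08:55:12 vpn auth user=alice src=203.0.113.10 result=SUCCESS
2020-03-09 09:02:44 vpn auth user=bob src=198.51.100.7 result=SUCCESS
2020-03-10 02:13:05 vpn auth user=carol src=192.0.2.55 result=FAILURE
2020-03-10 02:13:21 vpn auth user=carol src=192.0.2.55 result=FAILURE
2020-03-10 02:13:40 vpn auth user=carol src=192.0.2.55 result=FAILURE
2020-03-10 02:14:02 vpn auth user=carol src=192.0.2.55 result=FAILURE
2020-03-10 02:14:19 vpn auth user=carol src=192.0.2.55 result=FAILURE
2020-03-10 02:14:37 vpn auth user=carol src=192.0.2.55 result=SUCCESS
2020-03-11 18:30:00 vpn auth user=alice src=203.0.113.10 result=SUCCESS
2020-03-12 23:45:10 vpn auth user=bob src=198.51.100.9 result=SUCCESS
2020-03-13 09:10:00 vpn auth user=dave src=203.0.113.77 result=FAILURE
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) vpn auth "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


def parse_events(text):
    """Parse log lines into dicts, skipping lines that are not auth events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "user": m["user"], "src": m["src"], "result": m["result"],
        })
    return sorted(events, key=lambda e: e["ts"])


def review(events, fail_threshold=5, window=timedelta(minutes=10), business_hours=(7, 20)):
    """Return (findings, summary).

    findings: list of (kind, user, timestamp) alerts for management.
    summary:  per-user counts and distinct source addresses for the weekly review.
    """
    findings = []
    summary = defaultdict(lambda: {"success": 0, "failure": 0, "sources": set()})
    recent_failures = defaultdict(list)  # user -> failure timestamps inside the window

    for e in events:
        s = summary[e["user"]]
        s["sources"].add(e["src"])
        if e["result"] == "FAILURE":
            s["failure"] += 1
            fails = recent_failures[e["user"]]
            fails.append(e["ts"])
            fails[:] = [t for t in fails if e["ts"] - t <= window]  # slide the window
            if len(fails) == fail_threshold:  # fire once when the threshold is reached
                findings.append(("failed_login_burst", e["user"], e["ts"]))
        else:
            s["success"] += 1
            fails = [t for t in recent_failures[e["user"]] if e["ts"] - t <= window]
            if len(fails) >= fail_threshold:  # success right after a burst is the worst case
                findings.append(("success_after_burst", e["user"], e["ts"]))
            recent_failures[e["user"]].clear()
            if not business_hours[0] <= e["ts"].hour < business_hours[1]:
                findings.append(("off_hours_login", e["user"], e["ts"]))

    plain = {u: {"success": v["success"], "failure": v["failure"], "sources": sorted(v["sources"])}
             for u, v in summary.items()}
    return findings, plain


if __name__ == "__main__":
    alerts, weekly = review(parse_events(SAMPLE_LOG))
    for kind, user, ts in alerts:
        print(f"ALERT {kind:20} {user:8} {ts}")
    for user, s in sorted(weekly.items()):
        print(f"{user:8} ok={s['success']} failed={s['failure']} sources={s['sources']}")
```

The thresholds (five failures in ten minutes, 07:00 to 20:00 as business hours) are starting points; tune them to your head count and time zones, and route the "success_after_burst" alert to someone who can disable the account the same day rather than at the weekly review.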

Production network/system access:

  • Adopt bastion host model (jump box)

  • The jump box should be in a service (or dedicated) VLAN

  • Jump box authentication to use different credentials from VPN (if AD is not in use)

  • Ongoing access to production systems goes through the jump box via RDP, VNC or another remote desktop protocol such as NoMachine

Pros:

  • The only remote-access model recognized by industry content-security programs such as the MPA/TPN

  • Centralized control/provisioning by engineering

  • Strong security

Cons:

  • Requires an enterprise firewall (or dedicated VPN appliance)

  • Requires VPN licensing

  • Requires engineering expertise to set up

Do ensure:

All mobile/tablet devices:

  • Use the native device encryption built into Android/iOS

  • Authenticate with a unique PIN, passcode or biometric

All desktop/laptop systems:

  • Are dedicated to purpose (not shared with anyone)

  • Are encrypted with BitLocker (Windows) or FileVault (macOS)

  • Authenticate with a unique username and password

  • Are running effective malware protection

  • Run day-to-day as non-admin/non-root accounts, with privilege escalation (sudo/UAC) only where necessary

Do not:

  • Use portable HDDs (encrypted or otherwise) to transfer content/projects to residential environments (and non-corporate facilities)

  • Use personal devices (laptops/tablets) to directly access content/projects

  • Use open Wi-Fi networks (that require no passphrase to connect)

Do:

  • Enable 2FA on all cloud services such as G Suite and O365

  • Only use trusted Wi-Fi networks that require a passphrase to connect (WPA2 or WPA3)

  • Tether from your mobile device rather than using public Wi-Fi networks

Alternative Solutions that Require Client Approval

Services-based Remote Access

Implementation guideline:

  • Use of PCoIP protocol

  • Teradici remote host (workstation) card

  • Teradici cloud access (connector/gateway server)

  • Horizon View with VMware agent VDI implementation (hardware or software)

  • Place the connector/gateway behind a VPN or NAT rather than exposing PCoIP hosts directly to the Internet

Pros:

  • Recognized by the industry

  • Strong security

  • Assets remain on production network/systems

  • Encrypted “stream of pixels”

  • Adopts low-latency approach

  • Remote host card accommodates high-performance workflows

Cons:

  • Licensing costs apply

  • Hardware costs (if using remote host card) apply

  • Hardware requirements (servers, can be virtual) apply

  • Engineering expertise required to set up

Host-based Remote Access

Implementation guideline:

  • AnyDesk/NoMachine/TeamViewer/HP RGS

  • Must be centrally managed (and enterprise licensed)

  • Must adopt 2FA, hard or soft tokens

  • Accounts must be tied to corporate email (not free/personal accounts)

  • Applies the same bastion host (jump box) model as with VPN

Pros:

  • Straightforward to implement

  • No hardware required

  • Encrypted

Cons:

  • Easy to compromise (by accident or intent), e.g. through unattended-access settings or weak passwords

  • Lack of control and visibility for business/engineering

  • Not the strongest security implementation

Cloud-based Workflow

Implementation guideline:

  • AWS/Azure

  • Not remote access in the traditional sense: the production workstation itself lives in the cloud

  • Production workstations are “spun up” as required

  • Assets/content are ingested directly into the cloud and never leave it