
Fern Sianglam, March 16th, 2020
[RE]DESIGN is taking proactive measures to enable our clients to prioritize the health and wellness of the community while maintaining productivity and minimizing business risk. Here are several methodologies for your consideration as you look to adopt a virtual workforce.
Virtual Workforce Solutions
Network-based Remote Access
Remote access VPN with your firewall or OpenSSL, provided only to authorized personnel with a business need.
Implementation guideline:
AES 256-bit
2FA or greater, hard or soft tokens
Dedicated landing subnet
Unique (per-person) credentials, ideally directory-bound (Active Directory)
Adopt inactivity disconnection after 20 minutes
Operational guidelines:
Alerting to management for successful/failed logins
Weekly review of VPN activity
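An added example (not part of the original guidance) of the two operational guidelines above: a small review script run over constructed VPN authentication log lines in an assumed generic syslog-like format, producing the per-user weekly summary and raising an alert when an account accumulates a burst of failed logins.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample VPN authentication log in an assumed generic syslog-like
# format (not any particular firewall or VPN vendor's real format).
SAMPLE_LOG = """\
2020-03-16T08:01:12Z vpn auth user=alice result=success src=203.0.113.10
2020-03-16T08:03:45Z vpn auth user=bob result=failure src=198.51.100.7
2020-03-16T08:03:51Z vpn auth user=bob result=failure src=198.51.100.7
2020-03-16T08:04:02Z vpn auth user=bob result=failure src=198.51.100.7
2020-03-16T08:04:20Z vpn auth user=bob result=failure src=198.51.100.7
2020-03-16T08:05:00Z vpn auth user=bob result=success src=198.51.100.7
2020-03-17T09:15:30Z vpn auth user=carol result=success src=192.0.2.44
2020-03-20T22:10:00Z vpn auth user=alice result=failure src=203.0.113.99
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) vpn auth user=(?P<user>\S+) result=(?P<result>success|failure) src=(?P<src>\S+)$")

def parse_events(text):
    """Parse log lines into event dicts; lines not matching the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append({"ts": ts, "user": m["user"], "result": m["result"], "src": m["src"]})
    return events

def weekly_summary(events):
    """Per-user success/failure counts and distinct source IPs for the weekly review."""
    summary = defaultdict(lambda: {"success": 0, "failure": 0, "sources": set()})
    for e in events:
        summary[e["user"]][e["result"]] += 1
        summary[e["user"]]["sources"].add(e["src"])
    return {u: {**v, "sources": sorted(v["sources"])} for u, v in summary.items()}

def failed_login_alerts(events, threshold=3, window=timedelta(minutes=5)):
    """Alert once per burst when a user reaches `threshold` failures inside `window`."""
    alerts, recent = [], defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["result"] != "failure":
            continue
        times = recent[e["user"]]
        times.append(e["ts"])
        while times and e["ts"] - times[0] > window:  # slide the window forward
            times.pop(0)
        if len(times) >= threshold:
            alerts.append((e["user"], e["ts"].isoformat(), len(times)))
            times.clear()  # report each burst once, not on every further failure
    return alerts
```

Call `weekly_summary(parse_events(SAMPLE_LOG))` for the per-user table and `failed_login_alerts(parse_events(SAMPLE_LOG))` for the burst alerts; on the constructed sample only bob's four rapid failures trigger an alert, while alice's single failure from a new source appears in the summary for the weekly review.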
Production network/system access:
Adopt bastion host model (jump box)
The jump box should be in a service (or dedicated) VLAN
Jump box authentication should use credentials different from the VPN credentials (if AD is not in use)
Ongoing access to production systems should use RDP/VNC or another type of remote desktop such as NoMachine
PROs:
The only industry-recognized solution, including by the MPA and TPN
Centralized control/provisioning by engineering
Strong security
CONs:
Requirement for enterprise firewall (or VPN device)
Requirement for VPN licensing
Engineering expertise to set up
Do ensure:
All mobile/tablet devices:
Use native encryption for Android/iPhone
Authenticate with unique PIN/biometrics/passcode
All desktop/laptop systems:
Are dedicated to purpose (not shared with anyone)
Are encrypted with BitLocker/FileVault
Authenticate with unique username/password
Are running effective malware protection
Use non-admin/non-root accounts, with privilege escalation where necessary
Do not:
Use portable HDDs (encrypted or otherwise) to transfer content/projects to residential environments (or other non-corporate facilities)
Use personal devices (laptops/tablets) to directly access content/projects
Use open Wi-Fi networks (that require no passphrase to connect)
Consider:
Enabling 2FA on all cloud services such as G Suite and O365
Only using trusted Wi-Fi networks that require a passphrase to connect (WPA2)
Tethering from your mobile device rather than public Wi-Fi networks
Alternative Solutions that Require Client Approval
Services-based Remote Access
Implementation guideline:
Use of PCoIP protocol
Teradici remote host (workstation) card
Teradici cloud access (connector/gateway server)
Horizon View (VMware) with agent-based VDI implementation (hardware or software)
Consider implementing the gateway through a VPN or NAT
PROs:
Recognized by the industry
Strong security
Assets remain on production network/systems
Encrypted “stream of pixels”
Adopts a low-latency approach
Remote host card accommodates high-performance workflows
CONs:
Licensing costs apply
Hardware costs (if using remote host card) apply
Hardware requirements (servers, can be virtual) apply
Engineering expertise required to set up
Host-based Remote Access
Implementation guideline:
AnyDesk/NoMachine/TeamViewer/HP RGS
Must be centrally managed (and enterprise licensed)
Must adopt 2FA, hard or soft tokens
Must be tied to corporate email accounts (not free/personal)
Applies the same bastion host model as with VPN
PROs:
Straightforward to implement
No hardware required
Encrypted
CONs:
Easy to compromise (by accident or intent)
Lack of control/visibility by business/engineering
Not the strongest security implementation
Cloud-based Workflow
Implementation guideline:
AWS/Azure
Not considered remote access
Production workstations are “spun up” as required
Assets/content ingested directly to the cloud