With a remote workforce, endpoints generate far more data, and far more of it leaves your premises. Intellectual property (IP), financial data and personnel data are the data sets that most need securing. What do you do? It is an open-ended question, but I want to lean in on it in the context of implementing security and protecting your data for continued operations during a crisis with a nearly 100% remote workforce, as we adjust to a rapidly evolving new normal for managing IT environments.
Maybe your IT organization is like Quantum’s in that you had a head start and were prepared to weather this storm because you had already established a business strategy that let employees work remotely as part of normal operations. If you did not have a head start, that is understandable, and you are now in reactive mode. Nobody was fully ready for a crisis like this; nonetheless, preparedness is key. A remote workforce that is cost-effective, secure, reliable and resilient takes time to develop and roll out, as you prioritize the hardware and software requirements within your infrastructure. Here are a few key insights from our own Quantum IT.
Enterprise Applications in the Cloud
At Quantum, every employee is issued a portable computer, either a Windows-based laptop or a MacBook, depending on the needs of the user. We also use SaaS solutions such as Microsoft 365, which gives us collaboration tools like Microsoft Teams and Exchange Online as well as business productivity tools, either online or installed on the laptop. Other enterprise applications of ours are also SaaS-based, meaning they are accessible from anywhere over the internet; our CRM (Salesforce.com) is one example. Leveraging the public cloud in this way is a cost-effective way to enable a remote workforce effectively and efficiently.
Protection – Encryption
You’ve heard the saying: “Safety First.” In the digital era that statement has never mattered more than it does today. It begins with a secured foundation at the server level (normally at the core). If your foundation is weak, the rest of your endpoints will probably inherit the same weak structure. Do not take shortcuts; where possible, leverage solutions such as:
Data encryption at rest and in transit. In transit, web traffic should always be sent over HTTPS (TLS), never plain HTTP. At rest, look at the various encryption models: client-side, server-side with service-managed keys, and server-side with customer-managed keys. Also consider a key vault service such as Azure Key Vault to store keys securely, separate from the data they protect.
Client-side encryption is performed outside of Azure. It includes:
- Data encrypted by an application that is running in the customer’s datacenter or by a service application.
- Data that is already encrypted when it is received by Azure.
With client-side encryption, the cloud service provider never has access to the encryption keys and cannot decrypt the data. You maintain complete control of the keys, which also means you own their backup, rotation and access control: a lost key makes the data unrecoverable, and the provider cannot help.
The three server-side encryption models offer different key management characteristics, which you can choose according to your requirements:
- Service-managed keys: Provides a combination of control and convenience with low overhead.
- Customer-managed keys: Gives you control over the keys, including Bring Your Own Keys (BYOK) support, or allows you to generate new ones.
- Service-managed keys in customer-controlled hardware: Enables you to manage keys in your own repository, outside of Microsoft’s control. This model is called Host Your Own Key (HYOK). However, configuration is complex, and most Azure services do not support it.
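The client-side model above is easiest to see in code. The following Go program is an added example written for this page, not Quantum’s or Microsoft’s code: it implements envelope encryption with AES-256-GCM from the Go standard library. The data is encrypted under a fresh data encryption key (DEK), the DEK is wrapped under a key encryption key (KEK) that the customer holds, and only the ciphertext plus the wrapped DEK is handed to the provider. The KEK here is a fixed in-memory value standing in for a key held in a vault or HSM, and the key names, object name and sample record are invented for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Envelope is everything handed to the cloud provider: the data ciphertext plus the
// data encryption key (DEK) wrapped under the customer's key encryption key (KEK).
type Envelope struct {
	KeyID      string // name/version of the KEK that wrapped the DEK (e.g. a vault key)
	ObjectName string // storage name the ciphertext is bound to via GCM additional data
	WrapNonce  []byte
	WrappedDEK []byte // DEK encrypted under the KEK (AES-256-GCM)
	Nonce      []byte
	Ciphertext []byte // data encrypted under the DEK (AES-256-GCM, tag appended)
}

// aes256GCM rejects anything but a 256-bit key so a short key cannot downgrade the scheme.
func aes256GCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("key must be 32 bytes, got %d", len(key))
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts under a fresh random nonce; aad is authenticated, not encrypted.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := aes256GCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := aes256GCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt: a fresh DEK protects the data, the customer-held KEK protects the DEK.
func Encrypt(kek []byte, keyID, objectName string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	nonce, ct, err := seal(dek, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, []byte(keyID))
	if err != nil {
		return nil, err
	}
	return &Envelope{keyID, objectName, wrapNonce, wrapped, nonce, ct}, nil
}

// Decrypt fails at step one without the KEK (the provider's position) and at step
// two if the ciphertext was tampered with or moved to another object name.
func Decrypt(kek []byte, env *Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrapNonce, env.WrappedDEK, []byte(env.KeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK with %s: %w", env.KeyID, err)
	}
	return open(dek, env.Nonce, env.Ciphertext, []byte(env.ObjectName))
}

// RotateKEK re-wraps the DEK under a new KEK without touching the data ciphertext.
func RotateKEK(oldKEK, newKEK []byte, newKeyID string, env *Envelope) (*Envelope, error) {
	dek, err := open(oldKEK, env.WrapNonce, env.WrappedDEK, []byte(env.KeyID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK with %s: %w", env.KeyID, err)
	}
	wrapNonce, wrapped, err := seal(newKEK, dek, []byte(newKeyID))
	if err != nil {
		return nil, err
	}
	rotated := *env
	rotated.KeyID, rotated.WrapNonce, rotated.WrappedDEK = newKeyID, wrapNonce, wrapped
	return &rotated, nil
}

func main() {
	kek := []byte("0123456789abcdef0123456789abcdef") // stand-in for a vault/HSM-held key
	env, _ := Encrypt(kek, "vault-key-v1", "hr/payroll.csv", []byte("constructed sample record"))
	fmt.Println(Decrypt([]byte("ffffffffffffffffffffffffffffffff"), env)) // provider's view: error
}
```

Run it with go run. Decrypt fails for anyone who holds only the Envelope, and RotateKEK shows why customer-managed key rotation is cheap: only the small wrapped DEK is re-encrypted, never the data. The flip side of owning the KEK is owning its backup; every envelope wrapped under a lost KEK is gone for good.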
IDC research shows that 93% of organizations have been attacked within the past three years (source: https://dl.acronis.com/u/rc/WP_IDC_Acronis_Cyber_Protection_EN-US_200403.pdf ). It is time to tighten the integration of data protection, disaster recovery and data security operations within the cybersecurity strategy, and to treat backups as part of your cybersecurity approach rather than a separate silo. Ransomware and other malware are prevalent, and plenty more threats, some engineered with AI capabilities, are aimed at your datacenter. Whatever cyber-security software, backup medium (flash, SSD, HDD, tape) or environment (physical, virtual, multi-cloud) you choose, the goal is to integrate what used to be silos and build a resilient IT operation.
Availability & Resiliency
Because of an enterprise’s global reach, systems and applications need to be ready and available 24/7. Backup applications need to be efficient and predictable across multiple platforms. Any disruption, whether natural, man-made or cyber, is disruptive to an IT environment; a resilient system is key to recovering quickly and efficiently, withstanding unforeseen events and ensuring data is secure and available at any moment in time. Employ a backup method that enables replication to a DR site or cloud provider, using an on-prem, cloud or hybrid approach to backup. Our current global situation has reset many priorities, and all these topics are now top of mind.
As the threat to businesses continues, many organizations have turned to VDI to rapidly deploy virtual desktop infrastructure and enable a mobile workforce that can be as productive as if it were in the office. Virtual desktop infrastructure (VDI) is the hosting of desktop environments on a central server. In other words, it is like having a structured office available on demand that gives you access to data and applications, while shifting the compute cost from the endpoint to the datacenter (if on premises) or the cloud. To us, this is a very cost-effective solution that keeps the data centralized and off endpoints, which are more susceptible to data loss. One of the cool things about VDI is that break/fix becomes a lot easier, because you can quickly “spin up” a new desktop for a user if their current desktop becomes corrupt. It also makes patch management and OS updates easier, since everything is centrally managed, i.e. lower administrative overhead.
An important part of the equation is flexibility. Whatever strategy you choose to meet your organization’s business goals, in this case an effective and secure remote workforce for business continuity (BC), your solution should be flexible enough to adjust as needed to the demands of current and future national or global events that can affect your datacenter. The current global crisis is a good example of how quickly organizations learned whether they were ahead of or behind the curve. Technology by itself cannot meet the need; it must be paired with a strategy to mitigate the risks of crisis-type events and of ordinary business continuity.
It has never been more important to back up data regularly. With ransomware getting more sophisticated, we need to adapt and build IT environments that expect (and withstand) an attack. For some strains there are, as far as we know, no decryption tools available, so you must have an alternative way to recover your data. That means backup copies the attacker cannot reach from a compromised endpoint or server (offline, immutable or otherwise isolated) and restores that are tested, not just scheduled. Let’s remember that criminals are relying less on mass campaigns and more on remote access; exposed Remote Desktop Protocol (RDP) was the most used entry vector.
In our new normal, we hope our insight provides some guidance on building, securing and protecting your data, your remote workforce and your network, and helps you build solid business continuity plans… no matter what disaster comes your way. Check out our QonQ business continuity webinar here.