Endpoint Security Best Practices for Remote Workers

In today’s world, is the classic concept of remote workers and external users still valid? Once you’re in the cloud the network perimeter is gone, and every user is effectively their own DMZ.

So the modern approach must treat every user as external, and every device that consumes corporate resources must have dedicated security controls.

Note: This blog post gives high-level best practices for securing external users and their devices with the Microsoft 365 platform.

Introduction

Companies of all sizes are under attack; threat actors target large, medium, and small companies alike. One of the biggest problems is that smaller companies are often the more vulnerable in a cloud-connected world, and compromising a small company, or even an individual, can be the stepping stone to a larger target.

New risks arise when machines leave the office and employees work remotely, so additional policies are essential.

External users and remote workers present a unique challenge for corporate information security because external environments usually don’t have the same safeguards as a corporate office.

External users and remote workers consume corporate resources and data in several ways: from corporate devices, from personal devices, and from any place with an internet connection. Users connect from everywhere and the data travels with them, which creates many security issues.

Regardless of the endpoint used to access corporate data, one of the most important jobs of the security and admin teams is to secure that data while it is stored on and accessed by both corporate and personal endpoints.

So a few questions need to be asked:

  • Can we limit user access from an unfamiliar location?
  • Do we need to restrict external access?
  • What level of restriction do we need for external users?
  • How can we avoid security issues with external devices?
  • Do we need to manage external devices?

Alongside these, other questions need to be asked and, more importantly, answered by the information security team.

Best Practices for Remote Workers

Remote workers and external users can be employees working from a branch office, from home, or from any location that isn’t the main corporate office.

In this situation you must enforce endpoint security: guidelines, a set of policies, security restrictions, data leakage prevention, and many other measures that avoid security issues.

Below are some best practices for getting that job done, and how a company can implement them with Microsoft 365 security controls.

MFA

The first step, and part of the identity solution, is to enforce Multi-Factor Authentication (MFA) for all external users from any location. Passwordless authentication, including FIDO2 security keys, is recommended: it spares external users from typing passwords in unfamiliar places, and FIDO2 credentials are resistant to phishing.

How to – Azure AD Multi-Factor Authentication can be enforced for users and groups through a large set of policies.

Password Protection

Alongside the MFA rollout, you need password protection to prevent attacks such as password spray, brute force, and password cracking.

How to – Azure AD Password Protection blocks weak and banned passwords at the time they are set, which defends against many kinds of password attacks.
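To make the mechanism concrete, here is an added example that is not part of the original post: a simplified re-implementation in PowerShell of the evaluation Azure AD Password Protection documents (lowercase the password, undo the common 0/1/$/@ substitutions, match banned terms exactly or within one edit, then give one point per banned term and one per remaining character; a score of 5 or more is accepted). It is not Microsoft’s code, it does not include the global banned list, and the banned terms and sample passwords are constructed for the demo.

```powershell
# Added example: simplified model of Azure AD Password Protection scoring.
# Not Microsoft's code; the banned list and sample passwords are constructed.

function ConvertTo-NormalizedPassword {
    param([Parameter(Mandatory)][string]$Password)
    # Step 1: lowercase. Step 2: undo the substitutions the service documents.
    $normalized = $Password.ToLowerInvariant()
    $substitutions = @{ '0' = 'o'; '1' = 'l'; '$' = 's'; '@' = 'a' }
    foreach ($pair in $substitutions.GetEnumerator()) {
        $normalized = $normalized.Replace($pair.Key, $pair.Value)
    }
    return $normalized
}

function Get-EditDistance {
    # Levenshtein distance; the fuzzy rule accepts a banned term within one edit.
    param([string]$A, [string]$B)
    $d = New-Object 'int[,]' -ArgumentList ($A.Length + 1), ($B.Length + 1)
    for ($i = 0; $i -le $A.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $B.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $A.Length; $i++) {
        for ($j = 1; $j -le $B.Length; $j++) {
            $cost = if ($A[($i - 1)] -eq $B[($j - 1)]) { 0 } else { 1 }
            $d[$i, $j] = [Math]::Min(
                [Math]::Min($d[($i - 1), $j] + 1, $d[$i, ($j - 1)] + 1),
                $d[($i - 1), ($j - 1)] + $cost)
        }
    }
    return $d[$A.Length, $B.Length]
}

function Test-BannedPasswordScore {
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string[]]$BannedList,
        [int]$MinimumScore = 5    # Azure AD accepts a password that scores 5 or more
    )
    $norm   = ConvertTo-NormalizedPassword -Password $Password
    # Normalize the banned terms too and try the longest terms first.
    $banned = @($BannedList | ForEach-Object { ConvertTo-NormalizedPassword -Password $_ } |
                Sort-Object -Property Length -Descending)
    $score = 0; $pos = 0; $matched = @()
    while ($pos -lt $norm.Length) {
        $hit = $null
        foreach ($word in $banned) {
            # Exact length first, so a clean match is never shortened by the fuzzy rule.
            foreach ($len in $word.Length, ($word.Length + 1), ($word.Length - 1)) {
                if ($len -lt 1 -or ($pos + $len) -gt $norm.Length) { continue }
                $chunk = $norm.Substring($pos, $len)
                if ((Get-EditDistance -A $chunk -B $word) -le 1) { $hit = $chunk; break }
            }
            if ($hit) { break }
        }
        if ($hit) { $matched += $hit; $pos += $hit.Length }   # one point for the whole banned term
        else      { $pos++ }                                   # one point per remaining character
        $score++
    }
    [pscustomobject]@{
        Password   = $Password
        Normalized = $norm
        Matched    = ($matched -join ',')
        Score      = $score
        Accepted   = ($score -ge $MinimumScore)
    }
}

# Constructed custom banned list (tenant name plus one product term) and sample passwords.
$customBanned = 'contoso', 'blank'
'C0ntos0Blank12', 'ContoS0Bl@nkf9!', 'Summer2020!' | ForEach-Object {
    Test-BannedPasswordScore -Password $_ -BannedList $customBanned
} | Format-Table -AutoSize
```

The first sample scores 4 (contoso + blank + two leftover characters) and is rejected; the second scores 5 and is accepted even though it contains both banned terms. That is the point worth showing remote users: a banned word plus a couple of characters is still a weak password, and the service will refuse it no matter how it is capitalised or leet-spelled.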

Conditional Access

Before remote workers connect to corporate resources, ensure their identities and endpoints comply with your security policies, such as:

  • Access limited to specific apps
  • Access to the VPN only via MFA (using the same identity provider)
  • Sign-ins blocked from risky locations
  • Sensitive information: access to sensitive data must go through information protection

How to – Azure AD Conditional Access provides a granular platform with many rules, conditions, and policies to control access by internal and external users, devices, and apps.
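The policies in the list above, written out as an added example (not from the original post) with the Microsoft Graph PowerShell SDK. The two GUIDs are placeholders for your emergency-access account and for a named location you have defined for countries you never expect sign-ins from; the policy names are my own. The account running it needs the Conditional Access Administrator role.

```powershell
# Added example: create three Conditional Access policies with Microsoft Graph PowerShell.
# Requires: Install-Module Microsoft.Graph. GUIDs below are placeholders.

Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

$breakGlassUserId = '00000000-0000-0000-0000-000000000000'   # placeholder: emergency-access account
$riskyLocationId  = '11111111-1111-1111-1111-111111111111'   # placeholder: named location to block

# Shared scope: every user except break-glass, every cloud app, every client type.
# Always exclude the break-glass account, or a mistake in a block policy locks you out.
$everyone = @{
    clientAppTypes = @('all')
    users          = @{ includeUsers = @('All'); excludeUsers = @($breakGlassUserId) }
    applications   = @{ includeApplications = @('All') }
}

$policies = @(
    # 1. MFA for any sign-in that does not come from a location you marked as trusted.
    @{
        displayName   = 'CA001 - Require MFA outside trusted locations'
        state         = 'enabledForReportingButNotEnforced'   # report-only first; set 'enabled' after reviewing sign-in logs
        conditions    = $everyone + @{ locations = @{ includeLocations = @('All'); excludeLocations = @('AllTrusted') } }
        grantControls = @{ operator = 'OR'; builtInControls = @('mfa') }
    },
    # 2. Block the risky named location outright.
    @{
        displayName   = 'CA002 - Block sign-ins from risky locations'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $everyone + @{ locations = @{ includeLocations = @($riskyLocationId) } }
        grantControls = @{ operator = 'OR'; builtInControls = @('block') }
    },
    # 3. Only Intune-compliant or hybrid-joined devices may reach corporate apps.
    @{
        displayName   = 'CA003 - Require compliant or hybrid-joined device'
        state         = 'enabledForReportingButNotEnforced'
        conditions    = $everyone
        grantControls = @{ operator = 'OR'; builtInControls = @('compliantDevice', 'domainJoinedDevice') }
    }
)

foreach ($policy in $policies) {
    $created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
    '{0,-55} {1}  state={2}' -f $created.DisplayName, $created.Id, $created.State
}
```

All three are created in report-only mode. Let them run for a while, check the "Report-only" result in the Azure AD sign-in logs for users who would have been blocked or prompted, and only then flip `state` to `enabled`.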

Managed Device

In many situations employees need to access company resources and handle sensitive information from their own devices. Using the wrong device can lead to a security incident.

Therefore MDM must be part of the solution, to register and manage every device that works with company resources.

How to – Intune provides UEM for Windows, macOS, and smartphones. With Intune you can apply a set of policies and harden the device.

Encryption

If your data isn’t encrypted, anyone who gets hold of your phone or machine can quickly read the files on it. With encryption, accessing the data becomes very difficult or practically impossible without the key.

With Windows 10, full disk encryption means the entire drive is encrypted with a cryptographic algorithm. All the data is unreadable unless unlocked with the secret key, whether it is released by the TPM, typed by the user, or supplied by an admin as a recovery password.

How to – Once a device is managed by UEM you can apply encryption such as BitLocker; Azure AD with Intune does a good job of enforcing BitLocker on external devices and escrowing the recovery keys in Azure AD.
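As an added example, not from the original post, this is what the Intune BitLocker policy boils down to, expressed as the PowerShell you would run elevated on a single Azure AD-joined Windows 10 device. It assumes a TPM is present and that the OS drive is `$env:SystemDrive`.

```powershell
# Added example: enable BitLocker on the OS drive and escrow the recovery key to Azure AD.
# Run elevated on an Azure AD-joined Windows 10 device with a TPM.

$osDrive = $env:SystemDrive

function Get-RecoveryProtectors([string]$MountPoint) {
    (Get-BitLockerVolume -MountPoint $MountPoint).KeyProtector |
        Where-Object KeyProtectorType -eq 'RecoveryPassword'
}

# 1. A recovery password is what the helpdesk hands a locked-out user; create it first.
if (-not (Get-RecoveryProtectors $osDrive)) {
    Add-BitLockerKeyProtector -MountPoint $osDrive -RecoveryPasswordProtector | Out-Null
}

# 2. Encrypt with XTS-AES 256 and seal the key to the TPM so the user sees no extra prompt at boot.
$volume = Get-BitLockerVolume -MountPoint $osDrive
if ($volume.VolumeStatus -eq 'FullyDecrypted') {
    Enable-BitLocker -MountPoint $osDrive -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest
}

# 3. Escrow every recovery password to the device object in Azure AD, where admins can read it.
#    A recovery key that exists only on the encrypted disk is useless once the device is lost.
foreach ($protector in Get-RecoveryProtectors $osDrive) {
    BackupToAAD-BitLockerKeyProtector -MountPoint $osDrive -KeyProtectorId $protector.KeyProtectorId
}

# 4. Verify: ProtectionStatus is On once encryption has finished.
Get-BitLockerVolume -MountPoint $osDrive |
    Select-Object MountPoint, VolumeStatus, EncryptionMethod, EncryptionPercentage, ProtectionStatus
```

Two checks a practitioner wants after rollout: that the device object in Azure AD actually lists a recovery key (the escrow step fails silently if the device is not Azure AD-joined), and that `ProtectionStatus` reports On rather than just an encryption percentage.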

LAPS

LAPS is an excellent mitigation against lateral movement and privilege escalation: it forces every local Administrator account to have a unique, complex password, so an attacker who compromises one local Administrator account can’t reuse that password to move laterally to other endpoints.

How to – Yes, LAPS on an external device. LAPS is designed for on-premises, domain-joined devices, but there’s a simple way to apply the same idea to an external device running Windows 10 build 1809 and higher.
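The core of the LAPS idea, shown as an added example rather than the post’s own method: give the local Administrator account a unique random password and hand the value to the caller so a deployment script (for instance one pushed by Intune) can escrow it. The account name, password length, and the idea of escrowing to a secret store are assumptions; only built-in Windows PowerShell cmdlets are used.

```powershell
# Added example: LAPS-style rotation of a local administrator password with built-in cmdlets.
# Run elevated. The secret must be escrowed by the caller; never write it to a log or disk.

function New-RandomPassword {
    param([int]$Length = 24)
    # 64 symbols; ambiguous ones (I, O, l, 0, 1) left out so helpdesk can read them aloud.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%&*+-'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] ($Length * 4)
    $rng.GetBytes($bytes)
    $chars = for ($i = 0; $i -lt $Length; $i++) {
        # 4 random bytes per symbol; 2^32 is a multiple of 64, so the modulo adds no bias.
        $value = [BitConverter]::ToUInt32($bytes, $i * 4)
        $alphabet[[int]($value % $alphabet.Length)]
    }
    return (-join $chars)
}

function Set-LocalAdminPassword {
    param(
        [string]$AccountName = 'Administrator',   # assumption: the built-in account is the one managed
        [int]$Length = 24
    )
    # Fail early if the account does not exist on this device.
    Get-LocalUser -Name $AccountName -ErrorAction Stop | Out-Null

    $plain  = New-RandomPassword -Length $Length
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    # Rotation is driven by this script, so the local expiry policy must not interfere.
    Set-LocalUser -Name $AccountName -Password $secure -PasswordNeverExpires $true

    # Whether the account is enabled at all is a separate decision; this only rotates the secret.
    [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Account   = $AccountName
        Password  = $plain
        RotatedAt = (Get-Date).ToUniversalTime().ToString('o')
    }
}

# Usage (elevated): pipe the object straight into your escrow, e.g. an Azure Key Vault secret
# named after the device. Do not leave it in Intune script output, which is logged.
# Set-LocalAdminPassword | ConvertTo-Json
```

What makes this LAPS-like is not the password generator but the contract around it: one password per device, rotated on a schedule, readable by the helpdesk only from the escrow, and never reused across endpoints. If you cannot answer where the password is stored and who can read it, the rotation alone does not buy you much.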

Information Protection

Control and help secure email, documents, and sensitive data that you share outside your company walls. This includes Windows Information Protection in Windows 10, which protects local data at rest on endpoint devices and controls which managed apps can access and save that data.

When users travel, confidential data goes with them, and wherever that data is stored it must be protected against unauthorized access, particularly if a device is lost or stolen.

How to – There are a few options. The first is to apply information protection to email and files with Azure Information Protection. The second is to protect data on the endpoint itself with Intune and Windows Information Protection.

Practice the principle of least privilege

Grant only the permissions users need to carry out their activities, and only for as long as they need them. Restricting users to the minimum rights required by their tasks significantly reduces the attack surface of the remote workforce.

How to – Azure AD Privileged Identity Management (PIM) and Privileged Access Management (PAM) in Office 365 together provide a robust set of controls for protecting privileged access to your corporate data.

Secure Apps

Sandbox your enterprise applications so that corporate data can’t be accessed by other, possibly malicious, apps installed on users’ devices. Sandboxing stops corporate data from leaking into unmanaged apps.

How to – Mobile Application Management (MAM) protects an organization’s data within the application itself. With MAM without enrollment (MAM-WE), a work or school app that contains sensitive data can be managed on almost any device without enrolling the device.

Secure remote connection

Any corporate resource on the internal network should be accessed through a secure VPN connection, with authentication handled by the identity provider and an SSO app in front of the VPN.

Security tasks

Enterprises should manage endpoints and keep them secure both when they’re on the network and when they’re away from it. Expecting end users to connect to the VPN and apply patches or security policies on their own is unrealistic. Endpoint management and security tasks should therefore be automated so that your IT team is not overwhelmed.

How to – Intune includes many options for applying policies, such as security baselines and configuration policies, and for restricting connectivity through an SSO VPN with Azure AD.

Patch your endpoints

Keep operating systems and applications up to date to stop the exploitation of known vulnerabilities. Patching should happen whether endpoints are connected to the corporate network or not. An automation strategy lets remote and local endpoints be updated without relying on individual employees, so that all endpoints, including PCs, Macs, tablets, and mobile devices, remain secure and compliant.

How to – Intune lets you manage computers and control many settings; Windows Update management is one of the essential options for a secure and reliable working environment.

Awareness

Implementing more security policies reduces users’ privacy on their devices, which makes awareness even more important. Educate remote workers about using strong passwords, the basics of social engineering attacks, and your company’s security policies overall.

In conclusion

For most companies, external users and remote workers are an unavoidable fact of life. The upside is that employees are often more satisfied and teams more efficient.

The downside is that security is often compromised by poorly managed endpoints. But as we’ve seen, with a few best practices you can mitigate the threats posed by remote workers’ endpoints and significantly improve your overall network and data security.

So working from home is like…