A guide to IT infrastructure amid COVID-19

The COVID-19 outbreak has forced many businesses to change the way they carry out their day-to-day operations. Many have implemented a remote workforce strategy with varying degrees of success. Few have transitioned smoothly, others have gone about it sub-optimally, and yet some others are still struggling to make it happen.

Even highly sophisticated businesses have been caught off guard by these unusual and unforeseen circumstances — circumstances normally not accounted for in standard business continuity planning. Why? Because in many cases, it’s not as simple as just asking staff to take their laptops home. And it’s hard to keep track of the myriad things to consider when you’re busy in the trenches.

Shifting to a remote workforce, either temporarily or long term, requires a strategy that includes IT infrastructure and operations aspects. These guidelines can be used as validation for what you’ve already done or as a playbook to get started.

The use of cloud technology is very prevalent today. Many business-line applications, as well as collaboration and communication tools (voice, email, instant messaging, etc.) are offered under a cloud-first model, meaning a cloud-based deployment is the default scenario.

If all your applications and data are available via a cloud-based software as a service (SaaS) model, as is the case for Microsoft 365 or G-suite, any staff member with an internet connection at home will be able to access them.

However, most businesses have at least a few applications or data still residing in their on-premise environment, that is, in their own data center or equipment room, or in a private cloud or hosted environment (a data center owned by somebody else). These are normally accessed from the “corporate” network at the business’s facilities or offices, and thus some measures need to be taken to allow remote access.

Remote access to on-premise and private clouds is usually accomplished with virtual private network (VPN) technologies, which connect the user’s device to a physical or virtual VPN concentrator or firewall instance in the organization’s network. For this, consider whether your VPN solution has the necessary licenses and bandwidth to support the number of remote users and the quantity of concurrent connections required.

End users need a computing device to access the applications and data. The device can be the organization-provided laptop or desktop. In some instances, it can be a provided mobile device, such as a tablet or smartphone.

Regardless of the type, these devices need connectivity (internet access) to communicate with the applications and data. If your employees have an organization-provided device and a home Wi-Fi network, you can skip to the next point.

However, if staff don’t have access to an organization-provided computing device at home, it may be possible to implement a bring-your-own-device (BYOD) policy to allow staff to use their personal devices for certain work purposes. Such a policy requires the security controls described below to be even more strictly enforced.

If staff lack adequate internet access at home, consider providing them with wireless modems or hotspots. Alternatively, data allowances can be added to mobile phones, which can then be used as hotspots, providing Wi-Fi access to other devices (such as laptops and tablets).

Note that employees working remotely will still need IT support. Service desk (help desk) staff can use a remote access tool to remotely access the staff member’s device and aid in resolving issues.

Organizations need to safeguard their applications and data from unauthorized access. External attacks from hackers can hold the organization hostage for ransom (ransomware attack), and internal attacks can also affect your organization, like staff performing tasks they aren’t allowed to or accessing information they shouldn’t see, for personal benefit or with malicious intentions.

It’s essential that you allow access only to authorized individuals (authentication), and that such individuals have limited privileges (authorization) to perform only functions specified in their roles and responsibilities. There are many solutions available, like identity and access management (IAM) and mobile device management (MDM) solutions, that are tied to the organization’s on-premise or cloud-based directory service (e.g., Microsoft’s Active Directory or Azure AD).

Some of the functionality you should consider in these solutions includes single-sign-on (SSO) and multi-factor authentication (MFA).

Social distancing applies to devices, too. If a device’s security is compromised, it can’t be allowed into the network where your applications and data reside. Devices must be quarantined until they’re cured, which normally involves running antivirus software on them (severe cases may require additional actions). Also, much like individuals that have a weak immune system, devices can’t be allowed into the network until they have all the necessary protections, usually in the form of security updates and patches.

Validating security posture before granting any device access to the corporate network is necessary. Do they have the latest anti-virus installed? Do they have the latest operating system security updates? Are there any unresolved security alerts? Only after verifying and resolving those conditions should the devices be trusted to access the organization’s applications and data.

Solutions to accomplish this can be tied to the user identity verification or standalone appliances, commonly referred to as network access control (NAC) solutions. Such granular control allows enforcement of more strict security policies and facilitates detection of abnormal behavior.

Remote staff present additional challenges to safeguarding sensitive information. It’s important to monitor actions to confirm that staff are only accessing applications and data that they’re authorized to use.

Monitoring should be conducted in real-time with automated alerts when someone tries to access restricted information and incident response actions if the information is successfully accessed. The one responsible for monitoring should also log events to trace actions for audit or data privacy compliance purposes.

Many different tools can accomplish this functionality, and are most commonly referred to as security information and event management (SIEM) solutions.

Happier team = better work. It’s a win/win for everyone.

Follow Plow Networks: Twitter, LinkedIn, Facebook, and Instagram