Work-from-home security: Managing remote network access

Work-from-home (WFH) arrangements between employer and employee have become commonplace in today’s workforce. Although the technology to enable workers to work remotely has existed for several years, it wasn’t until the confluence of a global pandemic and mandated stay-at-home government policies that working remotely became truly mainstream.

Before the global shift to working from home, workplace IT security was mainly a centralized concern. Security engineers could oversee their perimeter: securing a contained environment of company-tagged assets on a company network, physically separated and firewalled from the internet. Today, however, with more and more employees working remotely full- or part-time, the workplace landscape needs to allow remote users to connect to an organization’s network from anywhere, and it needs to support hybrid use of company and personal assets.

This article discusses work from home security and how IT administrators can manage remote access and its risks. You’ll learn about virtual private networks (VPNs), how they are used to create a remote work network, and how they connect your employees when they’re away from the office. We’ll discuss the difference between Remote Desktop Protocol (RDP) and VPNs, and also highlight why VPNs are better for security when it comes to remote work. Finally, we’ll cover some ideal characteristics of a secure VPN along with the responsibilities that the VPN vendor, your organization, and your employees have in making working from home safe and secure.

Working remotely with a VPN and how to access a work network from home

A VPN is a service that creates a secure tunnel between a device and an internet destination. For businesses, VPNs give employees access to the organization’s network, allowing them to securely interact with company resources from anywhere. Using a VPN, employees can safely connect to the company network from a public network.

Working remotely: VPN or RDP?

IT infrastructure needs to connect staff with the company resources they need. To achieve this, most administrators either deploy a VPN or set up Remote Desktop Protocol (RDP).

As mentioned, a VPN gives you a secure private tunnel between a device and a private network, so that device can safely interact with internal resources. By contrast, RDP lets a user remotely drive a company computer, forwarding that computer’s screen to the user’s device and responding to the user’s cursor movements and keystrokes. This company computer is under an administrator’s control, so they can manage the OS, install applications, and customize the feel for users accessing the RDP device.

If you’d like your staff to perform workloads on a device, you can install the work application onto the RDP device, and any user that accesses it will be able to use the software. By contrast, a VPN can be used from any device, requiring the same software to be installed separately on each device.

Because you have more control over software and can manage the system centrally, RDP can be more flexible than a VPN. However, when it comes to security, the isolation and access granularity of a modern VPN provides better security properties overall. With a VPN, all software runs on the user’s device, so any compromise is contained to a single user and their access. The compromise of an RDP device, on the other hand, means the compromise of all resources accessible from that machine and all users connected to the device — a much larger blast radius.

While free and low-cost versions of VPNs exist, they typically lack fine-grained access controls and an ability to scale, both of which are essential characteristics in an enterprise deployment.

Choosing a VPN for secure remote network access

As a business, you want your WFH employees to work securely, be productive, and have support should infrastructure go offline. However, choosing a secure VPN is not always easy. Here’s a list of characteristics that make a good VPN:

• Security and encryption: A VPN should provide a robustly encrypted network. Tailscale’s point-to-point connections are encrypted using the open source WireGuard® protocol, meaning only devices on your private network can communicate with each other, and all traffic is secured with robust, modern cryptography.
• Access controls: Modern VPNs monitor network traffic traversing the VPN and make sure that users may only access permitted resources. Specifying access control configuration is an essential step to isolate components of your network and improve security.
• Audit logging: Storing logs provides businesses with a record of actions taken by software applications, allowing administrators to understand how resources are being used and to investigate any potential misuse. Different VPN solutions specify different levels of logging. Some have a no-log policy, and some have aggregated or de-identified data. Typically, having an audit capability is essential in an enterprise setting.
• Support: VPN deployments are typically critical infrastructure, because their availability is essential for anyone working remotely to access the resources they need. As such, it’s important to have a strong support story for both your users and infrastructure.
• High speed: The main objective of a VPN is to provide a secure connection to the internet; nevertheless, you don’t want to compromise on speed. Traditional (gateway-based) VPNs can result in high latency when users or resources are physically distant from the VPN infrastructure. Tailscale has found a solution for this problem using mesh routing, which uses a peer-to-peer network instead of a traditional central gateway server. This reduces latency because all peers can connect to each other instead of a central location.
• Multi-factor authentication (MFA): MFA involves requiring an additional authentication factor (such as needing a security key present or requiring a rolling code to be entered) for a user to authenticate. MFA provides substantially better security properties for an organization, because it reduces reliance on passwords which may be lost, stolen, cracked, or otherwise compromised. Using a VPN that supports MFA is essential in combating modern adversaries, and is particularly effective against credential phishing.
• Number of simultaneous users/connections: Your chosen VPN should support an adequate number of simultaneous connections. If you have many employees working from home, you will need a VPN that can scale bandwidth to support your users’ workloads.

What support do WFH employees need to use a VPN?

When workers are using a VPN, they rely on it for access to most, if not all, company resources. It’s important that they have adequate support so their effectiveness is not compromised. While VPN services themselves bear a great deal of the responsibility in providing this support, there are also measures you can take at the organizational level to ensure your employees are using your chosen VPN as intended, and have timely access to assistance when needed.

How companies can support WFH employees

As with any deployment of a secure network, the connection is only as secure as its weakest link. Even with the most secure VPN in the world, your network can be compromised by an employee sharing their VPN-protected device or credentials. As such, it’s important to provide employees with proper training on appropriate use and security best practices. This training may include educational resources on what a VPN is and how it does and does not protect them, as well as common attacks to watch out for.

Your employees may sometimes encounter issues with a VPN that isn’t covered by training. In this case, good documentation can help employees self-service their problems. Your documentation should be updated over time as employees encounter common issues to build up a library of knowledge. VPN vendor forums are also a great resource on VPN usage.

VPN features that ease deployment

As something that nearly every employee uses, a VPN should be easy to install and easy to administer. Tailscale provides a VPN that’s easy to set up and easy to use. Since the VPN uses a coordination server in the cloud, it’s always on, making it easier for IT admins to manage the VPN.

The ability to work from anywhere is essential in a WFH environment. To support this, VPNs need multi-device support and the ability to function from almost any network. A VPN should also be able to enable remote work without the need for a physical device.

Network access controls and role-based access controls are important to ensure that employees are given the right access to the right places. The principle of least privilege states that employees should only be given the minimum level of access they need to complete a task. Using access control lists can help your IT admins govern who can access which part of the network.

Risks of WFH

WFH employees are exposed to the same risks that are present in the workplace. However, there’s less organizational oversight regarding employee usage of the equipment and the physical security of a home work location. Next, you’ll learn more about the risks of deploying a VPN for your WFH employees, as well as some broader security risks associated with WFH to look out for.

Dangers of using a VPN

Employees leaving the office to work at an unsecured home location presents a sizable opportunity for cybercriminals; without the right protections, employees with access to sensitive company information can become easy targets. Employees using personal devices to send and retrieve information means that hacking a personal device has a higher value proposition.

Phishing is the practice of contacting a user, impersonating a trusted company or person, and asking for information. With so many people using VPNs, cybercriminals are frequently requesting VPN credentials to gain access to company networks, underscoring the need for MFA support in modern VPNs.

Insecure cybersecurity behaviors of employees can compromise a network. If malware exists on a home device in a file or folder, the malware can make its way onto the private network if files are transferred through the VPN. Furthermore, any malware running on a compromised user’s device could gain access to resources accessible to the VPN.

Broader risks of WFH

In addition to those mentioned above, there are broader risks introduced when employees work remotely. Your WFH employees may be working from unsecured locations. These locations may be public or shared with unauthorized users such as family members. It’s prudent to institute policies around accessing corporate resources in shared settings, as well as to establish a baseline of technical controls (such as establishing a screen lock timeout or mandating the device be encrypted).

Conclusion

With WFH having grown in popularity across the world, IT security admins are now faced with the challenge of securing a decentralized workforce. This article has given you an introduction to VPNs and highlighted their benefits. However, an organization’s security posture is about more than just a VPN: The implementation of MFA, the creation of solid access controls, the maintenance of infrastructure, and user behavior all contribute to maintaining a secure network. Finally, the VPN must be scalable, have low latency, and provide a secure connection to properly support remote users.

Built on top of the WireGuard protocol, Tailscale is a VPN designed for enterprise use. It combines high security with low latency thanks to its peer-to-peer mesh network, and it supports essential capabilities like MFA, audit logging, and tight access control. Download Tailscale to get started.