Dr. Strangenet—or, how I stopped worrying and embraced the WFH IT apocalypse

We all work from home now. We are the cloud.
Enlarge / We all work from home now. We are the cloud.
Aurich Lawson / Getty Images

We are now a solid two quarters into our new work-from-home bizarro world. Many companies found themselves in a bit of a pickle as workforces went from occasional or limited to everyone all-the-time, throwing up whatever they could provision to allow for remote access and continued productivity (or at least some semblance of it).

We’re well past the emergency stage, folks. For many of us, this will be ongoing and potentially permanent. And the way we do business will have to change—including how we structure our IT operations.

Who is your daddy, and what does his computer do?

This became extremely clear to me after a conversation with a friend, a line-of-business lead who has been working from home for the past few months. His company was semi-ready for remote work, having moved many employees over to Windows Terminal for desktops a while back. But he personally hadn’t transitioned, because much of his work involved a database running on his corporate desktop—on Microsoft Access.

This <a href="https://arstechnica.com/information-technology/2020/10/future-of-collaboration-02/">business cat</a> is making the same face most IT professionals make when they hear the words "Microsoft Access."
Enlarge / This business cat is making the same face most IT professionals make when they hear the words “Microsoft Access.”
GK Hart / Vikki Hart / Getty

So he was connecting into his own work desktop via Microsoft Remote Desktop Protocol rather than the Terminal Server hosting everyone else’s remote desktops. Fortunately, there was a virtual private network guarding his connection to the corporate network. But let’s just say the performance of his Remote Desktop Protocol session on the desktop in his cubicle at corporate was sub-optimal.

His is not a unique experience. And there have been many home workers who have used even more precarious means to continue to work from home—the vulnerability search engine Shodan recorded a spike in the number of RDP servers exposed directly to the Internet in the weeks following the start of lock-downs worldwide.

In fact, a recent check found over four million RDP hosts directly exposed to the Internet—and over a million of them in the US. That’s a huge pool of potential vulnerabilities, as ransomware operators have consistently targeted Internet-facing RDP in major attacks this year. These aren’t, on the whole, systems running within corporate networks; over a quarter were running in cloud environments. But many of the cloud instances were likely gateways to access corporate systems.

We’ve passed the days long ago when organizations could completely protect themselves by only focusing on the network perimeter. But to adjust to truly distributed operations—with people working remotely as a norm—a few things are going to have to change. IT resources have to be configured to support remote work at a level that is at least comparable to that of in-office networks in terms of application performance, availability, and security. We need to turn IT architecture inside-out.

Instead of starting from an assumption of having a trusted network, organizations are going to have to figure out how to operate without trusting the network at all—what has come to be called the Zero Trust Model. For bigger companies already operating large distributed IT operations, this may mean some significant but not overwhelming changes. For smaller organizations, it’s going to flip the table on how they’ve done IT before.

The perimeter is dead

The rise of working from home en masse has accelerated the need for redefining how organizations secure their applications and data. Forget the network; the whole Internet is the network now, and every endpoint is a potential security risk. It’s no longer possible to stop everything at the firewall, or protect against attacks with just anti-virus software on desktops. So it’s not just an assumption that attackers are inside the network all the time. No device (or user) should be trusted just based on location to begin with, and that includes those that come into the network via VPN.

Artist's impression of the attacker already inside your network.
Enlarge / Artist’s impression of the attacker already inside your network.
iStock / Getty Images Plus

When you had a small subset of people working from home or remotely, virtual private network connections offered a way to give them access to resources on corporate systems. But VPNs—at least as most companies use them today—are not a long-term solution for the distributed workplace. Having everyone have to connect to the physical office network to get work done requires a whole new level of networking infrastructure.

And as has been demonstrated repeatedly over the past year, VPNs that don’t get timely and proper software maintenance can be a very dangerous thing—the Pulse Secure and Citrix vulnerabilities that persisted for months (and, unfortunately, still exist on some companies’ networks) acted as welcome mats for ransomware attacks against a number of unlucky companies even before the big work-from-home push got underway.

There are some basic steps that can be taken to make VPNs less vulnerable, and most of them are things you should have already been doing—multifactor authentication being chief among them. But there’s a more important reason to adopt multifactor authentication: as part of a zero-trust friendly identity system that ties together what’s inside the corporate domain with the growing portion of stuff that isn’t.

https://arstechnica.com/?p=1716956