AWS Startups Blog

Remote Work Rises: A Checklist for Secure Networks on AWS

Guest post by Sivan Tehila, Director of Solution Architecture, Perimeter 81

A company that has set its sights on providing secure, fast remote access to its employees will entertain this ambition for several great reasons. If it’s like the average organization today, the company’s employees now overwhelmingly prefer to work from outside the office, and in some modern cases are even required to. Work flexibility has proven excellent for morale and therefore productivity, as well as saves money. It allows for fast geographical expansion, and a deeper talent pool to hire from. Firms currently making this transition also find it much easier than anticipated, with most of the crucial resources required for work now existing on the cloud in solutions like Amazon Web Services (AWS).

According to a recent IDC report [1] on worker productivity, “A far greater percentage of employees work remotely or from a home office today, and workgroups often span the globe. Web and video conferencing and tools such as instant messaging and instant meetings let people collaborate in real time across distance, time zones, and organizational boundaries, and mobile devices help them be productive on the go.” These devices are often connected to vital assets that reside on AWS, which serves remote employees with a fast and reliable connection to their virtual office.

Such agility allows businesses to easily build and maintain the infrastructure they need to succeed, and it’s become so advantageous that over 84%[2] of organizations now host at least one crucial function in the cloud. Of these, 33%[3] utilize AWS, and many more alongside local resources, in what’s called the hybrid cloud model. Accordingly, for the company that has incorporated the right elements for remote work, its employees are as happy and productive at home as they are at their desks. Remote work support is also crucial for business continuity planning and keeping the gears of enterprise churning even as unavoidable challenges arise.

In places like the UK and USA, the prevalence of flexible work policies runs parallel with employee preferences.[4]

A pertinent example is found in one of Perimeter 81’s largest customers, a fintech leader which operates a platform enabling companies to process and accept cross-border payments from a variety of sources. With a global presence and more than 500 people across 10 international offices, remote access is central to this customer’s strategy. Crucially, it uses AWS servers to store data, an AWS-based web environment, and Remote Desktop Protocol (RDP) to coordinate activity across branches and employees.

For this specific organization, the entire workforce went remote very quickly and hundreds of people across its international offices required secure remote application access. Thankfully, it had been a happy Perimeter 81 customer for just over two years, and preparing for the inundation of remote workers was simply a matter of ticking a few boxes. Perimeter 81 provides policy-based agentless access for its applications and ensures access is authorized and secured with Okta, its preferred Identity Provider. Despite having so many employees dispersed across the globe and working from remote networks, the customer ensured secure access to critical AWS-based applications and has maintained the productivity of its workforce.

This case highlights that remote access and its benefits cannot be ignored, but there is a way to do it correctly. An organization that rushes to make remote work possible may experience network strain and expose themselves to data breaches if the transition lacks a rock-solid security foundation. Organizations that make AWS a cornerstone of their cloud grapple with this notion too, but the following checklist allows them to prepare, and complement their AWS solution with a security model that provides speedy, safe access to any number of remote employees no matter where they choose to work.

Remote Work is Inevitable for Organizations

Before looking at how an organization using AWS might scale their security along with their remote work activities, it’s worth taking a look at why the trend is here to stay. First, as younger workers replace older employees, their preferences for work come along as well. Second, the introduction of remote or flexible work policies is proven to suit all age groups, with over 68% of employees indicating that the trend benefits their work-life balance. It then makes sense that while over 70% of 18 to 34-year-olds take advantage of the freedom to work anywhere, more than half of workers up to age 60 do as well.

Those taking advantage of flexible work policies are the statistical majority in all age groups.[5]

The organizational benefits that come with remote work are also difficult to dismiss:

●      13% of remote workers take fewer sick days and report higher productivity

●      This will save over $4.5 billion by 2030 in the US

●      Instituting flexible work will increase employee retention by 10% in 2020

These results justify the rush towards remote-work optimization, but the change is something that must be approached from multiple angles and in deliberate steps. Typically, companies take the “two steps forward, one step back” strategy, unfortunately, whereby they stack new SaaS tools on top of the network, integrate them haphazardly and make them universally accessible to remote employees. This tactic might work for the employee and the organization on a short timeline, but on longer timeframes, exposure risk outweighs reward.

Thankfully, network security is moving in the same direction as AWS – towards the cloud-native “as a Service” model. For the organization that has found itself with a sprawling cloud and workforce, but without the scalable security infrastructure to protect it, there’s a quick win solution that doesn’t require them to pay exorbitantly for their lopsided priorities. Network as a Service platforms like Perimeter 81 are designed to be integrated at any stage of the cloud transition, and instantly envelop all network resources including AWS, all endpoints, SaaS applications and local environments.

 Checklist: Preparing AWS for an Inundation of Remote Workers

With 70% of potential hires considering remote work a key factor in whether or not to take a new position, your IT team needs to be ready for an influx of remote workers requesting access to their AWS resources via a plethora of devices, and over potentially unsafe Wi-Fi connections. Though the AWS infrastructure is itself very secure, several things must be considered before an organization adopting remote work can be confident that its entire network – and data – are as well.

Transition to Zero Trust for AWS Access

The first step of the playbook is simply to throw out old security models, which in their popularity have quietly been outmoded. Zero Trust security simplifies secure AWS cloud network access and offers user-centric security features that exceed AWS shared security requirements – a critical need for organizations using unmanaged AWS services. With a Software Defined Perimeter to implement least-privilege access to network resources, IT teams can skip the battle of configuring network hardware for the cloud. Instead, they’re provided a unified console for the visibility, control and threat inspection capabilities necessary to defend against malware, targeted attacks and the unauthorized exfiltration of sensitive data from AWS VPCs (and elsewhere).

A Secure Network as a Service (VPN Alternative)

SDP is often seen as a superior VPN alternative, and is the product that enables Zero Trust access, but also incorporates Virtual Private Networks (VPNs) – an essential part of safe networking and one that should be considered foremost among security solutions. Employees will be required to log into a mobile, web, or desktop application that then creates an encrypted tunnel between their device and resources they need to do their jobs. Wireguard and site-to-site IPSec VPN connections between your AWS server and network are simple to install via the AWS console, and with a SaaS model are simple to supplement with provided features like user segmentation and Secure Web Gateway.

A Cloud-Friendly Approach

Given the near universality of hybrid-cloud networks, security solutions must be cloud agnostic and able to seamlessly integrate into whichever SaaS or cloud-hosted resources the organization uses on a daily basis, and this includes AWS prominently. Local resources are also included in this idea, so that no matter which local  data and file storage sources your employees use alongside AWS, they’re all part of the same secure environment.

Defense Against Unsecured Wi-Fi

One of the biggest gaps in security that occurs when remoteness becomes a central theme in network access is public Wi-Fi, or simply unsecured Wi-Fi. Many employees will work from home, cafes, or places where the internet connection is less secure than if they were at the office, so the Wi-Fi security approach taken by organizations must account for this glaring threat and act accordingly. Surveys show that over 60% of people believe their connections are safe when connected to public Wi-Fi[6], despite heavy evidence to the contrary.

Geographically Diverse Data Solutions

Concentrating a virtual private network and security solution in one physical location will not suffice for larger organizations with many remote employees, who likely live far and wide of the office or their local branch. It’s therefore vital to find a provider with multiple data centers across the world, as employees can then connect to the most proximate server to reach AWS and other resources, without the latency that occurs with a centralized networking model. This increases productivity for the entire organization even while working remotely.

Layered Authentication to AWS and Other Resources

Requiring employees to authenticate themselves more than once is some of the lowest-hanging fruit for comprehensive network security, and is crucial for protecting your AWS resources. MFA ties access AWS and other resources to the proper credentials but also the employee’s personal mobile device. This is a very easy safety net to install, and ideally, the network security model employed should include ways to authenticate besides SMS.

Bring Your Own Device (BYOD) Accountability

Most modern devices are capable of connecting to a remote network, and with employees using a wide selection of smartphones, tablets, and laptops, it doesn’t pay to be narrow-minded when it comes to security. In fact, it literally pays to be pro-BYOD, with employees generating an additional $350 per capita[7] in value when allowed to use their own devices for work. With data liability in the hands of AWS users, the best network security solution is both dynamic and considers users and their chosen devices on an individual basis, covering all endpoints with the same efficiency.

Effortless Onboarding for IT

Proper network security models allow IT teams to seamlessly onboard new users into the system, assign them a profile or segment which grants access consistent with their role, and specific rules as to how their device connects. Employees who do not need access to your AWS solution can be quickly assigned a role-based profile that blocks them from getting to it, yet makes other relevant network resources available. If the IT team is given this capability then they’ll be more likely to respond efficiently when the need for remote access spikes across the organization.

Seamless Logins

Almost like a digital ID card, user-friendly features like Single Sign-On (SSO) are key to a user-centric security model and help reduce organizational liability for storing credentials. It’s especially powerful when combined with user segmentation features, and should be prioritized for companies that put a premium on productivity, reducing help desk costs, and streamlining the login process.

Agentless Remote Desktop

For in-browser access to data in the cloud, Remote Desktop Protocol (RDP) is a much appreciated addition to any network security apparatus, and tends to benefit particularly distributed workforces. The simplicity and agentless nature of RDP makes it one of the strongest and most lightweight building blocks of a secure network, but also one that maintains its accessibility to remote employees.

A Quick Win with Perimeter 81 Secure AWS Access

Unlike traditional hardware-based network security providers, Perimeter 81 provides greater network visibility, seamless onboarding, and automatic integration with AWS, giving companies of all industries and sizes the power to be securely mobile and cloud-confident.

Whether remote access is a dire need or a goal that an organization is gradually working towards, the Perimeter 81 Zero Trust Secure Network as a Service is the best unified solution. With a 15-minute onboarding process, no matter how large or diverse an organization’s resources, it’s no longer as potentially punishing to bring security up to speed.

To learn more about achieving seamless and efficient AWS access for your employees with a Zero Trust Secure Network as a Service platform, visit Perimeter 81 or schedule a demo.

Sources Cited

[1] https://warekennis.nl/wp-content/uploads/2013/11/bridging-the-information-worker-productivity-gap.pdf
[2] https://www.flexera.com/blog/cloud/2019/02/cloud-computing-trends-2019-state-of-the-cloud-survey/
[3] https://www.statista.com/chart/18819/worldwide-market-share-of-leading-cloud-infrastructure-service-providers/
[4] http://assets.regus.com/pdfs/iwg-workplace-survey/iwg-workplace-survey-2019.pdf
[5] https://www.polycom.com/content/dam/polycom/common/documents/whitepapers/changing-needs-of-the-workplace-whitepaper-enus.pdf
[6]https://www.nortonlifelock.com/content/dam/nortonlifelock/docs/reports/2017-norton-wifi-risk-report-global-results-summary-en.pdf
[7] https://techjury.net/stats-about/byod/#gref