Enabling Secure Access for a Remote Workforce

An increasing number of organisations are supporting distributed, remote teams. While these remote-work policies allow for increased flexibility, there are unique access and security considerations that are inherent to mobile work.

What collaboration tools should I use?

One of the biggest challenges of a decentralised workforce is ensuring that employees are empowered with the right tools. Over the past few years, we’ve seen many organisations adopting digital productivity applications such as Zoom, Slack and Box to enable their workforce to collaborate remotely.

In Okta’s 2020 Businesses @ Work Report, these were some of the most popular collaboration apps in the Okta catalogue. For organisations looking for a solid foundation of cloud-based collaboration tools, these are a great place to start.

How can I quickly provide access to cloud
and on-prem services?

Getting these new apps in the hands of your users can be done quickly and efficiently if rolled out through a single sign-on (SSO) solution.

While SSO is often associated with providing access to cloud apps, that is not its only use case. For employees that need to access cloud-hosted infrastructure, you can integrate your IaaS platforms with your SSO solution to ensure that the same set of credentials are being used when accessing servers.

Many organisations also struggle with providing employees with secure access to the on-premises applications, like Oracle eBusiness Suite, Peoplesoft, JD Edwards, SharePoint, and Qlik.

Oracle E-Business Suite
IBM Logo White
Oracle Peoplesoft
Microsoft IIS
Oracle Hyperion
Oracle JD Edwards
Qlik Logo White
Outlook Logo White
SharePoint Logo White

Legacy on-prem apps leveraged by your organisation can still be accessed remotely using Web Access Management (WAM) tools, which securely allow employees to sign into apps that are hosted on-premises. 

In addition, SSO can help with:

Decreased password reset requests to your IT Helpdesk

As all teams work remotely, end users require self service capabilities to reset their password when necessary.

Integrating with your existing directories

If your organisation is using Active Directory or another LDAP directory, users can continue to use the same credentials to access all their apps.

Reporting / logs

Though your workforce may be remote, enabling SSO will still allow IT and Security teams to track end user logins and respond to any security event.

How do I deploy effective multi-factor authentication (MFA)?

Many organizations take significant steps to secure their internal networks, but those security controls do not necessarily extend outside the office. Employees may inadvertently bypass these security controls as they access corporate resources from new devices and new networks.

In addition, consider that your employees may not only be working from their home, but from a cafe, airport, or any other location. This increases the chances of an employee’s device being lost or stolen, potentially allowing a bad actor to access sensitive corporate data.

At Okta, we strongly encourage customers to add a supplementary layer of security to all user accounts in the form of multi-factor authentication (MFA). Additional factors can take many forms, like security questions and SMS one-time passwords, but we recommend using strong factors like mobile authenticator apps and biometrics.

Here are steps you can take to get MFA rolled out to all your employees in a timely manner, regardless of where they are located:

Identify which factors you will make available to your employees

Our suggestion is to enable biometrics with WebAuthn (FIDO2.0) and mobile authenticator apps like Okta Verify, but we also commonly see SMS OTP and Email OTP. It’s a good idea to make at least two factor types available to users in case they do not have access to a phone during the time of enrollment.

Decide if certain groups require stronger factors

Executives and employees who have access to sensitive information should ideally be required to provide a WebAuthn (FIDO2.0) supported factor. Examples of this include TouchID on MacOS, Windows Hello, fingerprint on Android, as well as FIDO2.0 supported hard tokens. If your employees do not have laptops or phones which support FIDO2.0 authenticators, consider sending them FIDO2.0 hard tokens from Yubico.

Roll out MFA in a phased manner

Determine the groups that should enrol to MFA first, and expand from there. For example, you can choose to roll out MFA in an order similar to this: 

  • Phase 1 : IT and Security staff 
  • Phase 2: Executives (C-levels, VPs)
  • Phase 3: Employees with access to privileged information (Sales team with access to customer data, marketing teams with access to revenue information, engineers with access to source code etc)
  • Phase 4:  All other full time employees 
  • Phase 5: Interns, contractors, temporary workers 
  • Phase 6:  External partners who need to access your corporate resources

If you are new to WebAuthn (FIDO2.0), you can find more detail here. And, don’t forget to check out how WebAuthn works using the WebAuthn demo site

Rolling out MFA is an essential resource in securing app access for both admins’ and end-users’ cloud applications, it also has some remote-work applications that you may not be aware of:

MFA for on-prem apps

When you’ve connected your on-prem apps to an SSO solution, the same factor you are using for cloud apps can be used for on-prem apps. The same policy enforcement settings apply here - MFA just once, per app, or based on session time.

MFA for servers

The ability to access servers remotely is great, but because servers generally host critical apps, it becomes imperative that access to those servers is secure. Enable MFA when users RDP into cloud hosted servers.

MFA for VPNs

If you’re not yet ready to make your on-prem apps available externally, many VPN solutions integrate with single sign-on providers to support multi-factor authentication. Support for factors may differ based on the MFA solution, but the general guidelines on prompting for MFA when users access a VPN are: 

  • When supported, integrate your VPN provider with your SSO provider to enable SAML-based logins to your VPN. This helps to reduce password sprawl and allows you to use the same factor for VPNs as you use for all other apps
  • Alternatively, integrate your VPN provider with your SSO provider using RADIUS. Users will still be prompted for an SMS One-time Password, Voice One-time Password, or mobile authenticator app notification when logging in. 

What access policies should I set for remote workers?

Once you have deployed SSO and MFA to all your employees, consider creating more granular access policies based on user, device, network and location context. Ideally, you can create granular access policies that align the strength of the policy to the potential risk associated with the login. Examples of these policies include: 

Disallowing POP/IMAP based authentication to Office 365

POP/IMAP protocols bypass multi-factor authentication requirements. Because of this, it’s best to block access to Office 365 from these protocols altogether. More information on how to secure these protocols can be found in the whitepaper here.

Creating network blocklists

 If your organisation needs to block access from known bad networks, tor browsers, or risk geolocations, create policies that either deny access or prompt for MFA when a user accesses their apps from these types of networks. 

Email notifications for end users

End user visibility is important. As remote employees may need to access corporate resources across different device types, it’s helpful to have notifications sent to users when suspicious or infrequent activity like new device logins, mfa enrollment, or MFA reset is detected on their account. 

Enable managed device checks for mobile and desktop devices

A remote workforce means you’ll likely need to allow Bring Your Own Device (BYOD) to eliminate any sort of end user friction when accessing apps. To ensure that only known, managed devices are accessing corporate resources, integrate your SSO solution with an endpoint management vendor to deny access or prompt end users for enrollment on unmanaged devices.