Security in the “Remote Work World” Part 2 (of 2)
January 10, 2021
(Originally published for AIASF in May of 2020)
As the country is literally “working” its way through the current “COVID-19 crisis” (a.k.a. “coronavirus crisis”) and an increasing number of states are mandating “shelter in place” and/or “stay at home” orders, we thought that it would be helpful to post a pair of articles on maintaining cyber-security in the “remote work world” that has become the “new normal” for architecture firms these days.
In “Part 1” we focused on the “Basics of Cybersecurity at Home” as well as “Remote Security ‘On the Road’” for staff/individual contributors. In this article (“Part 2”), we will turn our attention to centrally managed cloud/server-side technologies that can help architecture firms deliver great service to their customers while at the same time staying (reasonably) secure.
This second article is geared primarily toward architecture firm Managers/Directors/Principals and IT Managers.
What this Article Will NOT Cover
This article will NOT offer a comparison of specific cybersecurity products/solutions a la Gartner’s “Magic Quadrant” or Capterra’s software feature comparison tool. Why not? Well, because there are thousands of cybersecurity vendors and it’s beyond the scope of this document to discuss those vendors and their products. (“Thousands” may be a slight exaggeration but as someone who has attended RSA conferences in the past, I can tell you that there are a LOT of cybersecurity vendors in the world!) Instead this article will focus broadly on technical solutions that enable a remote work force and the security challenges that come with those solutions.
Mixed Computing Environment
As we noted in “Part 1” of this article pair, most modern architecture firms employ a combination of centrally managed as well as distributed computing platforms and devices. And as if the job of securing those varying platforms and devices was not enough, now (because of the forced increase in the number of remote workers) the firm has to contend with securing those same systems and users OUTSIDE of their traditional offices/networks. (This is what “cybersecurity geeks” refer to as an “increased attack surface.”)
In the sections below, we will first discuss the security “pros” and “cons” of various centrally managed solutions/technologies and then move on to a (brief) discussion of the intersection between centrally managed applications/platforms and “distributed computing.”
Centrally Managed Cloud and Server-Side Technologies/Solutions
Virtual Desktop Infrastructure (VDI): I will “borrow” from Citrix what I think is the simplest description of this technology which is “the hosting of desktop environments on a central server.” Because of the costs and technical expertise required to set up and maintain this kind of VERY centralized computing environment, employing VDI technology is typically the prerogative of large architecture firms; however, as costs come down in the next few years for these technologies, I can imagine mid-sized and even “smaller” architecture firms will eventually leverage this technology as well.
Pros:
- Completely centralized end user experience. All software (e.g., Revit, AutoCAD, Illustrator, Microsoft Office, etc.) is installed, licensed and updated via the virtual desktop host environment. The security benefit here is that the virtual desktops are all kept up to date as a whole by the IT administrator…no more “failed updates” because users have their computers turned off or because they simply refuse to allow updates to be run on their computers, etc.
- End users can easily be prohibited from installing any software that is NOT expressly allowed thus limiting exposure to malware/adware, etc.
Cons:
- High cost (usually) for hardware and software to set up/run these VDI hosts. (Though, there are an increasing number of “Desktop as a Service” (DaaS) solutions on the market as well which will likely eliminate the need to “roll your own” VDI hardware…eventually.)
- A fairly high degree of technical expertise is required to set up/maintain (and this will likely continue to be true even as DaaS becomes more widely used).
- Not all software can (legally) be licensed/run in “multi-tenant” mode so, it’s best to check with your major software vendors to be certain before implementing any VDI solution!
Vendors to check out in the VDI space: Citrix, VMware, Microsoft, Nutanix, Amazon Workspaces, etc.
Remote Desktop Applications: Vendors such as LogMeIn (LMI), Splashtop and TeamViewer offer remote control tools that operate (from an end user perspective, at least) in a similar way to VDI solutions in that they allow users to leverage a more powerful computer (usually a “workstation-class” desktop computer in the case of a Designer at an architecture firm, for example) remotely from some other (usually less powerful) computer located on the Internet.
Pros:
- Low cost for the remote-control software…certainly relative to VDI solutions.
- Easy for team members to use and easy for IT people to set up and manage.
- Security is still centrally managed because the end user workstations are still (more or less) under the direct control of the IT team. Also, remote access for particular end users can be quickly disabled if need be.
Cons:
- Requires relatively high-speed Internet connection (and ideally multiple Internet connections for redundancy) at the firm’s office (or offices) where the “workstation-class” computers are running…especially if you have a large number of team members making these remote-control connections.
- The architecture firm still needs to invest in expensive “workstation-class” computers so that their staff can continue to be productive…even remotely.
Vendors to check out in the Remote Desktop space: Splashtop, LogMeIn, TeamViewer, etc.
Virtual Private Networks (VPN): I almost did NOT include VPNs in this list because Designers working on shared models via VPN connection (for example, using Revit on a home computer that is VPN connected back to their Revit Server in their office) are well documented for causing model corruption and, basically, this solution does NOT work. That said, if you have other admin-type folks in your firm who are NOT working on shared model files but, instead, require remote access to Office docs, PDFs, etc., then VPNs are still a viable remote connection option for your end users…assuming your firewall supports VPN.
Pros:
- Low cost to implement (again, assuming your existing firewall supports it).
- Encrypted traffic between the VPN client’s location and your office firewall.
- Typically, very reliable (assuming good Internet connectivity on both ends of the VPN connection).
Cons:
- CANNOT be used to work on shared models by Designers in the firm!
- Are only as secure as the passwords and/or end user computers that are running the VPN clients.
Vendors: Various firewall manufacturers have VPN technologies built into their products…we will not mention any specific vendors here.
Software Defined Wide Area Networking (SDWAN): SDWAN is a subset of Software Defined Networking (SDN) and is a HUGE and very technical subject. The upshot of this technology – from a security perspective – is that it can be used to encompass most (if not all) of a company’s networking resources (e.g., firewalls, switches, Wireless Access Points (WAP), routers, etc.) including cloud-based resources, like Amazon AWS, Microsoft Azure, etc., such that those resources can ALL be managed centrally. So, the same network security rules, Quality of Service (QoS) policies, authentication, proxying, etc., can be applied to geographically separate areas/offices (that, in turn, are using different Internet connections and networking hardware/protocols) all over the world!
Pros:
- Completely centralized networking so, security for that network is also centralized.
- Highly scalable.
- Hardware/vendor “agnostic.” So, in theory, architecture IT teams could pre-configure inexpensive firewalls/switches that could be taken home by end users thus extending the corporate network (and, more importantly, the corporate network’s security policies/solutions) to the end user’s home. That said, the caveat still applies here from the VPN section above that working on shared models over an SDWAN is probably a very bad idea!
Cons:
- Technically complex to set up and maintain.
- Still a relatively expensive solution from a licensing perspective, though, these licensing costs will likely go down as more vendors enter this market.
Vendors to check out in the SDWAN space: Cisco Meraki, Riverbed, Fortinet, etc.
Single Sign On (SSO) and Multi Factor Authentication (MFA): Technically, SSO and MFA are separate technologies as MFA can be implemented on various web applications/services that are NOT SSO-capable but SSO vendors ALWAYS include MFA in their solutions so, we are combining these two solutions here. In a nutshell, SSO allows you to use a single set of login credentials (typically a “username” and “password”) to access multiple web/computing resources that would otherwise require separate login credentials for each web app/service…hence, SINGLE sign on. From an end user perspective this means that they do NOT have to remember (read: write down) multiple usernames/passwords for different applications; however, from an IT Manager perspective this means that you can disable an end user once and shut down their access to MANY applications! (The MFA piece of SSO is that in addition to requiring the end user to supply login credentials, they must also have a secondary device in their possession – e.g., a smart phone running an MFA app – that provides a second level of authentication that would be VERY DIFFICULT to fake unless a hacker actually had that MFA device in their possession while trying to gain access as an end user.)
Pros:
- Centralizes authentication for all corporate applications (well, at least those that are SSO-capable).
- Centralizes the disabling of those same corporate applications and can speed up the process of new user on-boarding/account creation for these applications.
Cons:
- While SSO solutions are not necessarily technically difficult to set up, in practice, they can be difficult to maintain. (Vendors that claim to be “SAML-compliant” or otherwise compatible with SSO solutions often really are not…so, adding corporate apps to the company’s SSO solution doesn’t always work as expected.)
- These solutions can still be relatively costly.
Vendors to check out in the SSO/MFA space: Okta, OneLogin, Centrify, etc.
Mobile Device Management (MDM): MDM – as its name implies – is the ability to manage devices like smart phones, tablets, etc., so that if those devices are being used to access corporate resources (e.g., networks, data, applications, etc.), then they can be wiped (or otherwise disabled) in the event that those devices are lost (or stolen). Like many of the technologies above, MDM is a HUGE topic but for the purposes of this article, just know that this technology can be used to ensure that architectural data that may be sitting on a mobile device can – potentially – be destroyed if need be.
Pros:
- Centralized management and security for mobile devices.
- Enforced encryption of data on mobile devices.
- Multi-platform support for Windows, MacOS, iOS and Android devices (usually).
- Relatively inexpensive to implement and maintain.
Cons:
- Can be technically challenging to set up and maintain.
- Can be costly if the company must purchase mobile devices for end users instead of putting MDM software on end users’ existing mobile devices. (In fact, many companies simply decide to purchase mobile devices with their MDM solution installed on them because they do not want to deal with employee pushback: “Why should I install COMPANY security on MY cell phone???”)
Vendors to check out in the MDM space: Microsoft Intune, IBM MaaS360, VMware AirWatch, etc.
Distributed Computing Environments
If you are part of a “large” architecture firm (and let’s define “large” as a hundred Designers or more), then chances are that you are leveraging several (if not all) of the centralized computing solutions noted above. If you are part of a smaller firm, though, then it’s likely that you rely on either a fairly powerful desktop computer (or “workstation”) which anchors you to that workstation for actual design work…OR (as is becoming increasingly common these days) you have a very powerful laptop to keep you mobile…working from home, client/partner offices, coffee shops, etc.
It used to be that laptops that were capable of competently running architectural apps, e.g., Revit, AutoCAD, etc., were cost prohibitive…that is, in the range of $5,000 or more. These days, though, a “workstation-class laptop” can be purchased for around $2,000 with the bulk of that expense going towards the Graphics Processing Unit (GPU) and the supporting RAM for the GPU to allow the laptop to run 3D applications in a usable manner (meaning at high resolution and high refresh rates for rendering on-screen).
The combination of relatively inexpensive laptops and cloud-based collaboration and distributed storage/sync solutions (such as the ones noted below) has enabled smaller architecture firms to compete and/or partner with much larger firms…at least, from a technology perspective.
- Autodesk BIM 360: Remember the “olden days” when, in order for multiple Revit users to work on the same model (a.k.a. a “shared model”), you (as the IT manager) had to set up a Revit Server (possibly a dedicated machine or perhaps running as a service on a non-dedicated server) and modify “revit.ini” files so that all the clients could point to the server and so on? And if you had a joint venture with another firm…you may have had to set up a Revit “Accelerator” Server to talk to the other company’s Revit Server and set up a Point-to-Point VPN connection to that other company’s network or poke a “pinhole” in your firewall and blah, blah, blah! Well, those days are gone and good riddance! Autodesk’s BIM 360 has obviated that madness and even though it can be a relatively costly solution for model collaboration (especially when you add in the Autodesk application licensing that you’re probably already paying for), it is worth EVERY PENNY! If your firm is using Autodesk design tools, then RUN – don’t walk – to BIM 360!
- “What does BIM 360 have to do with ‘remote work world’ security,” you ask? A LOT as it turns out and nobody makes this point better than Autodesk themselves in this link: https://www.autodesk.com/bim-360/construction-management-software/security/.
- Egnyte, Box, Google Drive, OneDrive, etc.: I could just as easily have labeled this bullet point as “file sharing and syncing tools” but, again, for the purposes of this article I thought it best to focus on the vendors in this space that are reasonably secure (Egnyte and OneDrive setting the standard on that point) and that are user-friendly enough to be used by architecture firms. If you need your firm’s Designers, Managers, administrative staff, etc., to be able to collaborate on documents (from ANYWHERE in the world where those people have a working Internet connection), then you need to be using one of these tools. Notice that I said “documents” and NOT “models” or, more specifically, “shared models”. Please DO NOT try to use any of these file sync tools as a “poor man’s version of BIM 360”! Many have tried and all have (or will have) failed. Just don’t do it. (You’d even be better off setting up a Revit Server if you must but, again, do NOT use these sync tools for model collaboration! Have I said that you should NOT do this enough times?)
As lengthy as this article is, believe it or not, I’ve only scratched the surface of managing security for your remote workforce! For instance, I’ve left the topics of “Managed Detection and Response” (MDR) and “Managed Security Services Providers” (MSSP) completely out of this article. Frankly, any firm that has the ability to pay between $10,000 and $30,000 per month (starting price point) for this “next level” of security solution provider is beyond the scope of this article. Instead, we chose to focus on security solutions that could realistically be used by mid-sized and smaller architecture firms.
Lastly, as with all things related to implementing cyber-security solutions, do not let “the perfect be the enemy of the good.” No matter how much money your firm spends on security, you will NOT be “hacker-proof.” The goal in any solution (or solutions) that you implement should be to simply raise the walls around your “castle”…at least enough to deter the “average hacker” and/or “bots” that are trolling the web looking for quick and easy access to your network and, ultimately, your data.