Practices of enhancing security during remote working in distributed delivery


Avoiding security risks when working from home in distributed delivery

 

Due to the pandemic, more and more companies, including professional services companies, are providing distributed delivery that allows consultants to work from home. Compared with working at remote sites, this change brings extra challenges to information security, especially when separate, dedicated laptops for client work are involved. During the last year, we partnered with a few clients to address this, and here are some thoughts on the security risks as well as the mitigations.

 

Laptop lost or stolen 

 

A laptop might be lost or stolen both during transportation and at home. The risk is obvious, especially when public transportation is involved. There are a few mitigations that focus on improving endpoint security, including:

 

  • Full-disk encryption

  • Anti-malware software kept current at all times

  • Firewall enabled

  • Strong password policy

  • Remote lock/wipe with MDM (mobile device management)

  • System (macOS) and application updates to the latest versions

  • Enforced auto-idle lock

  • Firmware-level controls (preventing USB)

  • Ensuring the laptop is powered down for transport or when not in use

  • Leveraging MDM to do a regular phone home, with an automatic lock if it does not succeed

  • Location tracking: with the permission of individuals, making sure the locations of the laptops are as expected

 

It is worth noting that some of the measures above are also implemented when working from the office, and they are more valuable in a work-from-home situation.
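As an added illustration (not code from the article or from any MDM product), the sketch below evaluates three of the listed controls for one macOS laptop: full-disk encryption from `fdesetup status` output, the firewall from `socketfilterfw --getglobalstate` output, and the phone-home check with automatic lock. The function names, the 24-hour check-in window and the 5-minute clock tolerance are assumptions, and carrying out the lock is left to the MDM agent.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumed policy values (not from the article): align with your MDM check-in schedule.
MAX_CHECKIN_AGE = timedelta(hours=24)
CLOCK_SKEW_TOLERANCE = timedelta(minutes=5)

def disk_encrypted(fdesetup_output: str) -> bool:
    """Parse the output of `fdesetup status` on macOS."""
    return bool(re.search(r"^FileVault is On\.", fdesetup_output, re.M))

def firewall_enabled(socketfilterfw_output: str) -> bool:
    """Parse the output of `socketfilterfw --getglobalstate` (State = 0 means off)."""
    m = re.search(r"State = (\d)", socketfilterfw_output)
    return bool(m) and m.group(1) != "0"

def phone_home_ok(last_checkin: datetime, now: datetime) -> bool:
    """True if the last successful MDM check-in is recent enough.

    A local clock that reads earlier than the last check-in counts as a
    failure, so winding the clock back cannot extend the window.
    """
    if now + CLOCK_SKEW_TOLERANCE < last_checkin:
        return False
    return now - last_checkin <= MAX_CHECKIN_AGE

def evaluate(fde_out: str, fw_out: str, last_checkin: datetime, now: datetime):
    """Return (action, failed_controls) for one laptop."""
    failed = []
    if not disk_encrypted(fde_out):
        failed.append("full-disk encryption")
    if not firewall_enabled(fw_out):
        failed.append("firewall")
    if not phone_home_ok(last_checkin, now):
        # A missed phone home is the lost-or-stolen signal: lock, not just report.
        return "lock", failed + ["mdm phone home"]
    return ("report" if failed else "ok"), failed

if __name__ == "__main__":
    # Constructed sample input: healthy posture, but no check-in for 30 hours.
    now = datetime(2021, 6, 1, 9, 0, tzinfo=timezone.utc)
    print(evaluate("FileVault is On.\n", "Firewall is enabled. (State = 1)\n",
                   now - timedelta(hours=30), now))
```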

 

Unsafe local network

 

In most cases, consultants use the same wireless or wired network as other family members when working at home. This unsafe local network brings a network threat that is dramatically more serious than on office networks. Therefore, in alignment with a few clients, we have implemented a VPN solution by adding a hardware VPN router at home.

 

Generally, the idea is to connect the laptops directly to the VPN router, which has a VPN connection to the Thoughtworks office. This VPN router implements wired or wireless security measures (for example, configured MAC address binding) to make sure only the laptops used for Thoughtworks or client business purposes are allowed. Therefore, from the network perspective, this network is technically an extension of the Thoughtworks office network, with a similar level of security measures implemented. This can prevent port scanning and other network risks present in the previously open and unsafe family networks.

 

This won’t require much extra effort from consultants, as no configuration is required at home: they simply plug the router into their own family network. There is also no impact on the client IT team, as everything is managed from the Thoughtworks side. In practice we use SOHO-level VPN routers to balance cost, convenience and features.

 

In a recent case, we implemented this solution in Thoughtworks China for a client in Australia to support more than 50 consultants working from home. Based on our consultants' feedback, this solution has been effective without requiring too much extra effort. While this solution was applied for this purpose within a short lead time of a few months, other options (including Software-Defined WAN) are still under development.

 

Summary

 

Working from home does require extra effort to mitigate the security risks, especially when using clients' dedicated laptops. The practices mentioned above have been applied to several distributed engagements delivered in China for clients from both North America and Australia.

 

Disclaimer: The statements and opinions expressed in this article are those of the author(s) and do not necessarily reflect the positions of Thoughtworks.
