
Enable a Secure Remote Workforce

Publication date: Oct 13, 2022
Description

At Salesforce, we’ve never had so many of our employees working remotely as we have since the onset of COVID-19. To meet our team’s needs while continuing to protect customer data, we challenged some of our traditional security processes and adapted them to modern technologies. By doing this, we increased the availability of services and operations without compromising on security. Below are some tips to help medium to large-sized businesses — with an on-premise network and hybrid-cloud infrastructure — more securely support their remote workforce.

Traditional Perimeter Security

Salesforce, like most businesses, has to secure and protect business operations from the public internet, while providing a path for employees to remotely access data. Some common methods to achieve that include the following:

  • Use of perimeter firewalls as a trust boundary between public and private networks.
  • Limit sensitive resources to private networks that are routable only from corporate offices.
  • Use of an on-premise VPN concentrator to provide remote access to private networks.
  • Use of an on-premise identity service for centralized login to all resources.
  • Use of company-owned endpoints that are configured and provisioned on-site.
  • Minimizing the use of video conferencing tools for confidential communications.

Modern Perimeter Security

Despite the advantages to these traditional methods, they don’t account for some differences in modern-day infrastructure that need to be considered, such as the following:

  • SaaS applications and public cloud services are directly routable on the public internet and do not need a VPN for routing purposes.
  • Internet services and protocols are often encrypted by default, or offer sufficient integrity checks, and don’t need a VPN to supplement these shortcomings.
  • Authentication logic to Identity Providers (IdPs) takes place in a browser (e.g., SAML, OAuth), independently of on-premise protocols and directory services.
  • Endpoints are remotely configured and provisioned via internet-accessible MDMs and hardware-supplier workflows rather than needing on-premise build labs.
  • Strong user and device authentication capabilities, including MFA and Mutual Authentication (mTLS).
  • Meetings occurring virtually via cloud conferencing rather than physically.

Aligning perimeter security practices to modern infrastructure

Salesforce found that by aligning perimeter security to modern infrastructure practices we were able to achieve better performance and higher availability without compromising security or incurring significant additional infrastructure cost. Below are some examples of remote office challenges we experienced, along with secure solutions that enabled our remote workforce:

Remote office challenges and secure solutions

Challenges:
  • Corporate network is not accessible due to DDoS or outage
  • VPN bandwidth is insufficient for a large volume of remote workers
  • VPN latency is too high for video collaboration
  • VPN concentrator isn't available at my remote location
  • Private networks are not remotely accessible
Secure solution:
  • Limit what services route through your VPN to only those that are absolutely necessary (i.e., only services that are on non-routable private networks).
  • If a service is already on the internet, uses encryption in transit (e.g., TLS), and has strong multi-factor authentication, consider what additional benefit you get from re-routing that service through a VPN.
  • Enable QoS when bandwidth quotas exceed 80% of capacity.
  • Deploy redundant VPN concentrators on separate internet providers, if possible across multiple geo-locations. Consider implementing break-glass functionality if needed for emergency scenarios.

Challenge:
  • Endpoint devices are on untrusted networks, raising attack surface
Secure solution:
  • Configure host firewalls to block all inbound traffic.
  • Ensure that internet-facing software such as browsers leverages sandboxing techniques and is running the latest update.
  • Require HTTPS for all browser traffic and disable the ability to bypass certificate warnings.
  • Train users to be wary of phishing and to adopt safe-browsing techniques.

Challenge:
  • Endpoint devices cannot be identified by IP address for authentication logic
Secure solution:
  • Deploy X.509 client certificates to managed devices and use them in authentication flows such as accessing your VPN or IdP. Adopt mTLS as an alternative to source IP mappings.

Challenge:
  • Endpoint devices aren't physically secured
Secure solution:
  • Deploy a hardened endpoint security policy that limits unnecessary interfaces, requires code signing for approved hardware, and sets a screen inactivity lock.
  • Enable full disk encryption with hardware-backed keys.
  • Enable secure boot and lock firmware interfaces.

Challenge:
  • SSO login is not remotely accessible
Secure solution:
  • Adopt a SAML or OAuth identity for all cloud services and enforce multi-factor authentication. If access must be restricted to managed devices, use mTLS to validate client devices on authentication instead of IP allowlists.

Challenge:
  • SaaS applications aren't directly accessible as they were in the office
Secure solution:
  • If the application leverages IdP authentication flows that already perform multi-factor authentication, rely on the IdP for authentication validation instead of IP allowlists.

Challenges:
  • Cannot provision or configure endpoints remotely
  • Cannot perform software deployment or updates without the corporate network
Secure solution:
  • Leverage internet-accessible mobile device management platforms to remotely provision, configure and update your endpoint fleet.
  • Leverage hardware-supplier-based MDM enrollment functionality to automatically associate purchased infrastructure with endpoint management toolsets.

Challenge:
  • Video conferencing tools aren't suitable for confidential communications
Secure solution:
  • Enforce secure defaults to require authentication to an IdP. If authentication is not possible, prevent public sharing of unique links or meeting IDs.
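The two rows above that replace source-IP mappings and IP allowlists with device certificates can be illustrated at a gateway. The following nginx reverse-proxy configuration is an added example, not from the Salesforce article, and shows the IP-allowlist approach beside the mTLS device-certificate approach; all hostnames, file paths, the office address range and the device CA are assumptions.

```nginx
# Added example (not from the Salesforce article): an nginx reverse proxy in
# front of an internal service, showing the IP-allowlist approach the article
# moves away from beside the mTLS device-certificate approach it recommends.
# Hostnames, paths, the office range and the CA name are assumptions.

# --- Weak: trust the source IP. Stops working as soon as users leave the
#     office network, and trusts anything that reaches the gateway from
#     that range, managed device or not.
server {
    listen 443 ssl;
    server_name legacy.example.internal;
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;

    location / {
        allow 203.0.113.0/24;   # assumed corporate office egress range
        deny  all;
        proxy_pass http://127.0.0.1:8080;
    }
}

# --- Preferred: require an X.509 client certificate issued by the device CA
#     that the MDM provisions to managed endpoints. Works from any network,
#     and a lost device is handled by revocation rather than by IP changes.
server {
    listen 443 ssl;
    server_name app.example.internal;
    ssl_certificate     /etc/nginx/tls/server.crt;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    ssl_client_certificate /etc/nginx/tls/device-ca.pem;  # assumed CA bundle
    ssl_verify_client      on;     # handshake fails without a valid client cert
    ssl_verify_depth       2;
    ssl_crl                /etc/nginx/tls/device-ca.crl;  # revoked device certs

    location / {
        # Defense in depth: refuse unless verification succeeded, and pass the
        # device identity upstream so the app can log and authorize on it.
        if ($ssl_client_verify != SUCCESS) { return 403; }
        proxy_set_header X-Device-DN $ssl_client_s_dn;
        proxy_pass http://127.0.0.1:8080;
    }
}
```

The device certificate establishes which managed endpoint is connecting; user authentication and MFA still happen at the IdP behind it, as the SSO row describes.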


Please note, Salesforce cloud products are directly accessible over the internet under our Customer 360 model for SaaS (https://www.salesforce.com/saas/).

Additional resources:

Knowledge Article Number

000380748

Salesforce Help | Article