Blog | Jun 11, 2025 | 5 min read

Remote Work Security Beyond the VPN Checklist

Remote work security requires more than VPN access. Here is a practical guide for securing distributed teams.

By 3SN Team
#remote-work #endpoint-security #zero-trust #vpn #distributed-teams

The VPN is necessary but not sufficient

When organizations shifted to remote work, most focused on connectivity. VPNs were deployed, remote access was configured, and business continued. But VPNs solve a network problem, not a security problem. They extend your perimeter without extending your controls.

Today, remote work is permanent for many organizations. Security teams need to think beyond the VPN and build controls appropriate for a perimeter that now includes thousands of home networks, personal devices, and coffee shop WiFi connections.

This post covers the security controls that matter for distributed teams.

The endpoint is your new perimeter

When users work from home, their devices sit outside your corporate network. The endpoint becomes the primary control point.

Device management: All corporate devices should be enrolled in mobile device management (MDM) or endpoint management. This enables remote configuration, software deployment, and security policy enforcement.

Disk encryption: Full-disk encryption should be mandatory on all laptops. If a device is lost or stolen, encryption prevents data exposure.

Patch management: Remote devices often miss patch cycles. Implement automated patching for operating systems and critical applications. Track patch compliance by device, not just by network segment.

Endpoint protection: Modern EDR (Endpoint Detection and Response) tools work regardless of network location. They provide visibility and protection even when devices are offline.


Identity and access for remote workers

Network location is no longer a reliable indicator of trust. Identity becomes the primary access control mechanism.

Multi-factor authentication: MFA is non-negotiable for remote access. Passwords alone are insufficient when attackers can phish credentials from anywhere in the world.

Conditional access: Implement policies that consider device health, location, and behavior. Require MFA from new devices, block access from high-risk countries, and step up authentication for sensitive applications.
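The three rules in that paragraph can be expressed as one ordered decision function. This is an added sketch, not code from the original post or from any vendor's policy engine; the country codes, app names, device inventory and the 15-minute step-up window are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed policy data: placeholder country codes and app names.
HIGH_RISK_COUNTRIES = {"XX", "YY"}
SENSITIVE_APPS = {"payroll", "admin-console"}
STEP_UP_MAX_AGE_MIN = 15  # assumed freshness window for step-up MFA


@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    device_healthy: bool         # e.g. managed, encrypted, patched
    country: str                 # code derived from IP geolocation
    app: str
    mfa_age_min: Optional[int]   # minutes since last MFA; None = none yet


def evaluate(req, known_devices):
    """Return (decision, reasons); decision is block, require_mfa or allow."""
    # Hard denials come first: authentication cannot override them.
    blocks = []
    if req.country in HIGH_RISK_COUNTRIES:
        blocks.append("high-risk country")
    if not req.device_healthy:
        blocks.append("device failed health check")
    if blocks:
        return "block", blocks

    # Conditions that demand a (fresh) second factor.
    fresh = req.mfa_age_min is not None and req.mfa_age_min <= STEP_UP_MAX_AGE_MIN
    reasons = []
    if req.mfa_age_min is None:
        reasons.append("no MFA in session")
    if req.device_id not in known_devices.get(req.user, set()) and not fresh:
        reasons.append("new device")
    if req.app in SENSITIVE_APPS and not fresh:
        reasons.append("sensitive app needs step-up")
    if reasons:
        return "require_mfa", reasons
    return "allow", []


KNOWN = {"alice": {"laptop-1"}}  # constructed device inventory

if __name__ == "__main__":
    demo = AccessRequest("alice", "laptop-1", True, "US", "payroll", 120)
    print(evaluate(demo, KNOWN))
```

Evaluating blocks before MFA prompts keeps a request from a blocked location or an unhealthy device from ever reaching an authentication prompt.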

Privileged access: Administrative access should require additional controls: dedicated privileged access workstations, just-in-time elevation, and enhanced monitoring.

Session management: Remote sessions should have timeouts appropriate to risk. Users should re-authenticate for sensitive operations even within an active session.

Securing home networks

You cannot control home networks, but you can influence them and protect your data in spite of them.

Split tunneling considerations: Full tunneling sends all traffic through the VPN. Split tunneling sends only corporate traffic through the VPN. Split tunneling reduces bandwidth costs but exposes users to local network threats. Most organizations benefit from full tunneling for high-risk users.

DNS protection: Configure remote devices to use DNS services that block malicious domains. This provides protection even when the VPN is disconnected.

Home router guidance: Provide users with guidance on securing home routers: changing default passwords, enabling automatic updates, and disabling remote management.

Guest network isolation: Recommend that users put work devices on separate networks from personal IoT devices. Smart home devices are frequent targets and can serve as entry points to other devices on the same network.

The remote work security checklist

  • All corporate devices enrolled in MDM with remote wipe capability
  • Full-disk encryption enabled on 100% of mobile devices
  • Automated patching configured for OS and critical applications
  • EDR deployed and reporting regardless of network location
  • MFA enforced for all remote access, no exceptions
  • Conditional access policies based on device health and risk
  • VPN configured with appropriate tunneling strategy
  • DNS protection enabled on all remote devices
  • Data loss prevention policies configured for cloud applications
  • Secure collaboration tools provisioned and enforced
  • Remote work security policy documented and acknowledged
  • Incident response plan includes remote device compromise scenarios

Collaboration and data protection

Remote work means data lives in more places: home drives, personal cloud accounts, email attachments sent to personal addresses.

Approved tools: Establish and enforce approved collaboration tools. Shadow IT is harder to control when users work from home.

Data classification: Classify data by sensitivity and apply appropriate controls. Highly sensitive data should not be downloadable to remote devices.

DLP controls: Deploy data loss prevention tools that monitor and control data movement to personal accounts, USB drives, and unapproved cloud services.

Backup: Ensure remote devices are backed up. Ransomware that encrypts a remote laptop is just as damaging as ransomware on a server.

Monitoring and visibility

Remote work reduces visibility. You cannot walk the floor and notice suspicious activity. You need technical controls that provide equivalent visibility.

Centralized logging: Remote devices should send security logs to a central SIEM. This includes authentication events, process execution, and network connections.

Behavioral analytics: Use UEBA (User and Entity Behavior Analytics) to detect anomalies: unusual login times, impossible travel, access to unusual resources.

Regular access reviews: Review access rights quarterly. Remote workers accumulate access over time. Regular review prevents privilege creep.

The distributed security mindset

Remote work requires a shift in security thinking. The old model of "trusted internal network, untrusted external network" does not apply when your internal network is thousands of home routers. Adopt a zero trust mindset: verify every access request, regardless of source.

The organizations that succeed with remote work security are those that accept the new reality and build controls appropriate to it. The VPN was step one. Steps two through twenty are what separate secure organizations from breached ones.


Disclaimer: This post is for educational and informational purposes only and does not constitute legal, compliance, or professional security advice.