Recently, we’ve had an influx of people contacting us to urgently discuss how to meet their business continuity (BCP) needs. The COVID-19 Coronavirus pandemic is forcing organisations of all shapes and sizes to assess how they will continue to operate if (or perhaps when!) their employees must work from home to stop the spread of the virus.
To help with your business continuity planning (BCP) needs, we wanted to share a summary of the options we are already discussing with Kiwi organisations – from mid-size corporates to large NZ based enterprises with 10,000+ staff. We asked our partners at netQ to collaborate with us on this – thanks Aaron Cottew (sorry I couldn’t add all the amazing insights you provided!)
As you consider these options, remember that leveraging existing technologies may be the fastest option. It’s often easier to scale up or out an existing solution than building a new one. And while we’re very particular about ensuring employees have awesome technology experience, this time, you may need to settle for “good enough”. Mediocre performance when accessing a critical app from home is better than no access.
In the interest of getting this information published quickly, we have kept the details to a minimum. Just contact us if you want more info on any of these options.
So how can your organisation quickly scale up a solution which allows your people to securely gain access to the apps and data they need to be productive from ANY location?
VPNs (virtual private networks) have been around forever and remain a major part of remote access for most organisations. A VPN essentially allows your people to use their device as if it were part of your local network, wherever they are. When it comes to rapidly increasing the usage of a VPN solution, organisations struggle for two reasons:
Many organisations are realising their current VPN appliances cannot meet the demands of their entire workforce working remotely. This may simply be due to insufficient VPN licensing or the VPN termination constraints of their firewalls.
Thankfully, nearly every security vendor globally is helping their customers by offering complimentary extended evaluation licensing, allowing customers to scale their existing solutions or, in some cases, building entirely new greenfield solutions.
Talk to your security partner or vendor about complimentary VPN client licenses to unlock your firewall’s maximum VPN capability. Often, these will also come with endpoint protection licenses helping you mitigate any additional security concerns of remote-working. Also talk to your security partner or vendor about complimentary Virtual Firewall licenses. This will allow you to spin up brand new virtual firewalls on any existing hypervisor and scale your VPN capacity as required.
Perform an inventory of your networking devices – you may have a device with VPN capabilities that are not currently used. For example, you may have Cisco as your primary VPN but also have a Citrix NetScaler which is not used for VPN which could already be licensed for SSLVPN functionality.
There is now a global shortage of, and long lead times for, new laptops, so many staff sent home cannot connect via the existing corporate VPN solution. How do you provide a secure clientless connection for these staff to use on a family home PC? Keep reading for some options.
This is a loose categorisation for solutions which are similar to VPNs but are not traditional VPNs. Confused? Hopefully not for long. Two key technologies in this category are Microsoft DirectAccess and Clientless VPNs.
I like Microsoft’s description of DirectAccess: “DirectAccess allows connectivity for remote users to organisation network resources without the need for traditional VPN connections. With DirectAccess connections, remote client computers are always connected to your organisation – there is no need for remote users to start and stop connections, as is required with VPN connections. Besides, your IT administrators can manage DirectAccess client computers whenever they are running and Internet-connected.”
DirectAccess is supported from Windows 7 on the desktop and from Windows Server 2008 R2 on the server side. DirectAccess is simply a server feature that you can choose to enable – it’s there ready for you to use. We’ve seen that smaller deployments are fairly simple, but larger deployments can be complex: firewall changes will be required, IPv6 is involved, and certificates may be required.
Also, note there is Microsoft Always On VPN which is a newer option which supports only Windows 10 and Windows Server 2012 R2 or newer.
Many firewall vendors support several Clientless VPN options which can be implemented very quickly.
WebVPN – A web VPN allows users to authenticate to an HTTPS page on the firewall and be presented with web links to internal web applications based on the user’s AD group permissions. This fills the void for many organisations but may not work for legacy client-server apps and can have a heavy impact on firewall CPU and memory.
IP Tunneling VPN – Allows trusted users to authenticate to an HTTPS page on the firewall and subsequently be granted an SSL-encrypted IP tunnel between their device and any permitted corporate destinations based on their AD group permissions. As the client is connecting from an untrusted device, careful consideration must be given to their permitted destinations – do not allow them to connect directly to application services; instead, allow RDP connectivity only.
Zero-Trust Architectures allow access from trusted users on untrusted devices through reverse-proxy services. This type of architecture should be every organisation’s long term strategy, however, these solutions may not support legacy client-server based applications and the integration journey can be time consuming. There are several vendors with Zero-Trust services offerings/products such as Zscaler, VMware, DUO, and Microsoft.
Zscaler is well known for its Internet Access (ZIA) product, but they also have Zscaler Private Access (ZPA) which is a VPN alternative based on zero trust network access principles. ZPA takes a user and app-centric approach to app access where users only gain access to the specific apps they are authorised to access. Zscaler talks about “application segmentation” rather than “network segmentation”. No servers or appliances are required; instead, connector agents communicate back to the Zscaler control plane – this means less of an attack surface as there are no open ports into your data centres.
Duo and Microsoft have Zero-Trust solutions with the Duo Network Gateway and Microsoft Azure AD Application Proxy. Both of these solutions allow access to internal web apps with conditional and contextual authorisation based on device health, device location etc.
If you already have Azure Active Directory P1 or P2 licensing, start with Microsoft’s Azure AD Application Proxy to see if it meets your needs.
Most of our customers have an existing Microsoft RDS, Citrix Virtual Apps (XenApp), or VMware Horizon environment, or in some cases, all three. Scaling out an existing virtual desktop platform is one of the first options we discuss. At a technical level, scaling out is often quick and simple, especially if you are using a provisioning solution like VMware Instant-Clone or Linked-Clone, or Citrix Machine Creation Services (MCS) or Provisioning Services (PVS).
In the last week, we have helped several customers quickly scale out their virtual desktop environments to cater for hundreds more users. There are some barriers we see with this approach:
Windows Virtual Desktop (WVD) is a fairly new offering from Microsoft. It is an Azure cloud service for running desktop and app virtualisation in Azure. The last part is important: “in Azure”. You cannot run your workloads in any other data centre or public cloud so if running virtual desktop or apps from Azure doesn’t work for you, stop reading now!
WVD provides a multi-user Windows 10 experience (think RDS for Windows 10), dedicated Windows 10 VDI, and Windows Server RDS for virtual desktops and virtual apps. Note that Azure Active Directory (AAD) is required and that the WVD VMs must be either standard domain-joined or Hybrid AD-joined.
If you meet the eligibility requirements for WVD, there is no cost for the WVD service; you pay for the WVD workloads in Azure only (that is, your Windows 10 or Windows Server VMs). If you have Microsoft 365 E3/E5/F1 or Windows Enterprise E3/E5 you’re covered for Windows 10 WVD. And if you have RDS CALs with active SA, you’re covered for Windows Server 2012 R2 or newer WVD. Check out the full eligibility criteria if you want to know more.
Windows Virtual Desktop could be a great way to prepare for a mass work-from-home/remote-work situation during a pandemic such as COVID-19. There’s no additional cost for the WVD service and you only pay for the VM usage, so there are few costs until you start consuming the service.
A lot of our customers are licensed for Microsoft Intune which is bundled with Microsoft 365 and Microsoft Enterprise Mobility and Security (EMS), so a discussion around how we can utilise this investment makes sense. Intune can be used to quickly and easily provision or re-provision Windows, iOS, or Android devices and deploy apps to those devices. Add in EMS, and you’ve got security controls wrapped about your users and devices too.
Using Windows Autopilot, it’s possible to take any off-the-shelf Windows 10 Pro device and quickly convert it to a managed device, but IT does need to get the device hardware details to add the device into Autopilot. If the device has come off a retailer’s shelf, then that means getting the device into the hands of an IT person. If the device has been ordered from the original equipment manufacturer (OEM), they may be able to add the device info directly into Autopilot for you. The good thing about Autopilot is that IT does not need to create an image; you just use the OEM image and deploy your configuration and apps on it.
Ignoring Autopilot, it’s also possible for a user to enrol any Windows 10 Pro, macOS, iOS or Android device into Intune. Once enrolled, device configuration and applications can be deployed to the device. Of course, a big concern for many of the organisations we work with is security – so to wrap some security around this, conditional access policies can be created. These enforce a minimum level of device compliance and use multi-factor authentication to strengthen this security.
If you can get your hands on more devices, using the Microsoft Modern Management capabilities you are already licensed for may make sense. Using personal devices (BYOD) is another option, and an easy option if you mostly use the Office 365 suite and cloud/SaaS apps. For personal devices, we recommend using a Mobile Application Management (MAM) approach so that IT doesn’t have rights to perform a full device wipe of the user’s device. Microsoft Information Protection and App Protection Policies can be used with Conditional Access and MFA to help secure your data when accessed from personal devices.
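As an added example (not Deptive’s or Microsoft’s own code), here is what the conditional access control described above looks like when created with the Microsoft Graph PowerShell module: a policy that requires both MFA and a compliant (Intune-enrolled) device before any cloud app can be used. The group and break-glass account object IDs are placeholders you would replace with your own, and the policy is created in report-only mode so the sign-in impact can be reviewed before it is enforced.

```powershell
# Added example: Conditional Access policy requiring MFA AND a compliant device.
# Assumes the Microsoft.Graph PowerShell module is installed and you hold a role
# allowed to manage Conditional Access. Object IDs below are placeholders.

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$remoteWorkersGroupId = "00000000-0000-0000-0000-000000000000"   # placeholder: your remote-workers group
$breakGlassAccountId  = "11111111-1111-1111-1111-111111111111"   # placeholder: emergency admin account

$policy = @{
    displayName = "BCP - Remote workers: require MFA and compliant device"
    # Report-only first: sign-ins are evaluated and logged but not blocked.
    state       = "enabledForReportingButNotEnforced"
    conditions  = @{
        users = @{
            includeGroups = @($remoteWorkersGroupId)
            # Always exclude a break-glass account so admins cannot lock themselves out.
            excludeUsers  = @($breakGlassAccountId)
        }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls = @{
        # AND means the user must satisfy every listed control, not just one.
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }
}

New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
```

Once the report-only sign-in logs show the expected users passing, change `state` to `"enabled"`. For the BYOD/MAM approach described above, where you do not want to require full device enrolment, the `compliantDevice` control is replaced with `compliantApplication` (require an app protection policy) so that only managed apps holding corporate data are gated, not the personal device itself.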
However, once you have a device ready to go, how will your people access your systems? If you’ve got that far, I assume you are fairly well down the Office 365 deployment path so users will have access to email, SharePoint, Teams, OneDrive, etc. directly from the Microsoft cloud. To access other legacy or on-premises apps, consider the other options discussed in this blog. Also, consider Azure AD Application Proxy (as discussed above) to gain access to on-premises web applications.
When your team is working remotely, whether that’s short-term due to a pandemic or other business continuity event or it’s your usual mode of work, having the right communication and collaboration tools in place is necessary.
At Deptive, we live in Outlook and Teams, and we know many of our customers do too. If you have not jumped into Teams yet, now may be a good time – and if you’re licensed for Office 365, you’ve already got Teams. In a few minutes, you can have a collaboration space set up with chat, video calls, meetings, integrated SharePoint sites, document libraries, wiki, planners, and all manner of other third-party add-ins. Go on, give it a crack.
Whatever you do, don’t become complacent about security. If I was a bad guy, now would be the perfect time to launch an attack as organisations are focused on dealing with a crisis. The focus may be on providing remote-working capability, but it can’t be at the expense of security.
Make sure you have good web and email filtering, end-point security, and multi-factor authentication (MFA). Then consider conditional access, CASB, and information protection. Whatever you do, ensure you’re using tools that are always secure, and tapping into the resources and people that can help you ensure that (let us know if this is something you need help with).
There’s a lot of doom and gloom at the moment due to COVID-19. A lot of organisations face a lot of uncertainty over the following months and times could be tough for some of us. The good news is that we have many technology solutions to choose from which could prove to be the backbone of survival for many organisations – and now is a much better time to get them set up than later.
The ability to keep people productive and data secure are critical for the survival of all organisations; hopefully, the work-from-home and remote-working solutions discussed in this blog will help you keep your organisation humming over the coming months.
If you would like to know more about creating a secure digital workspace, download our free ebook: Your Digital Workspace: The Ultimate Guide to Creating Digital Experiences Your Employees Will Love