How to: Secure remote work
Remote work has been around for a long while, steadily climbing in people's attention. The recent months have brought it to a peak, with a 130% increase in interest between end-February and mid-March 2020. Some have been praising it for a while (e.g. Jason Fried and David Heinemeier Hansson, the creators of Ruby on Rails, Basecamp and Hey, wrote a #1 bestselling book about it back in 2013); others see it as undermining the very foundation of technological innovation (see John Hagel's How Remote Work Could Destroy Silicon Valley).
At Berg Software, we take a rather pragmatic approach to remote work. We have "been there, done that" since the mid-1990s, as quality providers of outsourced, custom-made software:
- Our staff have adopted, rolled out and mastered remote work processes. This brings a special kind of resilience and tight integration with clients' projects, processes, work modes, deadlines etc. (Oh, and birthdays!)
- We have strong evidence that remote work widens the talent pool, reduces turnover, and improves our ability to conduct business across multiple time zones. For developers it means having access to the best job regardless of location, better work-life balance and higher productivity.
Remote work comes with a huge range of topics to be discussed. We think we are best qualified to talk about your benefits and the security-related challenges, so let's keep it focused:
Remote work basics
Whether you want to expand your own remote work system beyond lockdowns, or are looking into long-term outsourcing / nearshoring solutions, we think you will benefit from:
Lower costs:
- Increased efficiency by eliminating commute time.
- Less office space and real estate-related costs.
- Improved employment flexibility.
- Higher sustainability / lower environmental impact.
Access to skills:
- Wider talent pool: you can recruit from virtually anywhere.
- Lower competition for talent.
- Happier and more autonomous employees.
Security-related challenges of remote work
The first prerequisite for remote software development is the security of your partner's environment (i.e. everything from processes, flows, data, communications etc.). Regardless of your company's focus, we strongly believe you should go past mere antivirus coverage, and dive deep into:
Protection of transferred data and communication
You will want to make sure that "data in transit"* is secure. Your suppliers and / or employees should protect data while it transits networks, against tampering and eavesdropping, by using a mix of network protection (e.g. a VPN) and encryption (TLS with certificate verification and modern protocol versions). Never allow plain HTTP connections to be used. Insist that any other protocols in use (file transfer, source control, e-mail, directory access, chat, remote shells) are secured and encrypted as well, with the plaintext variants disabled rather than merely discouraged.
* "Information that flows over the public or untrusted network such as the Internet and data that flows in the confines of a private network such as a corporate or enterprise Local Area Network." (via Wikipedia)
Asset protection and resilience
Require your suppliers (and support your employees) to protect the physical assets that hold your data, in order to make sure that it is not tampered with, lost or damaged. Depending on your business' specifics, you can make sure that some or all of these actions are applied:
Data at rest protection: security procedures around data that is stored on a stable medium; ensure that stored data is not vulnerable to hacking or other unauthorised access (full-disk encryption on every laptop and removable drive is the baseline).
- Physical access to data: deny unauthorised persons access to data equipment.
- Data sanitisation: whenever needed / requested, destroy the data stored on a storage device to make it unrecoverable.
- Equipment disposal: equipment housing confidential data must not reach unauthorised persons and result in a data breach or identity theft. Measures can vary from equipment tracking to refurbishing and complete destruction.
Physical resilience and availability: make sure there are mechanisms to cope / back up / compensate in the event of an outage.
Physical location: prevent any unauthorised individuals from gaining physical access to the data devices / data centre.
Data centre security: prevent unauthorised access to and manipulation of your data centre's resources (e.g. denial-of-service (DoS), theft of confidential information, data alteration, data loss etc.).
Separation of data
Require your supplier (and / or employee) to keep the data of different services separated, so that a malicious or compromised user of one service cannot affect the service or data of another.
Insist that your suppliers' software development lifecycle processes integrate best practices for confidentiality, integrity and availability protection.
Take precautions that any in-house, third-party or open-source software used to provide the supplier's services contains no known backdoors, viruses, trojans or other kind of malicious code.
Establish clear and strict processes and procedures to ensure the operational security of services, including:
- Security patch management: the ongoing process of applying updates to fix vulnerabilities / errors in applications across your system.
- Protective monitoring: alert on individual and broader malicious events, in order to mitigate risk and speed up remediation.
- Configuration and change management: all requests are reviewed and managed in a secure manner.
- Secure decommissioning: applications and systems are safely removed from use.
- Vulnerability management: identify, classify, prioritise, remedy and mitigate software vulnerabilities.
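"Protective monitoring" is easiest to understand with a concrete rule. The following is an added example, not Berg Software's own tooling: a small detector run over constructed sshd log lines (hostnames, usernames and the TEST-NET addresses are sample data). It alerts when one source address produces a burst of failed logins inside a time window, and raises a second, higher-priority alert when a login from that address then succeeds, while a developer who mistypes a password once and then logs in is left alone.

```python
"""Added example (not Berg Software's code): a minimal protective-monitoring
rule over constructed sshd log lines. The log text, hosts, users and the
TEST-NET source addresses are constructed sample data."""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import NamedTuple, Optional

# Syslog-style sshd lines carry no year, so the caller supplies one.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+")

# Constructed sample log: a password-guessing burst from 203.0.113.9 that
# ends in a successful password login, and one harmless typo from 198.51.100.4.
SAMPLE_LOG = """\
Mar 16 08:01:02 build01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 50211 ssh2
Mar 16 08:01:05 build01 sshd[2201]: Failed password for invalid user admin from 203.0.113.9 port 50211 ssh2
Mar 16 08:01:09 build01 sshd[2203]: Failed password for root from 203.0.113.9 port 50214 ssh2
Mar 16 08:01:12 build01 sshd[2203]: Failed password for root from 203.0.113.9 port 50214 ssh2
Mar 16 08:01:15 build01 sshd[2204]: Failed password for dev from 198.51.100.4 port 50290 ssh2
Mar 16 08:01:18 build01 sshd[2204]: Accepted publickey for dev from 198.51.100.4 port 50290 ssh2
Mar 16 08:01:19 build01 sshd[2204]: pam_unix(sshd:session): session opened for user dev by (uid=0)
Mar 16 08:01:21 build01 sshd[2205]: Failed password for dev from 203.0.113.9 port 50220 ssh2
Mar 16 08:01:27 build01 sshd[2205]: Failed password for dev from 203.0.113.9 port 50220 ssh2
Mar 16 08:01:33 build01 sshd[2206]: Accepted password for dev from 203.0.113.9 port 50225 ssh2
"""


class Event(NamedTuple):
    ts: datetime
    kind: str        # "failed" or "accepted"
    user: str
    src: str
    method: str      # "password", "publickey", ...; empty for failures


class Alert(NamedTuple):
    kind: str        # "bruteforce" or "success_after_failures"
    src: str
    ts: datetime
    detail: str


def parse_line(line: str, year: int) -> Optional[Event]:
    """Parse one sshd line into an Event; lines we do not monitor return None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    f = FAILED_RE.match(m["msg"])
    if f:
        return Event(ts, "failed", f["user"], f["src"], "")
    a = ACCEPTED_RE.match(m["msg"])
    if a:
        return Event(ts, "accepted", a["user"], a["src"], a["method"])
    return None


def parse_log(text: str, year: int = 2020):
    return [ev for ev in (parse_line(l, year) for l in text.splitlines()) if ev]


def detect(events, threshold: int = 5, window: int = 60, suspicious: int = 3):
    """Sliding-window count of failures per source address.
    Events must be in time order. One bruteforce alert per source; a success
    after `suspicious` or more recent failures always alerts."""
    recent = defaultdict(deque)   # src -> failure timestamps inside the window
    alerted = set()
    alerts = []
    for ev in events:
        q = recent[ev.src]
        while q and (ev.ts - q[0]).total_seconds() > window:
            q.popleft()
        if ev.kind == "failed":
            q.append(ev.ts)
            if len(q) >= threshold and ev.src not in alerted:
                alerted.add(ev.src)
                alerts.append(Alert("bruteforce", ev.src, ev.ts,
                                    f"{len(q)} failed logins within {window}s"))
        elif ev.kind == "accepted" and len(q) >= suspicious:
            alerts.append(Alert("success_after_failures", ev.src, ev.ts,
                                f"{ev.user} accepted via {ev.method} after {len(q)} failures"))
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(f"{a.ts:%H:%M:%S} {a.kind:<24} {a.src:<15} {a.detail}")
```

The second rule is the one worth paging someone for: a burst of failures is noise on any internet-facing host, but a success right after a burst is a likely compromised account and should trigger the incident process rather than just a ticket. The threshold, window and year are assumptions for the example; tune them to your own baseline, and feed the rule from a central log collector so an attacker on the box cannot erase the evidence.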
Ensure that personnel security screening and / or security education is performed regularly and is adequate for all staff and resources involved.
As you have just figured, at Berg Software we are a bit of security geeks. Whether it is an NDA, a VPN or GDPR, we take it personally. In all our partners' remote teams, we act like their own employees, both when it comes to integration *and* security protocols. The result: quick, efficient software that just works!
Do you do it differently? Let us know!