Telework: how to access your enterprise IS securely from home?

On my way to telework, I got telepunched for over speeding on the information highway… and it cost me a hell of a telefine!
Philippe GELUCK (“Le tour du chat en 365 jours”)

Starting with the Macron Ordonnance of September 2017, any employee can request to telework in France. Besides revolutionizing managerial rules, telework allows an adapted organization of professional time by and for an employee. As a reminder, telework is by definition performed outside the employer’s premises (in a coworking area or, more often, at home), on a regular basis or occasionally, and voluntarily.
I was discussing telework with some people from my close circle (state officials and engineers from the private sector) and, as with any form of work, there are obvious positive and negative points (non-exhaustive list):

  • Positive points: efficiency at work, increased motivation and creativity, adapted schedule, no time wasted in transport, etc.;
  • Negative points: little or no team/human contact, loneliness, poor circulation of information, high level of individualism, diminished right to disconnect, etc.

This feedback is troubling because it focuses only on efficiency and, above all, personal well-being. Secure access to the company’s information system (IS) and the availability of the complete professional work environment were never mentioned.
This observation rests on two facts that seem essential to me in teleworking, for both the employer and the employee:

  • First, a teleworker accessing the organization’s IS will potentially handle data that the organization considers sensitive. It is therefore the organization’s duty to ensure adequate and proportionate protection of this data while still allowing telework.
  • Secondly, so as not to disturb or change the employee’s way of working, it is essential that the teleworker has the same work environment, and in particular the same professional applications, both remotely and at the office.

As noted in [01], IT security must be a matter of major interest and therefore governance for any organization.
Secure access
Systancia Gate, Systancia’s solution formerly known as IPdiva Secure, naturally and perfectly meets the need for secure access to an enterprise IS in the context of teleworking. Indeed, Systancia Gate provides controlled access to the internal resources of an IS for all types of users located on an uncontrolled network. As mentioned in [02], Systancia Gate also includes functionality for monitoring and auditing the actions performed by users connecting from outside.

To date, Systancia Gate is the only solution qualified, and therefore recommended, by the ANSSI (Agence nationale de la sécurité des systèmes d’information) in the field of “identification, authentication and access control”.
Systancia Gate allows a total partitioning between the application servers located on an internal network and the external network (considered by default as uncontrolled). In this way, the internal resources are never directly exposed on the Internet.
As the ANSSI notes, one of the main shortcomings identified by the Cyber Defense Center is also the excessive opening of uncontrolled external access to the information system [03]. This deficiency can be completely controlled by a solution such as Systancia Gate.
Finally, we should also remember that, after user authentication, Systancia Gate can perform additional controls on the connection environment. These controls may relate to the OS, the serial number of the connecting PC, the authorized days or hours of connection, the presence or absence of antivirus, etc. Systancia’s solution thus makes it possible to filter connecting environments while also respecting the right to disconnect.
Same work environment
Systancia’s Systancia Workplace solution meets the need to provide a set of Windows applications and desktops as a service. To cover application publishing and desktop virtualization needs, two modes are available: “standard VDI”, which meets most users’ needs, and “extended VDI”, for more complex needs such as training rooms.

Thanks to the combination of “application virtualization” and “desktop virtualization” technologies, Systancia Workplace is capable of virtualizing all desktop applications. This solution eliminates desktop adherence no matter what access strategy is used, guaranteeing support for all applications regardless of their prerequisites (dongle, graphics card, workstation, etc.).
This solution makes it possible to use, on a user’s host machine, one or more applications that are executed remotely and whose data arrives over the network. Systancia’s solution overcomes the hardware constraints associated with users’ workstations, provides flexibility and mobility for users, and reduces IT system administration costs.
In conclusion
For Systancia, telework must be secure and provide the same work environment, which implies the combination of its two key products: Systancia Gate and Systancia Workplace. As a reminder, the Ministry of Labor specifies that telework cannot be improvised (Human Resources component) and requires the use of information and communication technologies (technical component).
The combination of Systancia Workplace and Systancia Gate (both from the Alsatian and Breton R&D departments of Systancia) meets the telework needs of any organization, i.e. the provision of a specific work environment as well as secure and controlled access.
To conclude, since technology doesn’t do everything, it is also important to remind teleworkers of the essential rules that guarantee secure telework; i.e. it is also the company’s responsibility to carry out, or arrange for, regular awareness campaigns so that users adopt good practices.

References

[01] How to secure IT administrators’ desktops? (https://www.systancia.com/en/how-to-secure-it-administrators-desktops/)
[02] Feedback on the ANSSI’s qualification of IPdiva Secure (https://www.systancia.com/en/feedback-on-the-anssis-qualification-of-ipdiva-secure-8/)
[03] http://www.ssi.gouv.fr/entreprise/principales-menaces/comment-se-premunir-de-ces-menaces/