Audit and Assurance


BCP TO BE INVOKED DURING THE PANDEMIC COVID – 19 OUTBREAK

  • 1.  BCP TO BE INVOKED DURING THE PANDEMIC COVID – 19 OUTBREAK

    Posted 26 Mar, 2020 11:03
    Dear Members,
    Our organisation intends to set up a VPN to enable its employees to work from home during the COVID-19 pandemic. IAD has been called upon to validate this kind of connection to ensure that there are no security gaps.

    How it is deployed, as per IT:

    "A Mobile Access enabled Security Gateway is set up at the network perimeter that inspects all traffic, including all Mobile Access traffic. IPS and Anti-Virus can be active on all traffic as well.

    A separate virtual local area network will be created for this purpose. Once a remote client connects to the secure web access portal and is fully authenticated, they will be leased an IP address within the VLAN. This VLAN will be allowed access to defined corporate IT services as per business and operations requirements."

    The figure below shows a high-level network diagram for this deployment.



    Key

    1. Internal Services
    2. Security with Mobile Access enabled
    3. SSL Tunnel over Internet
    4. Remote User with an Internet Connection



    Questions
    1. Is the above secure enough?
    2. What are the key things to consider when setting up this network, and how can we ensure that the network is reasonably secure?
    Requesting your advice.

    ------------------------------
    Rita Kobusinge
    MANAGER SYSTEMS AUDIT
    ------------------------------
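The deployment described in the post hinges on one control: the VLAN leased to remote clients may reach only the defined corporate services. The script below is an added example, not part of the post or of any vendor's product, showing how an auditor could check that claim mechanically. It assumes a hypothetical VPN pool (10.20.0.0/24), a hypothetical approved-service list, and a constructed extract of the gateway's FORWARD chain in iptables-save syntax; every ACCEPT from the pool must name exactly one approved host, protocol and port, and the pool must end in a terminating DROP.

```python
import ipaddress

# Constructed example inputs (not from the post): the pool leased to authenticated
# remote clients on the dedicated VLAN, and the services the business has signed off.
VPN_POOL = ipaddress.ip_network("10.20.0.0/24")
ALLOWED_SERVICES = {
    ("10.0.1.10", "tcp", 443),   # web mail
    ("10.0.1.20", "tcp", 8443),  # ERP portal
    ("10.0.1.30", "udp", 53),    # internal DNS
}

# Constructed FORWARD-chain extract in iptables-save syntax for the gateway that
# sits between the remote-access VLAN and the internal services. Lines 4 and 5
# are deliberately wrong: a /8 destination and an RDP port nobody approved.
RULES = """\
-A FORWARD -s 10.20.0.0/24 -d 10.0.1.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.20.0.0/24 -d 10.0.1.20/32 -p tcp -m tcp --dport 8443 -j ACCEPT
-A FORWARD -s 10.20.0.0/24 -d 10.0.1.30/32 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 10.20.0.0/24 -d 10.0.0.0/8 -j ACCEPT
-A FORWARD -s 10.20.0.0/24 -d 10.0.1.40/32 -p tcp -m tcp --dport 3389 -j ACCEPT
-A FORWARD -s 10.20.0.0/24 -j DROP
"""


def parse_rule(line):
    """Pull source, destination, protocol, port and target out of one -A line."""
    rule = {"src": None, "dst": None, "proto": None, "dport": None, "target": None}
    flags = {"-s": "src", "-d": "dst", "-p": "proto", "--dport": "dport", "-j": "target"}
    tokens = line.split()
    for i, tok in enumerate(tokens):
        if tok in flags and i + 1 < len(tokens):
            rule[flags[tok]] = tokens[i + 1]
    return rule


def audit(rules_text, pool=VPN_POOL, allowed=ALLOWED_SERVICES):
    """Return (line_number, problem) findings for rules that let the VPN pool
    reach anything other than an approved host/protocol/port, plus a finding
    on line 0 if the pool has no terminating DROP/REJECT."""
    findings = []
    default_deny = False
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        if not line.startswith("-A FORWARD"):
            continue
        rule = parse_rule(line)
        src = ipaddress.ip_network(rule["src"] or "0.0.0.0/0", strict=False)
        if not src.overlaps(pool):
            continue  # does not concern the remote-access VLAN
        if rule["target"] in ("DROP", "REJECT") and rule["dst"] is None:
            default_deny = True
            continue
        if rule["target"] != "ACCEPT":
            continue
        if src != pool:
            findings.append((lineno, f"source {src} is broader than the VPN pool"))
            continue
        if not (rule["dst"] and rule["proto"] and rule["dport"]):
            findings.append((lineno, "ACCEPT is not scoped to a host, protocol and port"))
            continue
        dst = ipaddress.ip_network(rule["dst"], strict=False)
        if dst.num_addresses != 1:
            findings.append((lineno, f"destination {dst} is a range, not one service host"))
            continue
        service = (str(dst.network_address), rule["proto"], int(rule["dport"]))
        if service not in allowed:
            findings.append((lineno, f"{service} is not on the approved service list"))
    if not default_deny:
        findings.append((0, f"no terminating DROP/REJECT for {pool}"))
    return findings


if __name__ == "__main__":
    for lineno, problem in audit(RULES):
        print(f"line {lineno}: {problem}")
```

Run against the constructed extract it reports lines 4 and 5 and nothing else; drop the final DROP and it adds a line-0 finding. The point for the audit is that the approved-service list is evidence the business owns, and the ruleset is evidence IT owns; the check is only meaningful when both are obtained independently and compared.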


  • 2.  RE: BCP TO BE INVOKED DURING THE PANDEMIC COVID – 19 OUTBREAK

    Posted 27 Mar, 2020 09:40
    Hello Rita,
    It has been quite a while (> 4 years) since I have looked at VPNs, but here are some thoughts.  Practising experts should be able to provide more advice.


    I can't comment on the high-level diagram because there must be a lot underpinning security and operations, so, focusing on question 2, consider:
    • that if you already use VPN, what has the experience been so far?  What lessons were learnt?  What lessons have been applied? Is current security and usability of sufficient quality to act as a base-line?
    • whether risk appetite/tolerances have changed because of COVID-19, which might influence the type and level of access being granted?
    • what training is being given in both the use and protection over VPN usage, from End Users to Technical Support?
    • ensuring your policies, standards, procedures, practices are updated, and compliance and assurance requirements are factored-in from the start.
    • using Layer 2 Tunnelling Protocol in preference to Point-to-Point Tunnelling Protocol. The main advantage of the former is that the end points can remain isolated from the other traffic by existing on a different packet-switched network. The advantage of the latter is that, although less secure, it is simpler to implement.
    • checking you are using TCP/IP internet-based remote access, checking that your VPNs comply with the Internet Engineering Task Force's Internet Protocol Security (IETF IPsec) and understanding where the difficulties lie if needing to troubleshoot.
    • understanding how VPNs increase the potential for security breaches, e.g. because a weakness when connecting to a VPN might introduce malware/unauthorised activity, which is hidden within the encrypted traffic. Make sure things like Intrusion Detection Systems can decrypt traffic prior to allowing it into the internal networks, and both decrypt and re-encrypt when sending traffic out to the end point.
    • what might cause misconfiguration of comms software and devices within the ecosystem which, as a result, hackers could take advantage of around the VPN connection.
    • building awareness of the common risks to mitigate: denial of service at the remote user end, poor physical security over remote end users' equipment.
    • the impact on BCP.  If remote working is the new norm, what happens if people can't work remotely for whatever reason?
    • when returning to normal work practices, will you want to retain or remove the level of remote working?
    I hope that helps.

    ------------------------------
    Sue Milton
    Adviser
    ------------------------------