by Tim Rowan, Editor
Eleven months into the pandemic, remote work is with us again as the number of infections climbs to levels higher than last spring's peak. As before, working from home is as dangerous as it is necessary, especially in healthcare. (See sidebar for our previous articles on the cyber security issues when working from home.) Because many of the resources needed to secure the use of patient personal health information are on servers in corporate data centers, healthcare IT security teams need to provide secure access from home PCs over the public internet. And they need to ascertain whether each home Wi-Fi is properly configured for security.
Remember the findings from a survey by NetMotion that we reported on in August ("Will Working From Home Become the New Normal?")?
"NetMotion recently aggregated a sample of anonymized network traffic data, searching specifically for evidence of users attempting to access flagged (or blocked) URLs, otherwise known as risky content. The analysis, which is derived from data gathered between May 30th – June 24th, 2020, revealed that employees clicked on 76,440 links that took them to potentially dangerous websites."
That means setting up, running, and managing VPNs. Some are easier than others.
In home health and home care, remote working has been the rule rather than the exception, but field devices for nurses, therapists, aides, and personal care workers have always had built-in features to protect patient data. Sitting in a kitchen, doing billing, payroll, QA and other office tasks on one's personal computer through one's home Wi-Fi connection poses completely different cyber security challenges. It has been described as "a hacker's delight." We offer below a summary of a new Microsoft VPN by cyber security consultant Simon Bisson, writing in the November 19 edition of TechRepublic's "Security" column.
Microsoft's Endpoint Security, in conjunction with Azure Active Directory and Intune, offers a set of conditional access tools that set policies to control network access for both corporate fleets and BYOD hardware. They are policies that cover more than PCs. They work with Android and iOS, set standards for device security, for supported versions, and manage a wide selection of security scenarios, like "the impossible traveler," or ramping up and down security settings by log-on location.
While the default Windows Server VPN works well with most operating systems, and is ideal for use with Windows clients using tools like conditional access and modern authentication, you do not get that same level of control with mobile devices. With the shift to remote working, those devices are an increasingly important part of a blended work environment, allowing users to quickly access mobile versions of key applications or work with tools like Teams and the Power Platform.
Microsoft is currently previewing an alternative to the Windows VPN, Microsoft Tunnel, aimed at iOS, iPadOS, and Android Enterprise devices. It is a policy-driven VPN that allows you to lock down access to devices that comply with your security policies, reducing the risk of intrusion from bad actors and of data leakage through misconfigured devices that do not have appropriate separation of work and personal content.
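To make the policy-driven access described above concrete, here is a small conditional-access style evaluator, written for this article and not taken from Microsoft or the TechRepublic piece. It checks device compliance, a minimum OS version, and the "impossible traveler" scenario (two sign-ins by one user too far apart for the time elapsed) over constructed sign-in records; the speed threshold, minimum versions, and record fields are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt

@dataclass
class SignIn:
    user: str
    time: datetime
    lat: float          # sign-in location (assumed to come from IP geolocation)
    lon: float
    os: str
    os_version: tuple   # e.g. (14, 2)
    compliant: bool     # MDM compliance flag, as Intune would report it

# Assumed minimum supported versions; real values come from your own policy.
MIN_OS = {"iOS": (14, 0), "Android": (10, 0)}
MAX_SPEED_KMH = 900.0   # faster than an airliner: physically impossible travel

def distance_km(a: SignIn, b: SignIn) -> float:
    """Great-circle distance (haversine) between two sign-in locations."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def impossible_travel(prev: SignIn, cur: SignIn) -> bool:
    """True when the user could not have moved between the two sign-ins."""
    if prev is None or prev.user != cur.user:
        return False
    hours = (cur.time - prev.time).total_seconds() / 3600
    if hours <= 0:                      # same instant: any real distance is suspect
        return distance_km(prev, cur) > 1.0
    return distance_km(prev, cur) / hours > MAX_SPEED_KMH

def evaluate(cur: SignIn, prev: SignIn = None):
    """Return ('allow', []) or ('deny', [reasons]) for the current sign-in."""
    reasons = []
    if not cur.compliant:
        reasons.append("device not compliant")
    if cur.os not in MIN_OS or cur.os_version < MIN_OS[cur.os]:
        reasons.append("unsupported OS version")
    if impossible_travel(prev, cur):
        reasons.append("impossible traveler")
    return ("deny", reasons) if reasons else ("allow", [])

# Constructed sample sign-ins: London, then New York one hour later.
IOS_LONDON = SignIn("nurse1", datetime(2020, 11, 19, 9, 0), 51.5, -0.12, "iOS", (14, 2), True)
IOS_NEWYORK_1H = SignIn("nurse1", datetime(2020, 11, 19, 10, 0), 40.7, -74.0, "iOS", (14, 2), True)
OLD_ANDROID = SignIn("aide2", datetime(2020, 11, 19, 9, 0), 51.5, -0.12, "Android", (8, 1), True)
```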
Tunnel is provided as a container running on a Linux host. That host can run on-premises or in the cloud, and once installed is managed from Microsoft Endpoint Manager using Intune device profiles to control device access. Cloud-hosted servers do need a direct connection between the cloud and your on-premises network, unless you are working with a cloud-hosted virtual infrastructure.
Microsoft recommends using its MPLS ExpressRoute service for site-to-cloud connections, as you are likely to want a connection with the lowest possible latency. Although you could use a point-to-point VPN connection, the overhead associated with this approach could add significant lag to connections, and it may struggle to carry all the traffic.
Multiple servers can be linked as a "Site," with server configurations that are applied when servers join a Site using prepared scripts. These can be used with a load balancer to manage access and can link users directly to specific applications, rather than providing a general-purpose VPN. Per-app VPN policies can be applied, as well as rules for working with open VPN connections.
There are some prerequisites before you can start using Tunnel. Currently only four Linux host OSs are supported, with Docker installed for the Tunnel container. They can either be standalone servers, or you can run them as virtual machines on Windows Server. Microsoft also suggests CPU and memory sizes based on the number of connections you expect to manage. You must have a TLS certificate for your servers that is assigned to either the Tunnel endpoint IP address or its fully qualified domain name.
Client devices need to run the Microsoft Tunnel app, which is available from both the Apple App Store and the Google Play Store. You can use Intune to manage installs where necessary, pushing the Tunnel client to managed devices. The Microsoft Endpoint Manager dashboard provides monitoring for Tunnel, with tools for handling configuration and displaying server health.
Once installed, Microsoft Tunnel operates as a managed solution. You do not need to manage it beyond managing policies, and all updates are managed from Microsoft 365, even when using a set of Tunnel containers configured as a site. Brad Anderson, Microsoft CVP for Microsoft 365, notes: "We built it in a way where, if you've got multiple of these gateways to handle the load, when we go to update we do it in a rolling pattern so that you have always got devices online."
Tools like Microsoft Tunnel open up access to applications and services beyond PCs, allowing remote workers to use Android and iOS devices with the same level of assured security. By bundling the service as a Linux container, Microsoft makes it easy to get started: drop in a container, connect it to a Microsoft 365 Endpoint Security subscription, and away you go.
Anderson describes this approach as enabling access to services like Office 365 in a way that is enterprise-friendly: "In order to understand 'is it really a trusted session?,' you have to have a point of view on the trust of the identity, on the trust of the device, you have to take into consideration things like physical location, their network location -- all these things have to come in. That literally was the genesis of what we now know is conditional access, which is the most implemented zero-trust model on the planet."
Having a zero-trust approach to a VPN appliance like Microsoft Tunnel is important, as it ensures that you are thinking in the right way about modern security, with a focus on protecting data and applications, and not on hardware or clients.
©2020 by Rowan Consulting Associates, Inc., Colorado Springs, CO. All rights reserved. This article originally appeared in Home Care Technology: The Rowan Report. homecaretechreport.com One copy may be printed for personal use; further reproduction by permission only.