Got DNS?
So, my first answer to address this challenge often surprises them; does your agency have DNS for your remote workforce? Talking it over, most agree that many remote employees consume web and cloud applications without turning on their VPN. This means that roaming users will likely be at the mercy of a random, unknown DNS provider. Why would anyone accept this risk?
Enhancing your agency’s endpoints with DNS security should be a no-brainer. Cisco Umbrella Roaming protects employees when they are off the enterprise VPN by:
◉ Blocking malicious domain requests and IP responses while DNS queries are resolved
◉ Enforcing security at the DNS-layer so malicious connections cannot be established and malicious files will not be downloaded
◉ Preventing malware from infecting laptops and command & control (C2) callbacks, or phishing from exfiltrating data over any port
◉ Plus, any infected laptop that exhibits any C2 activity can be immediately identified.
Hence, with an integrated, security-minded approach to DNS, Cisco Umbrella protects users from malicious Internet destinations whether they are on the enterprise VPN or roaming off the network. Delivered from the cloud, Umbrella makes it easy to protect users everywhere in minutes – without any performance degradation. Even better, Umbrella Roaming is fully integrated into AnyConnect client for Windows or Mac OS X.
How to secure endpoint access
After my friends pull me down off my soapbox about needing DNS for your remote workforce, our discussion changes to what you should expect from your VPN. It’s one thing for a VPN to simply enable an employee to work outside the office and provide the means to securely connect to the corporate network. However, any modern, security-minded VPN should enable a wide range of security services—to include functions such as remote access, posture enforcement, web security features, and roaming protection.
For government customers whose endpoints must maintain a level of posture compliancy, advances in VPN technology now enable security checks to be conducted on endpoints to ensure they meet posture requirements before connecting to the enterprise.
In the context of Department of Defense (DoD) Comply-to-Connect (C2C) efforts, I have previously discussed the need to think “bigger picture” in terms of adopting a Zero Trust lifestyle. Much more than a VPN, Cisco AnyConnect VPN Client, among its security capabilities, contains an endpoint compliance module that includes significant functionality essential to Federal C2C efforts and taking a Zero Trust approach. The Federal government can take advantage of a Remote Access VPN that enables the very foundation of C2C endpoint compliance and an essential Zero Trust capability via the same desktop application.
Simply put, far more than a VPN, Cisco AnyConnect Secure Mobility Client empowers remote working from anywhere on government laptops or mobile devices; whether connected to the enterprise or when needing roaming DNS protection. It also provides visibility and control for Federal agency enterprise operators and security teams to identify who (what devices and the compliance status of those devices) is accessing the enterprise infrastructure.
Remote working needs multi-factor authentication
It almost goes without saying, but multi-factor authentication is a must these days, especially for remote working. It is a must to verify the identity of all users with effective, strong authentication (two-factor authentication) before granting access to your agency’s enterprise VPN, applications and data resources.
Duo Security enables agencies to verify users’ identities and establish device trust before granting access to applications and data. By employing a Zero Trust model, Duo decreases the attack surface and reduces risk by helping to define and enforce policies that limit access to the users and devices according to a Federal agency’s risk tolerance levels.
Cybersecurity for remote working
Although it may sound daunting, when it comes to remote working, Federal agencies must be able to defend against threats, no matter where they are and no matter where their employees are working. This can be done using:
◉ Duo’s adaptive multi-factor authentication (MFA) provides the means for verifying user identities in order to gain secure remote access
◉ Cisco Umbrella Roaming, extends protection when employees are roaming off the enterprise VPN
◉ Integrated with Cisco AnyConnect Secure Mobility Client, employees can not only securely access enterprise resources, but network security teams can also prevent noncompliant devices from accessing the network in accordance with C2C Policy and according to a Zero Trust lifestyle.