Security Tips for Working From Home
*This post originally appeared on the MobileIron blog prior to the acquisition in December 2020, when MobileIron became part of Ivanti.
I’ve had the good fortune of working for companies that allow me to work from home on occasion. Several years back, I lived in Sacramento and worked for Cisco Systems in San Jose. My former director made the decision to allow me to work from home rather than spend most of my time commuting back and forth to work. Later, I moved back to the Bay Area, but my current job is still 30 miles from home. Even on the best commute days, I easily spend two to three hours on the road going to and from work, so I often work from home to increase productivity.
Now, due to COVID-19 concerns, a lot more companies are encouraging their employees to work from home. Since I’ve had a head start working from home, I’ve implemented the following practices to ensure that I am both efficient and secure when I’m collaborating with teammates who are spread out throughout the United States and the world.
Here’s what I do:
I have a dedicated work laptop and mobile device that encrypt all of the data at rest stored on them. Both devices also have a VPN client installed that connects to a number of secure gateways distributed around the world to protect my data in transit. Since my laptop is always connected to electrical power at home, I opt to have my VPN connection always-on, so as soon as the operating system boots up, I am securely connected to work.
My company implements a split-tunnel VPN policy that allows me to connect to my work resources and cruise the Internet at the same time. Because of that, I also have Safe Browsing enabled on my Chrome browser. Safe Browsing sends URLs to Google to protect me from dangerous sites. My laptop also has an anti-virus agent always running and updated. Additionally, my operating system is updated as a company security policy. I use DuckDuckGo as my default search engine. All these settings can be configured by MobileIron’s unified endpoint management (UEM) platform.
My home wireless router points to the free (Cisco) OpenDNS servers 22.214.171.124 and 126.96.36.199 that block known phishing sites by default. There are other free public DNS servers that block malicious sites, and most home wireless routers have Parental Control options that allow you to block known malicious or porn sites.
If you have a newer home wireless router, you can enable Wi-Fi Protected Access 3 (WPA3) security, which features a more secure handshake for WPA3-Personal to protect against dictionary and brute-force attacks, replaces Wi-Fi Protected Setup, and allows unauthenticated encryption so that connections to public hotspots are still protected. WPA3 also uses longer session key sizes (128-bit for WPA3-Personal and 192-bit for WPA3-Enterprise) and provides protection from the KRACK and Kr00k exploits that plagued the WPA2 protocol. MobileIron UEM can now enable WPA3 on iOS, iPadOS, and macOS devices.
My laptop and iOS mobile device both implement strong biometrics to access them, and have the Microsoft and Google productivity suites of apps that I need to work remotely. I am also able to safely store my work in cloud-based storage like OneDrive or Google Drive to share content with my teammates.
My mobile device also has MobileIron Threat Defense that protects it and my data from device- and network-level threats, leaky and malicious apps, and phishing attacks. All of these were provisioned by MobileIron UEM.
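Enabling WPA3 on the router, as described in the WPA3 tip above, does not stop a client profile from still accepting WPA2. The following is an added example, not part of the original post or any MobileIron tooling: it assumes a Linux client that uses wpa_supplicant, reads the `key_mgmt` and `ieee80211w` settings of each saved network, and labels personal, OWE and open profiles only (WPA3-Enterprise is out of scope). The sample config and SSIDs are constructed.

```python
import re
# Constructed sample wpa_supplicant.conf (illustrative; not from the original post).
SAMPLE_CONF = '''
network={
    ssid="home-wpa3"
    key_mgmt=SAE
    ieee80211w=2
}
network={
    ssid="home-transition"
    key_mgmt=SAE WPA-PSK
    ieee80211w=1
}
network={
    ssid="legacy-wpa2"
    psk="constructed-example"
}
network={
    ssid="cafe-open"
    key_mgmt=NONE
}
'''

def parse_networks(conf):
    """Return one dict of key=value settings per network={...} block."""
    nets = []
    for body in re.findall(r"network=\{(.*?)\n\}", conf, re.S):
        pairs = (ln.strip().split("=", 1) for ln in body.splitlines()
                 if "=" in ln and not ln.lstrip().startswith("#"))
        nets.append({k.strip(): v.strip().strip('"') for k, v in pairs})
    return nets

def classify(net):
    """Label a profile by the weakest key management it will accept."""
    # wpa_supplicant defaults: key_mgmt="WPA-PSK IEEE8021X", ieee80211w=0 (PMF off).
    modes = set(net.get("key_mgmt", "WPA-PSK IEEE8021X").split())
    if "NONE" in modes:
        return "open (no WPA encryption)"
    if modes == {"OWE"}:
        return "OWE (encrypted, unauthenticated)"
    if modes == {"SAE"}:  # ieee80211w=2 means PMF is required
        return "WPA3-only" if net.get("ieee80211w", "0") == "2" else "SAE without required PMF"
    if "SAE" in modes:
        return "WPA3 transition (WPA2 fallback allowed)"
    return "no SAE offered (WPA2 or older)"

def audit(conf):
    return {n.get("ssid", "?"): classify(n) for n in parse_networks(conf)}
if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Profiles reported as transition or "no SAE offered" can still be joined over WPA2, so the dictionary-attack protection of the SAE handshake applies only to the profile reported as WPA3-only.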