8 Steps to Keep Remote Development Teams Secure
As the coronavirus forces more companies to turn to remote work, see how developers can prepare their work securely while working from home.
Join the DZone community and get the full member experience.Join For Free
There is no doubt that the world's workforce is becoming more remote, particularly in tech as developers can now work from any location in the world. But there are a large number of new obstacles that come with this. The most pressing is security.
Take the current COVID-19 health crisis. From one day to the next, countries are going into quarantine and forcing companies and developers into working remotely. I for one am writing this from my home office in Paris, sipping filter coffee while looking onto the empty streets in a complete lock-down that started last week (April 2020).
We are all trying to rapidly adjust to a new workflow from our makeshift workstations. As this crisis unfolds, we are seeing a drastic change in the remote infrastructure as it is pushed to its limit. This is creating an unprecedented security challenge that may not be a priority for many companies.
I recently got an alert to say that Microsoft Teams, a platform to help manage remote workers and collaboration, crashed under the new pressure of millions of users. Likewise, the video streaming company Zoom, which is now facing serious security breaches, went from 10 million daily users in December to 200 million daily users in March! These are obvious signs of the strain we are putting on digital infrastructure as this crisis unfolds. Teams that were only familiar with being centralized on a secure network are now at home on private WiFi networks trying their best to keep websites, services, platforms, and apps functioning.
Image taken from Downdetecter, 16 March 2020
Why Remote Work Presents a Security Risk
Remote working is not necessarily less secure if done right. It is extremely important for remote teams to have operational frameworks and tools in place to deal with the challenges that are unique to remote teams. Especially when it comes to issues as urgent as security.
If you make secret management too painful for developers, it becomes all too tempting to circumvent the restrictions. Now let's add to this balancing act different geographies, time zones, and unreachable co-workers. The temptation to send a secret over Slack, email, or to quickly hardcode secrets into the source code becomes increasingly hard to resist.
In addition to internal operational control, we must now also consider external factors, such as unsecured personal wifi-networks and personal machines. These all add to the potential of secrets being leaked into unsecured locations.
The once clear delineation between personal and professional activity suddenly becomes blurred when you are sharing a single machine and mixing personal git repositories with professional repositories. You can easily find yourself in the worst case (yet common) scenario of mistakenly uploading secrets and corporate code into personal repositories. All these factors combined increase the attackable area of the organization when secrets that were once secured to a central location are now sprawled across multiple platforms and tools.
Unsecured messaging systems like Slack and email are known to be high-value targets for attackers through phishing campaigns. Once an attacker has admin access to your company's Slack, they are a simple search away from gaining access to your sensitive information. The normal conditions that could help identify an external threat also begin to unravel, as IP addresses of all developers can change daily. Currently, the number of reported phishing campaigns has drastically increased with the COVID-19 crisis unfolding as attackers piggyback onto public panic.
8 Steps to Making Remote Work More Secure for Development Teams
1. Get Visibility Over Secrets Shared in Your Repositories
Repositories are not appropriate places to store secrets, it is important that you have complete visibility of not only public repositories but also of your private repositories. Having secrets in private repositories increases the chances of a secret ending up on a public repository. Perhaps more importantly though, now that employees are increasingly working from home, it is more likely company code will end up on unsecured personal workstations or be transiting through unsecured networks, meaning secrets within that source code could be accessible by a malevolent actor.
2. Establish Best Practices Sharing Sensitive Information
For a helpful guide on best practices for securing and sharing API keys, you can check out a GitHub cheatsheet here. It’s a great document to share with your staff to make sure they are using the best practices.
3. Know How to Remediate Compromised Credentials
Make sure the steps on how to revoke a credential for each external service are documented along with the impact revoking each credential will have. You can find here an article about revoking and removing compromised credentials.
4. Invest in Multi-Factor Authentication on All Services
2-factor authentication improves security drastically when it comes to services and assets you want to protect. Make sure 2FA is set up on all seed accounts like company emails.
A seed account is an account that can grant access to other services. Email and social media accounts are examples of seed accounts (i.e. “log in with Gmail”).
5. Work Towards Implementing a Zero Trust Framework
Depending on the organization, it may be appropriate to implement a Zero Trust framework beyond multi-factor authentication. Complete implementation is always a process and a considerable investment but introducing additional Zero Trust measures like SSO and introducing policies to block/limit/approve access decisions to enterprise resources can strengthen security significantly, particularly for remote teams.
6. Encourage a Culture of Self-Education
By providing clear and basic information, including how to protect devices, you will help yourself and other employees stay ahead of threats.
Remote workers have access to data, information, and your network. This increases the temptation for bad actors. Warn your employees to expect more phishing attempts, including targeted spear-phishing aimed at high-profile credentials. Now is a good time to be diligent, so watch out for urgent requests that break company policy, use emotive language, and have details that are slightly wrong. And be sure to provide guidance on where to report those suspicious messages.
7. Practice Good Security Hygiene
Good security practices always go back to basics. Practicing good security hygiene means rotating vulnerable access credentials regularly and restricting permissions associated with your keys with role-based access controls.
8. Be Prepared for a Breach
Regardless of whether your team is working remotely or not, it is important to have an action plan in place in case secrets get shared. Make sure the whole team understands what that plan is and implement a culture of open, transparent communication.
Published at DZone with permission of Mackenzie Jackson. See the original article here.
Opinions expressed by DZone contributors are their own.