Due to the COVID-19 pandemic and the first signs of a financial and economic crisis, the possibility of working remotely from home has become crucial.
Companies in the SMB and Enterprise sectors are organizing remote workplaces for entire departments. The governments of some EU countries, e.g. the Czech Republic and Slovakia, have issued official instructions to companies to introduce remote work for their employees in order to minimize physical contact.
These working methods have their pros and cons for employers and employees. One of the most important problems for employers is the difficulty of controlling work ethics and data confidentiality.
Before considering the technical issues of organizing remote workplaces, we should define which employees can work remotely without any harm to business processes.
The answer is simple: everyone whose working tools are a mouse, keyboard and display and whose working material is information. This covers at least 90% of office staff: legal and financial departments, designers, marketing specialists, PR specialists, system administrators. Besides technical, legal and other issues, the question of working time tracking arises: what is an employee doing at the remote workplace, a job task or a movie just downloaded from the Internet?
There are professions for which remote work is a common thing, for example journalists, whose task is to meet a deadline with an article on some specific topic. The time tracking process is not important in this case: the work is measured by the completed task.
A unified infrastructure should be created (or kept intact) for remote workplaces, with the ability to arrange meetings and conferences, share documents and provide employees with internal information resources. Information security issues should be taken into consideration: data leak prevention remains a relevant task, which is why DLP systems (e.g. StaffCop, Searchinform, Teramind) should be implemented.
Let’s consider possible technical issues that may arise when arranging remote workplaces:
The easiest way of arranging seamless remote work is to keep the same information infrastructure that was in place at the office.
Employees connect to their office workstations using common RDP means (for example, mstsc.exe from Microsoft) or third-party solutions (TeamViewer, AnyDesk, etc.).
The benefits of this scenario:
1. No need to transfer the equipment, as all of it stays in the office and employees work from their home PCs;
2. No need to make changes to the infrastructure: everything keeps working as if the employee were still in the office.
The disadvantage of this scenario is that the IT and IS services can't work remotely: they must ensure stable operation of the workstations in the office, a stable connection between office workstations and home PCs, and even stable operation of employees' home PCs.
Another serious disadvantage of this scenario is that all connections made with TeamViewer, AnyDesk or similar solutions go through the servers of these applications, which puts them beyond the control of the company's IS and IT specialists. A company could develop its own TeamViewer-like solution, but that would take a lot of money and time.
Despite having some PROs, the first scenario can't be recommended for practical usage.
Scenario #2 supposes that office workstations are moved to employees' homes. Its disadvantages:
- The IT department should configure VPN on all the workstations and on the main corporate router in advance, as well as backup VPN channels.
- Additional logistics expenditures. If a company has its own logistics service, that is not a problem. Employees with cars can take their workstations themselves and help those without cars. Trust me, a lot of them will be glad to do that.
- The necessity of checking the operability of workstations. However, in 99 cases out of 100 such a check is successful: employees already know where to plug what to get it working.
So, a workstation has moved to the employee's home and the employee is working, and that's when the issues of time tracking and data leak prevention arise.
Below you can see the implementation scheme of such a scenario with the help of StaffCop software system.
Office workstations connect to a VPN server on the corporate router, and employees can access all the information and computing resources exactly as if they were present in the office. The StaffCop Endpoint agent can "see" the server and transfer information to it without any losses as long as the VPN connection is active; when this connection is broken, the agent will "lose" the server and will have to store data in its local database.
For IS officers, time lags in receiving the data may be unacceptable. In this case, StaffCop is a perfect solution. When the VPN connection is not active, the StaffCop agent will still "find" the server and transfer the collected data to it, even though the office servers are otherwise unavailable!
PROs of this configuration:
- Employees work as if they were present in the office, and IS and IT specialists have remote access to the workstations, as they did back in the office.
- No need to use personal devices for working purposes.
- No need to configure additional software.
For this, system administrators should configure some settings in advance:
- Make sure that the main corporate router has a public ("white") static IP address. It seems strange, but a lot of small companies don't buy this type of IP address. However, it's the only way to provide a stable connection between the agents and the server. If a company doesn't have this type of IP address, it should be purchased beforehand.
- On the main corporate router, port forwarding should be configured so that traffic arriving on a predefined external TCP port (we recommend taking one from the dynamic range that is easy to remember, for example 44344) is forwarded to the LAN IP address of the StaffCop Server, port 443, which is used for transferring data from the agents (this port can be changed if needed).
- Then you should specify the external IP address of the corporate router and the port chosen for StaffCop traffic on the endpoint agents, either with a tool included in the StaffCop distribution or by editing the Windows registry. The settings of the remote tool should correspond to those on the screenshot below.
In this case a stable connection to the StaffCop Server can be achieved no matter whether the VPN connection is established or not, as endpoint agents can switch between addresses and ports. The agent's configuration can be changed on the go, and the remote desktop can be viewed in real time.
When following this scenario, you should keep in mind that corporate equipment is physically taken outside the corporate network. That's why IS specialists should make sure that the hard drives taken by employees don't contain any confidential data or trade secrets. Be especially careful about personal data: workstations of specialists in finance and legal departments sometimes contain reports with data on employees' salaries or home addresses. Taking this data outside the corporate network may lead to an uncontrolled data leak.
Scenario #3 supposes that no workstation is taken out of the office. They are turned off in such a way that they can be turned on remotely: the "Wake-On-LAN" function must be disabled.
Employees work from home, but on their personal workstations that are used as remote desktop terminals: all the work is carried out on the terminal server located in the company’s corporate network.
A simplified working scheme in this case can look like this:
It doesn't matter which way terminals are connected to the server: you can
- either arrange a VPN connection to the corporate router and then connect to the terminal server using the Microsoft RDP protocol,
- or connect directly to the external ("white") IP address of the corporate router using the Microsoft RDP protocol, with the traffic port-forwarded to the TCP port of the terminal server (the default TCP port number is 339; for the external IP address we recommend port 33933).
In this case, all the applications are installed on the terminal server. The work processes can be organized with the help of remote desktop or Microsoft RemoteApp. An endpoint agent is installed on the terminal server and sends data on users' activity to the server within the local network. In this case the StaffCop Server may not have Internet access at all, as the data being collected doesn't leave the secured perimeter.
PROs of this scenario:
- All the work is done in a single place and is centrally controlled.
- Employees' personal PCs don't store any corporate data (this is also monitored by the agent installed on the terminal server); personal PCs are used only as remote terminals.
- All the data collected by the agent stays inside the corporate secured perimeter.
The main disadvantage of this scenario is that a terminal server for a large number of employees requires significant hardware capacity and software licenses. All the applications that users need must be installed on it, and the corporate router must be configured correctly: either with a VPN or with port forwarding.
We have considered the most probable scenarios of arranging remote workstations. Now a question arises: which of them should be chosen?
The truth is somewhere in between. For employees whose work doesn't require any software besides common office applications, the most reasonable choice is Scenario #3: a Microsoft terminal server is perfectly tuned for using shared software. But if employees need to work in specific resource-intensive applications (e.g. AutoCAD, ArchiCAD, nanoCAD and similar ones), it's more reasonable to follow Scenario #2: employees will work in the environment they are used to, without consuming shared resources.
When organizing remote workstations, special attention should be paid to providing secure access to corporate resources. That's why the available connections should be limited, whether a VPN connection or port forwarding is used; it's also reasonable to arrange a similar limitation on the terminal server, to make sure that an unauthorized connection from a workstation is impossible. Access should be arranged so that connections and resources can be reached only from specified workstations and IP addresses, and access from all other workstations and IP addresses is blocked. This can be achieved by creating white lists of permitted connections on gateways, routers and servers.
One of the important factors of remote work is arranging a stable connection between employees and customers. It seems as easy as ABC: cellular providers offer coverage in most places on the globe, and where it's unavailable, satellite phones can be used.
But this way of communication can't be considered reliable, as it's very difficult to control this channel, even if employees use corporate phones and phone numbers: in this case it's completely illegal to record and listen to the communication.
There is a possible way out of this: the use of IP telephony and so-called "softphones", special applications (for example, Mango Talker, Zoiper) that are installed on workstations or smartphones. Voice communications are recorded by a phone station that is monitored by both the IS and IT departments. Management should issue a regulation that obliges employees to communicate on corporate issues only by means of IP telephony and warns them that their communication may be recorded.
Remote work has specific legal peculiarities.
If employees work on their office workstations, it's necessary to document the transfer of equipment to employees for safekeeping, with the hardware and software described, in order to prevent abuse by disloyal employees. StaffCop can build hardware and software inventory reports to keep track of all installations and uninstallations.
The labor contract should be supplemented with a regulation changing the labor format from obligatory presence in the office to presence on demand. This will serve as a guarantee for employees that the time when they are not present at the office will be counted as remote work and not truancy, and can't be a reason to fire them.
Psychological aspects of remote work should be considered as well.
Quite often employees treat remote working periods as paid vacations. Here, the supervisor's personality and standing in the eyes of the employees matter a lot. If employees working remotely feel that their supervisor is keeping an eye on them, they will spend working time on working tasks and not on their personal needs.
It's very useful to implement software systems for tracking working time, projects and system resources, for example Microsoft Project or its free analogues.
The use of remote workplaces increases the number of potential data leak channels. The IS department should be tasked with the following:
- Make sure that all remote connections (VPN, Microsoft RDP, etc.) are performed securely, with the corresponding certificates, encryption, complex passwords (for example, at least 8-16 characters long), etc. If possible, a system of one-time passwords should be introduced, or passwords should be changed on a regular basis (at least once a month, or more often if possible) using complex password generation;
- Make sure that office workstations and data storage devices transferred to employees don't contain data that can be classified as confidential (including employees' personal data) or as a trade secret.
- Make sure that agent configurations provide collection of the necessary data on users' activity as well as blocking of prohibited websites and applications.
- Make sure that the live desktop view function is enabled, as IS specialists no longer have the ability to look at employees' screens as they could while they were in the office.
Besides monitoring remote workstations, the IS department, together with the IT department, should arrange employee training on information security issues, including how to work with the application used for remote work.
Employees should be warned about phishing attacks, the most common cybersecurity frauds and the basics of anti-virus protection. Every employee should know the threats he or she may encounter and have a clear understanding that in case of a cyber attack not only this particular employee is at risk but the entire company, as office workstations (or personal computers serving as remote terminals) represent a direct "bridge" to the corporate network.
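One way to apply the white list on the terminal server and the secure-connection check from the first task above, as an added PowerShell example that is not the article's or StaffCop's own code; it assumes Windows Server 2016 or later with the built-in "Remote Desktop" firewall rule group, and the source addresses are constructed placeholders for employees' home IPs and the VPN pool:

```powershell
# Added example (not from the article or StaffCop): restrict RDP on a terminal server
# to permitted sources and require NLA + TLS on the listener. Run elevated.
# Constructed allowlist: two home addresses and the VPN client pool (assumptions).
$AllowedSources = @('203.0.113.10', '198.51.100.24', '10.8.0.0/24')

# 1. The built-in "Remote Desktop" inbound rules accept connections from any address.
#    Scope them to the allowlist; all other sources fall through to the default inbound block.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Set-NetFirewallRule -RemoteAddress $AllowedSources -Enabled True

# 2. Listener settings for RDP-Tcp (documented registry values):
#    UserAuthentication=1  -> Network Level Authentication, client authenticates before a session exists
#    SecurityLayer=2       -> TLS is mandatory instead of native RDP security
#    MinEncryptionLevel=3  -> "High" encryption level
$Rdp = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
Set-ItemProperty -Path $Rdp -Name 'UserAuthentication' -Value 1
Set-ItemProperty -Path $Rdp -Name 'SecurityLayer'      -Value 2
Set-ItemProperty -Path $Rdp -Name 'MinEncryptionLevel' -Value 3

# 3. Audit: re-run (or schedule) this to detect drift back to the weak defaults.
function Test-RdpHardening {
    $p = Get-ItemProperty -Path $Rdp
    $scopes = Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Enabled True |
        Get-NetFirewallAddressFilter
    # An address filter whose RemoteAddress is 'Any' means the rule is open to the whole Internet.
    $openToAny = $scopes | Where-Object { $_.RemoteAddress -contains 'Any' }
    [pscustomobject]@{
        NlaRequired    = ($p.UserAuthentication -eq 1)
        TlsRequired    = ($p.SecurityLayer -eq 2)
        HighEncryption = ($p.MinEncryptionLevel -ge 3)
        RdpAllowlisted = (-not $openToAny)
    }
}

Test-RdpHardening | Format-List
```

The same -RemoteAddress scoping can be applied to the port-forwarded entry on the corporate router, so that the StaffCop and RDP forwards are reachable only from the listed addresses.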
Work secure. Even if you work remotely!