As cities locked down almost overnight to fight the coronavirus in recent months, many businesses scrambled to fire up their virtual private networking (VPN) ports and accounts to let in not just the usual portion of travelling workers but nearly everyone who needs to connect.
The danger of that kind of rush is that the effort is not built with scalability and security in mind. With remote working come heightened risks, such as compromised devices, password stuffing and phishing efforts that exploit people’s need for information during a crisis.
Businesses need to find a way to make apps easier and more secure for remote workers to access, said Mark Johnston, head of security, networking and collaboration specialists for Google Cloud in Asia-Pacific.
In a Q&A with Techgoondu, he points to the cloud as the answer, for example, in more secure videoconferencing tools.
NOTE: Answers have been edited for brevity and style.
Q: Many businesses are starting to realise that security has to be beefed up along with remote working. How prepared are Asia-Pacific businesses in the region when it comes to security?
A: As the number of remote workers increases drastically in a short period of time, one thing we’ve heard repeatedly is that organisations need an easier way to provide access to key internal applications.
Workers can’t get to customer service systems, call center applications, software bug trackers, project management dashboards, employee portals, and many other Web apps that they can normally get to through a browser when they’re on the corporate network in an office.
Companies have also had to pivot quickly to enable staff to collaborate securely via video conference and at scale. They also need the right solution that is secure, reliable and scalable.
Q: Specifically when it comes to video conferencing tools, what measures are key to keeping out uninvited guests?
A: Google Meet employs a vast array of counter-abuse measures to keep your meetings safe. These include anti-hijacking measures for both Web meetings and telephony dial-ins.
For example, our meeting codes are 10 characters long, with 25 characters in the set. This makes it harder to brute force “guess” meeting codes.
Requests for external participants to join a meeting must be sent and they must be admitted by a member of the host organisation.
We also limit the ability of external participants to join the meeting more than 15 minutes in advance, reducing the window in which a brute force attack can even be attempted.
Q: What have been the security challenges of Google Meet users so far?
A: Meet takes advantage of Google Cloud’s secure-by-design infrastructure to help protect your data and safeguard your privacy. Meet’s counter-abuse and security features are on by default so you can be sure the right protections are in place for your organisation.
For users on Chrome, Firefox, Safari and new Edge, we don’t require or ask for any plugins or software to be installed; Meet works entirely in the browser. This limits the attack surface for Meet and the need to push out frequent security patches on end-user machines.
On mobile, we recommend that you install the Hangouts Meet app from Apple App Store or the Google Play Store. This has been instrumental in enabling companies to securely scale their remote work or work from home strategies.
Additionally, Meet users can enroll their accounts used to access Meet in Google’s Advanced Protection Program (APP).
APP provides the strongest protections available against phishing and account hijacking and is specifically designed for the highest-risk accounts, and we’ve yet to see people successfully phished if they participate in APP, even if they are repeatedly targeted.
We also support multiple two-step verification options for Meet accounts that are both secure and convenient – hardware- and phone-based security keys, as well as Google prompt.
Q: What precautions would you expect businesses to take eventually after the pandemic eases?
A: One thing that businesses need to take now and eventually after the pandemic eases is an easier way to provide access to key internal applications.
We’ve been big supporters of this zero-trust access approach for many years; we know it’s not something that most organisations will deploy overnight.
So going forward, I’d say businesses will need a strategy to roll out remote access today while enabling a more secure foundation for a modern, zero-trust access model.
We recently introduced BeyondCorp Remote Access. This cloud solution, based on the zero-trust approach we’ve used internally for almost a decade, lets your employees and extended workforce access internal Web apps from virtually any device, anywhere, without a traditional remote-access VPN (virtual private network).
Over time, we plan to offer the same capability, control, and additional protections for virtually any application or resource a user needs to access.