Remote Citadels:

Thoughts on remote work security from the Halo Privacy team

Alec Harris
9 min read · Mar 23, 2020

Much is being said about the “new normal.” It’s clear at this point that we will see societal shifts, some of them seismic, as we adjust to, and hopefully come out the other side of, the current public health crisis. The subjects deserving of the most time and resources, health care, hygiene, and the economy, for instance, won’t soon leave the national consciousness. There will be other challenges. One thing that my colleagues and I have been talking about is resilience. Nearly every system, resource, and structure is being tested as we speak. Some will collapse and disappear, some will collapse and be rebuilt stronger, and some will adjust and survive. The question is: how do we enable survival?

I’ve had the good fortune of working from home for close to a decade now. I recall it took some getting used to, and I still probably avail myself of the kitchen pantry more than I should. There are advantages in that I don’t have to commute and I generally get a pass on my questionable wardrobe choices, but for a few glances askance from my wife. One challenge, though, has been on the security front. At Halo Privacy we are entirely remote except for a few core sys admin and engineering functions. Even those are optionally remote and well tested since for the last five years we’ve covered night and weekend operations remotely. I’ve been with the company since day one and have only been to the “office” in Seattle five or six times. I’m sure the guys there think that’s plenty. Our CEO, Kevin Kelly, and I were just commenting on the fact that we talk to each other near continuously across a variety of channels and techniques, but much like with the cadence of office visits, we’d probably barely recognize each other if we passed each other on the street. Obviously, that’s hyperbole. I’d easily recognize Kevin on the street since I have a shrine to him in my basement and it’s covered in glamor shots.

Despite being spread out across miles and time zones, Halo operates extremely smoothly, maintains high assurance over data in motion and at rest, and has had very few misunderstandings or miscommunications. This doesn’t just happen. It requires effort, leadership, culture, and tools. As a remote company we have a head start on all of these and given the recent, sudden, national decampment to work from home (WFH), my colleagues and I thought we’d share some comments from the peanut gallery. I don’t use the phrase “lessons learned” since it, along with all the other tired business speak, needs to go crawl under a rock and die. But, our point here is to share some thoughts, not because we have it all figured out, but because we think that now is the time to build resilience in our economy and we want to contribute. Take it or leave it, but here’s what we know. I’ll start:

Alec Harris — Managing Director

Personal OPSEC is paramount. You have to be your own CISO if you work from home. I’m lucky since the big brains in our engineering shop send me the best kit we have, but good tools are only part of the solution. I have to take responsibility for my own security posture. A great example is that I use our proprietary VPN. It’s amazing, it works everywhere and doesn’t get blocked, tagged, or throttled the way other VPNs do. It also ingests and obfuscates advanced cryptography. VPNs are just one part of good OPSEC though and I think people overestimate their utility. More is required. Over time I’ve built up a strong home cyber hygiene routine to complement my home security suite. I’ve hardened my device security, ratcheted privacy settings to the max, eliminated unnecessary access and applications and installed our industry grade security appliances at the edge of my home network. To work from home successfully you have to take personal responsibility.

Kevin Kelly — CEO

To me culture is at least a, if not the, cornerstone of a successful remote work company. My partners and I try to lead by example. At Halo we have two verticals in our culture. First, security takes primacy. If we can’t do something securely, we don’t do it. You’ll never find one of us switching over to WhatsApp because it’s more convenient than setting up one of our secure channels. One of the things we discuss with new hires is that security and convenience live on a broad spectrum, for now. If we can start to collapse the two so that they become equally attainable, well, that’s a worthy goal. Until then, though, we live on the security side of the spectrum. As a decentralized workforce, it’s difficult to enforce security, so we don’t do it as much by edict or decree, but rather, as part of our culture. We volunteer for security and we do it together. It’s our privilege, not our burden. The second vertical in our corporate culture is our culture of blame where no decision is made without first deciding who to blame if things don’t go well. It’s usually whoever isn’t on the call to defend themselves. They teach courses on our culture of blame at all the top business schools, or they should.

Lance Gaines — CTO

Listen, while my non-technical colleagues pontificate about culture and their own ideas around what it means to have good OPSEC, the reality is that some central enforcement of rules and implementation of security tools is required to make this all work. My engineering team works seven days a week to deliver and sustain network and endpoint security to the whole Halo team. We place emphasis on secure communications, as you might expect. To that end, we look at the threat landscape and try to mitigate against a host of vulnerabilities. What we’ve learned is that if we can deploy strong cryptography to protect payloads, manage the attribution of the users in our ecosystem, and sever our adversary’s ability to perform link analysis against us, we can reduce our attack surface to something we can manage with conventional security techniques.

Seth Rodin — Project Manager

I spend a lot of time with our customers. Sometimes it feels like I spend all my time with our customers. I get to see how companies deploy technical resources and policies to enable their own remote work capabilities. Few companies are similar enough that we’ve found a one-size-fits-all solution. My approach has been to leverage modular capabilities to build solutions that fit the use case as opposed to taking something off the shelf and trying to shim it in regardless of the requirement. The tech I get to work with is great for this since everything we do is a custom build. That started as a necessity since we were our own first customer and given that we all worked from home the tech team needed to build something that would flex to suit different threats, levels of user sophistication, geographies, hardware, operating systems, etc. We’ve been able to take those same modules and refactor them to suit our customers’ needs as well. Hopefully that doesn’t sound too self-congratulatory but, hey, I am the one out here every day actually doing work for our clients unlike some people who have commented above.

Jeffrey Mader — Director

My default setting in my personal life is max privacy, max security and I had already been working from home so joining the Halo team was a pretty easy transition for me. What I found that really upped my remote work defenses through Halo was the layer of managed attribution built into all of our remote capabilities. It’s a lot harder for the bad guys to target your work-from-home setup if they can’t find you in the first place. When you work from home it’s usually the case that you don’t have the same level of intrusion detection, malware protection, firewall, and other edge defenses that you might find in a robust corporate office environment (though you can still do pretty well if you put in some extra effort). A lot of people work from home off of their standard issue routers from the ISP and some don’t even change the default passwords. If attackers know where you are, they will be able to take advantage of common exploits against home network appliances. If you can find ways to hide your identity, location, and project false attribution at the same time you’ll give the bad guys a hard time before they even have a chance to come after your home network. Plus, all the managed attribution dark arts is pretty fun when you get into it — just remember to be consistent about it. Some discipline is definitely required.

Derek Odom — Director

I have guns. Come at me.

Kevin Casey — Product Manager

So, I had an advantage in all this in that I got to see everyone else’s responses before writing mine. My first thought was that I work with a bunch of paranoid freaks. Admittedly, I’m of the same ilk and I generally think that most people aren’t paranoid enough. The rate and velocity of cyber-attacks is ever increasing. Some of it is targeted and some more opportunistic. Product is a unique role at Halo since I deal with sensitive company intellectual property. We are a small company though, so while we reserve the most sensitive development and integration as in-house functions, we use outsource teams too. My concern is data loss or product road map leaks based on the network of 3rd party resources with whom I communicate. If someone had an aerial view of all the types of developers that I communicate with, just that would give big clues about where we are taking the next generations of Halo product. I use my Halo suite and some tricks I came up with myself to fragment my external communications across different channels. It would be really hard to map my communications given the variance I’m able to inject. It keeps our vendors on their toes too.

Okay, I’m back. Hopefully the above is useful to our friends and colleagues. Despite what I’m sure would be objections and eye-rolling from the luminaries above, I’ll attempt to summarize. Working from home securely is absolutely attainable but it does require some extra steps and tools. I’m so used to it now that it would be off-putting to do anything less than what we currently do, but a lot of America (and the world) is just now making the WFH transition so take what you can and leave the rest. Trying to implement too much, too quickly, might overwhelm your workforce. Some alacrity is merited though since we know that attackers are already taking advantage of the chaos. At least a couple banks have already been hit hard in the last week, and that’s just what we’ve learned about anecdotally.

In summary and not in order of the comments above:

· Build a culture of security in your company and lead from the top. Great leaders act with conviction during times of uncertainty.

· Enforce strong security policies and deploy security tools from the CISO & CTO level. Don’t assume that everyone knows what to do and how to do it.

· Pair strong central mandates with personal responsibility and OPSEC. People should want to be contributors to the company’s security posture because they care personally, not because it’s forced on them. Make it fun, make it cool. Incentives might be better than warnings.

· Deploy network security tools to home networks — this won’t be free but it’s essential.

· Use secure communications tools to encrypt data in motion. Use file and disk encryption to secure data at rest.

· Develop a managed attribution program to hide your employees in the noise — be a needle in a stack of needles.

· Avoid patterns. Don’t always use the same methods and tools. Being predictable is almost as bad as being insecure.

· Keep it lighthearted. Being separated creates more room for error and misunderstanding. A sterile or humorless corporate culture will suffer in a WFH environment. At Halo we laugh a lot — mostly at each other’s expense.

Written by Alec Harris

Managing Director at Halo Privacy
