Remote worker - IT research

I run a tiny business with 5 users (all office based) and I'm looking at the option of a remote worker (possibly overseas). We currently use M365 for Exchange and SharePoint for centralised document storage. All other programs are cloud based, with the exception of one Windows-based program whose files are saved in a SharePoint folder. We don't have a local server/NAS. All passwords are stored in Bitwarden with a private and shared vault.

One thing that has come up in conversation is what I need to implement in the way of IT security for a remote worker. I'm planning on speaking to a couple of IT companies, but I'd like to have some knowledge of what is best practice in this situation.

A couple of things I can think of include:

Password policy (unsure if the version of Bitwarden (Teams) we have can do this or if I need to upgrade to the Enterprise version)
2FA options and implementation
Active directory, we don't have anything in place currently. Everyone just has their own laptop with their own account on.
Someone said we'd need a VPN, but I'm not sure as we don't have anything on-premise?


Thanks
 
What license level of O365 are you using, Mark?

You can implement device posture and conditional access for accessing your tenant (license dependent), but it is tricky without a domain as such; you could look at Intune as well, which would allow you to push policies.

You only really need a VPN if you are accessing on-prem services; it sounds like almost all the infrastructure this person would need to access is MS: SharePoint/email/Teams etc.
 
If everything is in the "cloud" (or rather, Microsoft 365 in your case) then remote workers become a much easier concept to work with.

Aside from all the compliance stuff, which will vary with whatever industry you work in, the advice you have been given is valid, but I would expand on it with the following:
  • Password Manager - BitWarden/1Password/#Other - All are entirely sufficient, you might want to go for one of the plans that allow SSO with your Entra/Microsoft credentials as you can then use Conditional Access policies to secure access further (E.g. require compliant device, MFA, specific forms of MFA, location lockdown etc)
  • 2FA - Conditional Access - 100% a must but I would go further with location restrictions, potentially session time restrictions and requiring device compliance/AppProtection policies for the different assets you are working with. Good practice is requiring compliance or "MAM" (Mobile App Management) policies when accessing stuff like files, emails or sensitive data
  • Directory - Entra ID - Not Active Directory but Entra where your corporate systems are joined to Microsoft cloud directory, it makes it easier for logging in with one set of credentials and for users to safely share systems but not credentials
  • MDM - Intune - With Entra that is only half of the battle, an MDM is the tool that plugs into Entra and between the two you get a single set of credentials to login to services/devices but also you can secure devices with encryption, AV, and other policies etc
  • Defender - Comes with the Business Premium version of 365 and will secure your devices and emails, not necessarily remote related but handy nonetheless
  • Virtual Desktop - Depends how far you want to go but you could use a Windows 365 license to provide your remote worker with a remote system they can use to login to your services with, that way you need to worry less about their own device etc
Imho a lot of the above is just good practice when it comes to access and security in general but it definitely applies to remote workers as well as internal. In terms of licensing most of the features (as @mrlizard put) require a Business Premium license which I see as the minimum when it comes to a good M365 experience

For the VPN side of things, unless you have corporate apps onsite this is less necessary. You can use something such as "Microsoft Global Secure Access" to route all 365 traffic via their servers, or even host your own endpoint and route traffic out of that, but normally that is only when you have restrictions, e.g. an app requiring users to appear from a specific IP etc. It's not super critical in my opinion based on the info you've provided :)
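As an added example (not from this thread or from Microsoft), here is what the Conditional Access pieces above (MFA, compliant device, location lockdown, session limits) look like when created with the Microsoft Graph PowerShell SDK rather than clicked through the portal. It assumes Business Premium (which includes the Entra ID P1 licence Conditional Access needs), a pre-created break-glass admin account whose object ID replaces the placeholder, and that the remote worker signs in from South Africa.

```powershell
# Added example: two Conditional Access policies created in report-only mode so the
# sign-in logs show who WOULD have been blocked before anything is enforced.
# Requires the Microsoft.Graph.Identity.SignIns module and a Global/Security admin.
Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

# Placeholder (assumption): object ID of an emergency-access account excluded from every policy.
$breakGlassId = "<BREAK-GLASS-USER-OBJECT-ID>"

# 1. Named location listing the countries staff actually sign in from (UK + South Africa here).
#    Sign-ins whose country cannot be resolved are NOT treated as allowed.
$allowedCountries = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    "@odata.type"                     = "#microsoft.graph.countryNamedLocation"
    displayName                       = "Allowed countries"
    countriesAndRegions               = @("GB", "ZA")
    includeUnknownCountriesAndRegions = $false
}

# 2. Block every sign-in that does not come from an allowed country.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = "CA01 - Block sign-in outside allowed countries"
    state         = "enabledForReportingButNotEnforced"   # flip to "enabled" after reviewing the logs
    conditions    = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
        locations      = @{ includeLocations = @("All"); excludeLocations = @($allowedCountries.Id) }
    }
    grantControls = @{ operator = "OR"; builtInControls = @("block") }
}

# 3. Require MFA AND an Intune-compliant device for all apps, and re-authenticate daily.
#    Check in report-only mode that a brand-new laptop can still complete Intune enrolment
#    (it is not yet compliant at that point) before enforcing this one.
New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName     = "CA02 - Require MFA and compliant device"
    state           = "enabledForReportingButNotEnforced"
    conditions      = @{
        users          = @{ includeUsers = @("All"); excludeUsers = @($breakGlassId) }
        applications   = @{ includeApplications = @("All") }
        clientAppTypes = @("all")
    }
    grantControls   = @{ operator = "AND"; builtInControls = @("mfa", "compliantDevice") }
    sessionControls = @{
        signInFrequency = @{ value = 1; type = "days"; isEnabled = $true }
    }
}
```

The "compliantDevice" control only does anything once Intune has a compliance policy assigned to the devices, so it belongs after the Intune/Entra setup the replies below describe, not before it.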
 
You can do everything you need with your M365 subscriptions. You just need to set up your environment, users, and devices in the right way. A half decent IT company or one man band can do this for you.

As this business is probably for your livelihood and that of your 4 employees, get someone in and make sure it's done right. It will pay dividends in the long run. Don't get in a mate's mate who works on an IT service desk or some infra team, and don't go solely with the advice given on a forum and have a go yourself.
 
We currently have Business Standard editions for all users but happy to upgrade them if need be.
 
Ah ok - so in order to get Intune you need Business Premium; however, that would also include Defender (the good/enterprise version, not the free one). Also, you could then set up user accounts for your employees, get them to sign in on their laptops to this and it should auto add their laptops to the domain; you can then use permissions and posture management to manage access and device health etc. Slight caveat here is that the Home edition of Windows doesn't work, it needs to be Pro/Business - I think you can swap versions fairly easily though.
 
Are you supplying company devices to employees? Or are you expecting them to use virtual machines?
I'm thinking of device return if/when they leave employment, making sure the devices are BitLockered and the recovery IDs are in Intune, as examples.
 
We supply devices to employees currently but I'm not sure what to do for a remote worker. For an overseas employee it feels like it could get difficult to get the laptop back if they stop working for us, but I guess that's just something we would need to factor in. For an overseas role it is likely to be in South Africa due to the quality and availability of workers there.

Someone above mentioned remote desktop which might be something to consider for an overseas worker.
 
Yep, agreed a virtual machine might be the best approach, but you'll need to watch costs as it can be the same cost as a laptop every year depending on the tier you go for.

Getting machines back from staff in the same country is a problem, let alone a remote country; you have all the issues of getting them a replacement machine if it breaks or is stolen, as an example, as well.

You can secure the machines with BitLocker, usernames/passwords on the domain, deploy something like "Absolute" (formerly Computrace) to try and disable machines if stolen, BIOS passwords to prevent USB booting, and enable anti-tampering in case the case is opened, but there's no guarantee any of that will work 100%.
It's all a lot of extra cost and work for a small team of people.
 