March 20, 2020
PrimeKey on working securely from home
At PrimeKey, we have offices on four continents, spread across time zones, and our professional services team travels often to customer sites. Therefore, we already had all the infrastructure in place to ensure that our distributed team can work efficiently and that everyone, no matter where they are, feels included in the team.
The PrimeKey management team anticipated severe disruptions before they became self-evident, so we decided to adjust our working practices, taking into consideration the safety of our people, ensuring infrastructure capacity, and looking at how our supply chain might be affected and how we can act as responsible corporate citizens. We would like to share some experiences regarding how we at PrimeKey have set up processes to facilitate collaboration between multiple sites and “working remotely”.
Business continuity planning
Apart from the conveniences and inconveniences of remote working, there are important aspects that have to do with business continuity planning (BCP): while we had prepared for various kinds of disruption, a global pandemic was not on our top-10 list. Two decisions that we made many years ago seem to pay off very well today: first, we set out to ensure the highest possible availability of support services to our customers, and second, we wanted to avoid relying on external services wherever possible.
Platforms based on open standards
Additionally, we are proud to be a multicultural organization, both literally and in terms of platforms: we have many colleagues using Linux and Mac, hence whenever possible we look for solutions based on open standards. Some of the tools we use are perhaps not the most well known, but they are good and secure, and we think it is fair to give credit where credit is due. Broadly speaking, at PrimeKey we looked at ensuring three main areas of IT infrastructure services:
- Communication tools, such as telephony, email and instant messaging.
- Collaboration tools, such as all kinds of documentation (various projects, activities, groups), file sharing, as well as facilitation of online meetings.
- Production tools; in our case, these mostly have to do with software and hardware development and product support.
For the purposes of this blog post, we will share our experience with communication and collaboration tools. Production (back-end) tooling may be too specific to what we do, but the infrastructure and basic principles would apply in many other organizations.

It goes without saying that we wanted to ensure secure access to all these services. Therefore, our policy is certificate-based authentication for email clients, and everything on the intranet must be accessed through a VPN, which is also certificate-based with mutual (two-way) authentication. Virtually all modern email clients and servers support client-certificate authentication over TLS for IMAP, so this is easy to enforce. For the VPN, there are many commercial VPN clients, but there are also a number of free and open source ones that are quite good. OpenVPN has clients for all major platforms; we use Viscosity and Tunnelblick, for example. In our internal documentation, the instructions for configuring and using them are just a few lines per platform, so anyone with basic computer skills is able to set this up on their own.

For instant messaging, and in line with the BCP decision mentioned above, we wanted to host the service ourselves, and we opted for Mattermost. It has a nice client application, or you can use it directly from a web browser. It is possible to create public channels, private channels and direct messages. Once your organization has a VPN infrastructure in place, adding Mattermost is easy: host it on the intranet so that it is reachable only through the VPN, and all communication with it travels over the authenticated, encrypted tunnel.

The main collaboration tool at PrimeKey is Confluence by Atlassian. We have many different “spaces”, which makes it possible to categorize different types of content. In the present situation, where almost all our colleagues are working remotely, it is worth mentioning that we use Jitsi, a multi-platform, open source video conferencing tool. It is WebRTC-based, meaning it runs in the browser and there is no need for heavy client software. Again, once you have the VPN infrastructure in place, access to both tools is over a secure channel.
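As an added illustration (this is example configuration, not PrimeKey's own), the following pair of OpenVPN files implements the mutual certificate authentication described above. The hostname, addresses, file names and user name are assumptions. The commented directives are the ones that turn a VPN that merely encrypts into one that authenticates both ends: without `remote-cert-tls server` on the client, any holder of a valid client certificate from the same CA could impersonate the server; without `crl-verify` on the server, a revoked user certificate keeps working until it expires.

```conf
# ---------- server.conf (example; paths and addresses are assumptions) ----------
port 1194
proto udp
dev tun
# Address pool handed to VPN clients and the intranet range routed through the tunnel (assumed)
server 10.8.0.0 255.255.255.0
push "route 10.10.0.0 255.255.0.0"

# PKI material issued by the corporate CA (file names are assumptions)
# ca.crt is the CA that signs both the server and every user certificate
ca   ca.crt
cert vpn-server.crt
key  vpn-server.key
# No static DH group: use ECDH for the TLS key exchange
dh   none
# Pre-shared key that authenticates and encrypts the TLS control channel,
# so unauthenticated peers cannot even start a handshake
tls-crypt ta.key

# Mutual authentication, part 1: every client must present a certificate from our CA
verify-client-cert require
# Part 2: the certificate must have been issued for client use (EKU clientAuth),
# so a leaked server certificate cannot be used to log in as a user
remote-cert-tls client
# Part 3: the certificate must not be revoked. crl.pem is the CA's current CRL
# and must be refreshed on a schedule; a stale file silently re-admits revoked users
crl-verify crl.pem

# Modern crypto only
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256

keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup

# ---------- alice.ovpn (example client profile; names are assumptions) ----------
client
dev tun
proto udp
remote vpn.example.com 1194
nobind
resolv-retry infinite

ca   ca.crt
# User certificate and key issued by the corporate CA (assumed user name)
cert alice.crt
key  alice.key
tls-crypt ta.key

# Authenticate the server, not just "some certificate from our CA":
# require EKU serverAuth, otherwise another VPN user could stand up a fake server
remote-cert-tls server
# and pin the expected server identity (the certificate's CN)
verify-x509-name vpn.example.com name

tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
persist-key
persist-tun
```

OpenVPN consults the CRL file at each new connection, so a scheduled download of the CA's current CRL to `crl.pem` is enough to make revocations bite without restarting the server; the check is only as strong as the freshness of that file.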
EJBCA to manage certificates securely
Finally, we practice what we preach: we use our own EJBCA to issue certificates to users. In fact, we run EJBCA on our PKI Appliance, since it also provides HSM management, backups and upgrades. Another quick alternative would be to run EJBCA in AWS or in Azure. Either way, it gives full control over who gets certificates and lets us revoke them when needed; note that a revocation only takes effect if the VPN and mail servers actually check the current CRL or an OCSP responder.