The widespread shift to work-from-home arrangements was not expected to still be in place. But it appears to be heading towards becoming the new norm.
Work patterns have changed a great deal since 2020 began, and one change that is unlikely to be reversed is remote working. According to a recent survey by Gartner, 41% of employees are “likely to work remotely some of the time post-coronavirus pandemic.” A separate survey found that 74% of organisations plan to shift “at least 5% of their previously on-site workforce to permanently remote positions post-pandemic.”
Remote support and security continue to be critical now and will be in the future as more employees transition from temporary to permanent off-site arrangements. The dynamic, distributed workforce is not a passing phase. It is here to stay.
But many of the tools and technologies deployed during the rush to implement large-scale remote workforces were not designed for long-term success. In organisations without a progressive work-from-home culture, there were many “band aids” used to get staff up, running and productive during the business disruption. Now, these organisations are considering what is required for the best security in this new reality of remote working.
As many organisations enter into a future that includes a high proportion of remote workers, they will require new ways of thinking about security, productivity and identity and access management (IAM). While simple authentication capabilities may offer visibility into who remote workers say they are when they log in, what information is still missing? What applications and data are employees accessing? As budgets tighten and workers are asked to do more, what privileges have they been given in haste that need a closer look?
There are three goals to consider in the effort to evolve an effective IAM strategy for a large-scale, long-term dynamic workforce:
- Identity risk needs to be validated with visibility
- Reduce risks with new identity and more robust authentication
- Ensure IAM strategy complies with GDPR by leveraging tools like automation
As seen in recent months, cybercriminals have wasted no time taking advantage of the current health crisis. They found ways to exploit remote workers who are outside of the confines of office network security. With remote workers using every type of endpoint device these days, it is essential for security teams to distinguish legitimate devices and users from malicious ones.
The blurring of personal devices used for work and work devices used for leisure only aggravates the issue. It is no longer easy to centrally view and manage identities across the devices and applications that remote workers use to get work done, and it is equally difficult to know whether these devices are compliant.
Gaining visibility and control of the dynamic workforce
Given the new, more dynamic workforce, here are some recommendations to consider in gaining the appropriate security assurances by deploying good identity authentication:
- Run regular and automated certifications to ensure the right people have the right access to IT resources, enforcing policies such as segregation of duties, and providing reports and dashboards to prove compliance
- Automate processes, to help scale across the organisation to meet rising demands
- Minimise helpdesk costs by automating tasks such as password resets
- Implement user self-service capabilities to keep pace with requests from the new mobile workforce needing remote access to resources
- Centrally manage changes in the mobile workforce and enforce a sound Joiner/Mover/Leaver policy to adjust orphaned or over-privileged users, and to provision and de-provision remote access quickly
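One way to automate the certification and Joiner/Mover/Leaver checks recommended above, as an added example that is not from the original article: it reconciles an HR roster against account entitlements and flags leavers, orphaned accounts, over-privileged movers and segregation-of-duties conflicts. All account names, entitlements and policy tables are constructed for illustration.

```python
# Constructed sample data (hypothetical names); a real review would pull
# these from the HR system and the identity store.
HR = {  # employee id -> (status, department)
    "e100": ("active", "finance"),
    "e101": ("active", "engineering"),  # mover: previously in finance
    "e102": ("left", "finance"),
}
ACCOUNTS = [  # (account, owner employee id or None, entitlements)
    ("asmith", "e100", {"vpn", "invoice.create", "invoice.approve"}),
    ("bjones", "e101", {"vpn", "repo.write", "invoice.create"}),
    ("cdoe", "e102", {"vpn", "invoice.create"}),
    ("svc-old", None, {"vpn"}),
]
# Assumed policy: entitlements allowed per department, and entitlement
# pairs that one person must not hold together (segregation of duties).
ALLOWED = {
    "finance": {"vpn", "invoice.create", "invoice.approve"},
    "engineering": {"vpn", "repo.write"},
}
SOD_CONFLICTS = [{"invoice.create", "invoice.approve"}]


def certify(hr, accounts, allowed, sod):
    """Return {account: [findings]} for accounts needing reviewer action."""
    findings = {}
    for name, owner, ents in accounts:
        issues = []
        status, dept = hr.get(owner, (None, None))
        if status is None:
            issues.append("orphaned: no owner in HR, disable and investigate")
        elif status != "active":
            issues.append("leaver: revoke " + ", ".join(sorted(ents)))
        else:
            extra = ents - allowed.get(dept, set())
            if extra:  # typical after a move between departments
                issues.append("over-privileged for %s: %s"
                              % (dept, ", ".join(sorted(extra))))
            for pair in sod:
                if pair <= ents:
                    issues.append("SoD conflict: " + " + ".join(sorted(pair)))
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    report = certify(HR, ACCOUNTS, ALLOWED, SOD_CONFLICTS)
    for account, issues in report.items():
        for issue in issues:
            print(account, "->", issue)
```

Note that the leaver and the ownerless service account both still hold the `vpn` entitlement, which is the remote access the list above says should be de-provisioned quickly.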
Reducing identity risk for VPN Access
For years, organisations set up network perimeters to keep the bad guys out and let the good guys in. Virtual Private Networks (VPNs) offered a safe remote connection from unsecured networks to corporate systems, applications, and data.
With a rapidly growing mobile workforce and open business environment, the requirement for remote access extends beyond employees to include contractors, vendors, customers, audit teams, and partners. In order to do business, stay competitive, and maintain agility, modern companies are opening their networks to this broader user base.
In doing so, boundaries blur – and traditional perimeters dissolve. The emergence of identity as the new perimeter – as well as a major threat – places a premium on ensuring that your remote access is secure.
VPNs and firewalls continue to be the stalwarts for critical and secure anywhere-anytime remote access. But in the current business environment, it takes a little more effort to ensure that users really are who they say they are.
Usernames and passwords are not enough – According to the 2016 Verizon Data Breach Investigations Report, “63% of confirmed data breaches involved leveraging weak/default/stolen passwords.” Usernames and passwords simply don’t provide enough protection – and expose systems and data to cyber threats. What to do? Add strong authentication. Two-factor authentication (2FA) methods require users to have two forms of identification – something they know (e.g. username and password) and something they have (e.g. a hardware token) – in order to gain VPN access. Multi-factor authentication (MFA) tools extend this concept with a third identifier – something the user is (e.g. unique physical or behavioural characteristics) – and provide convenient security for remote users with a variety of authentication options such as push notification and biometrics (e.g. fingerprint).
Assuring identity and appropriate access – Knowing that users really are who they say they are is critical for any organisation. In addition, it’s important to ensure that users have the appropriate access to systems and applications – and that this access is managed consistently in order to meet compliance and governance demands. A security solution that provides convenient and strong authenticated access based on risk analysis and contextual awareness, and that automates the processes that manage which systems and resources users can access, is crucial to securing remote gateways.
Setting the standard – The variety of types of users introduces other variables. A vendor’s security standards, for instance, may not be the same as yours. In its March 2016 research report, the Ponemon Institute reported “a lack of confidence in third parties’ data safeguards, security policies and procedures.” While you have no control over other organisations’ policies or the behaviour of external users, 2FA or MFA allows enforcement of security standards that grant vital remote VPN access to corporate systems and resources to authorised users only.
Securing credentials – High-profile data breaches further underscore the importance of securing network access for third parties. Whilst the environments, behaviours and devices are beyond internal control, the security of remote user access to systems is not.
VPNs and firewalls continue to be effective remote access gateways. To assure that users are who they say they are, though, you must protect access with strong authentication. Modern identity and access assurance solutions provide multiple secure and convenient ways to authenticate all of the users, analyse their behaviour and context, and assure that the right individuals have the right levels of access – from anywhere and any device.
- Is your short-term remote workforce technology in for the long haul? - March 3, 2021