Conditional Access: How to Support Remote Work and Identity Management

After 2020 and the delivery of new vaccines for COVID-19, there are reasons to be more positive about the future of business. However, all the changes that occurred in 2020 have forced us to rethink how and where we work. These changes will be with us for the next several months, if not permanently. The change, triggered by COVID-19, will double the number of people who work remotely permanently to 34.4% of all employees, according to Enterprise Technology Research. Tech companies are leading this movement: Mark Zuckerberg estimates that around 50% of all Facebook staff will be remote in the future, Twitter and Square have made their remote work approaches permanent, and Google will be remote until at least September of 2021.


Remote work puts more pressure on companies’ technology and on the staff responsible for managing and protecting it all. For many IT teams facing a forced work-from-home scenario, remote working had to be implemented quickly. Interim approaches and legacy implementations that were largely designed for on-premises security and access control suddenly had to scale far beyond what they were built for. The important thing for 2021 is that we analyze what went well, what needs to change and what lessons we can learn.

Identity management and consolidation

Usage patterns around remote working are very different in a remote / work-from-home world compared to more traditional office work. In the office, workers tend to be on a stable and secure network, and will use one or two devices. When working from home or remotely, the potential number of devices, locations, and networks used increases for each user. In addition, devices unknown to the company and therefore not compliant with corporate security standards can be used to access critical resources.

At the same time, remotely managing these devices in their various forms will present unique challenges. Instead of the homogeneous IT environments of the past, based on a standard set of operating systems, applications, and services, IT teams will have to work with and support a variety of different resources. These services, operating systems, and devices will come from a variety of different manufacturers and vendors; while the AWS / Google Workspace / macOS cloud-and-device trifecta is common for tech workers, there will be a host of combinations to support.

In practice, centralizing and managing a user’s identity across this disparate infrastructure is critical for organizations to onboard and offboard users and to control access to resources. Who someone is becomes the one constant when users work from their phones, tablets, personal computers, and work machines. The traditional approach to this would be to use a directory. However, this approach is becoming harder to make work.

Conditional access: should you be allowed in?

Instead of a binary approach to identity, where you either can or cannot enter a resource with your password, administrators should be able to set conditions for access based on the situation. This involves defining policies for how and when to grant access to applications and data using a combination of factors.

The first one is the identity of the user: is the correct user trying to access the resource? This is the starting point for identifying a user, so the use of strong authentication and multiple identity-related factors should be essential. For example, a standard username and password combination should be supplemented by multi-factor authentication, such as a token or a phone app. When so much depends on identity, this should be as secure as possible by default.

The second item to consider is the device that an employee might use: is a correct, trusted device being used to access the resource? Having a list of devices that are known to be “good” along with a correct user identity can make it easier to ensure that someone is who they say they are. Even if someone obtains a user’s identity through a combination of credential theft and poor password hygiene, using a “known device” approach means that the attacker still cannot gain access.

The third consideration here is the network: is the user connecting to a resource through a known network? If you are on a company-owned and managed network, then that acts as a form of authorization; after all, you must have access to the physical building to log in. Knowing through which networks and IP addresses users will communicate for work can therefore be a useful additional factor today, when workers are not entering the office. Verifying and ‘trusting’ home IP addresses along with user and device identities can help ensure that people are who they say they are.

The combination of these elements can help employees work more easily and flexibly when remote while keeping security high. Policies can also be adjusted to support specific roles or behaviors; for example, someone who is expected to work from a home network may have a strict policy regarding location that stops any access from unknown IP addresses. Meanwhile, someone who will be working from multiple locations may have more restrictions on the device they use and have to use multi-factor authentication, but will have the freedom to connect from different locations.

Getting the policy side right here is about setting the right conditions to allow access, rather than simply blocking and restricting it. The goal is to make it easier for IT to manage identities and keep things secure without interfering with people’s daily work.
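The three factors above (user identity with MFA, a known device, and a trusted network) combined with per-role policies amount to a small decision engine. The following is an added example, not code from the article or from any particular identity product: it models the two roles described above (a home-based worker who is location-locked, and a mobile worker who is device-locked but free to roam) and reports every failed condition so that a denial is auditable. All user names, device IDs, IP ranges and policy names are constructed sample data.

```python
"""Toy conditional-access evaluator (added example; all data below is constructed)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_passed: bool   # did the sign-in complete a second factor?
    device_id: str     # identifier presented by the client device
    source_ip: str     # address the request arrived from


@dataclass(frozen=True)
class Policy:
    require_mfa: bool
    require_known_device: bool
    restrict_to_trusted_networks: bool


# Constructed sample directory: which role each user holds.
USER_ROLES = {"alice": "home_worker", "bob": "mobile_worker"}

# Role policies modelled on the two cases in the text: the home worker is
# locked to known locations, the mobile worker is locked to enrolled devices.
ROLE_POLICIES = {
    "home_worker": Policy(require_mfa=True, require_known_device=False,
                          restrict_to_trusted_networks=True),
    "mobile_worker": Policy(require_mfa=True, require_known_device=True,
                            restrict_to_trusted_networks=False),
}

# Constructed device registry: device id -> the user it is enrolled to.
KNOWN_DEVICES = {"laptop-0001": "alice", "laptop-0002": "bob", "phone-0007": "bob"}

# Constructed trusted networks: the office range plus each user's verified home IP.
CORPORATE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
HOME_NETWORKS = {"alice": [ipaddress.ip_network("198.51.100.42/32")]}


def network_is_trusted(user: str, source_ip: str) -> bool:
    """True if the source address falls in the office range or the user's verified home range."""
    addr = ipaddress.ip_address(source_ip)
    candidates = CORPORATE_NETWORKS + HOME_NETWORKS.get(user, [])
    return any(addr in net for net in candidates)


def evaluate(req: AccessRequest):
    """Return (allowed, reasons). Every failed condition is collected rather than
    stopping at the first, so the denial can be logged and explained."""
    role = USER_ROLES.get(req.user)
    if role is None:
        # Identity is the starting point: with no known user there is nothing to evaluate.
        return False, ["unknown user"]
    policy = ROLE_POLICIES.get(role)
    if policy is None:
        return False, ["no policy for role"]  # deny by default
    reasons = []
    if policy.require_mfa and not req.mfa_passed:
        reasons.append("mfa required")
    if policy.require_known_device and KNOWN_DEVICES.get(req.device_id) != req.user:
        reasons.append("device not enrolled to user")
    if policy.restrict_to_trusted_networks and not network_is_trusted(req.user, req.source_ip):
        reasons.append("source network not trusted")
    return (not reasons), reasons


if __name__ == "__main__":
    # Constructed sign-in attempts, including one with a correct password but
    # no second factor from an unknown network, which the policy rejects.
    attempts = [
        AccessRequest("alice", True, "laptop-0001", "198.51.100.42"),
        AccessRequest("alice", False, "unknown-device", "192.0.2.10"),
        AccessRequest("bob", True, "phone-0007", "192.0.2.10"),
        AccessRequest("bob", True, "laptop-0001", "192.0.2.10"),
    ]
    for a in attempts:
        allowed, why = evaluate(a)
        print(f"{a.user:6} {a.source_ip:15} {'ALLOW' if allowed else 'DENY '} {why}")
```

The evaluator treats the absence of a role policy as a denial and collects all failing conditions before answering, which keeps the decision both fail-closed and explainable; in a real deployment the directory, device registry and trusted-network lists would come from the identity provider and MDM rather than from inline dictionaries.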

Zero trust and identity

Setting the right conditions to allow verified access helps IT maintain control and establish a Zero Trust approach. This involves having each component within IT treat the others as if they were not secure, rather than inherently relying on the network or a device being automatically secure. Putting more emphasis on identity first helps with the “verify everything” model at the heart of Zero Trust, as it ties all activity and authorization to the user.

In practice, this should ease the security process by setting up and defining policies that assist the user, while verifying that all necessary security rules are being followed.

In Zero Trust, all users and resources must be verified and authenticated in order to access services or applications. In addition, system data must be collected and analyzed to detect potential risks over time, while network access and traffic must be limited and monitored as necessary. While it may seem paranoid, Zero Trust security is based on the realities of today’s computing infrastructure. Since there is no longer a trusted perimeter, managing security means applying the same approach everywhere, from the former perimeter to central IT systems and across devices.


The challenge with remote work is that identity is the only point of consistency for security over time. By observing conditional access and policies, you can apply the correct “never trust, always verify” approach to user accounts and achieve consistent security.
