A Zero-Trust Approach to COVID-19: Stay Secure While Working Remotely

    


Conferences, music festivals, sporting events, parades: every event imaginable from coast to coast is either already cancelled, postponed, or has attendees at the edge of their seats waiting for the latest update. Hospitals and healthcare systems are sending thousands of non-essential employees home to work remotely. Universities and K-12 school districts are also shutting down all over the world, affecting 300 million students globally.

Health Department officials in Washington D.C. have now officially recommended postponing or cancelling “non-essential mass gatherings, including conferences and conventions.” A growing list of companies including Amazon, Google, Microsoft, Apple, Facebook, and Twitter have asked employees to work from home. 

Today, it’s COVID-19, a disease caused by a coronavirus. But tomorrow, who knows what the reason could be?

Organizations must be prepared for the unplanned, including pandemics like COVID-19, natural disasters, and more. Even here at Identity Automation, headquartered in Houston, TX, we have been through multiple hurricanes in recent years that have forced our employees to temporarily work from home. 

Most organizations use a variety of technologies, such as virtual private networks (VPNs) or virtual desktop infrastructure (VDI) to provide remote and third-party users the access they need to do their jobs. Although these technologies can be a boon to productivity and collaboration, they can also introduce significant risk to your organization due to a greater attack surface with less IT oversight and control.

So, how can you keep your organization secure when sudden events force your staff to work from home? 

Adopting a Zero Trust Model

We are all familiar with the classic network perimeter strategy, where trust is based on location and network. You focus on defending the network perimeter and assume that everyone and everything already inside the network is friendly. Users inside the network have private IP addresses and are “trusted,” while remote users employ virtual private networks to access a private IP address on the network. The problem is that this model was created when employees used corporate computers, on corporate networks, within company walls.

Many companies try to solve the problem with a partial solution: applying additional layers of protection to only certain critical systems. However, this only serves to create a false sense of security because hackers can and will exploit security gaps and weaknesses in the other, less protected systems.

Because the security perimeter in today’s digital world is porous, your organization must adopt a zero trust mindset. The zero trust model doesn’t distinguish between internal and external users or devices. It treats everything as external and operates under the assumption that all users, endpoints, and resources are untrusted and always need to be verified.

The key to this approach is to only deliver applications and data to authenticated and authorized users and devices.

How Identity and Access Management Secures Your Organization

When situations like Coronavirus arise, it is more important than ever to have a solution in place that is able to give users access to the data and systems they need, in a manner that is secure enough to keep out attackers. 

The zero trust model begins with identity-driven security that puts a modern identity and access management (IAM) system at the core of your organization’s security program. Key components of an effective IAM system include automated lifecycle management for both internal and external users, comprehensive identity governance, privileged access management, and integrated multi-factor authentication (MFA) capabilities.

Modern IAM enables organizations to adopt bring-your-own-device (BYOD) strategies that let employees work from home seamlessly. Instead of IT building out a laptop or desktop from a single image, many employees today are simply given a stipend to buy their own workstation. IAM systems can provide secure access control for a large number of diverse users and devices, allowing organizations to identify every user and every device attempting to access the network. This granular control at the user and device level protects against unauthorized access to an organization’s resources.

In addition, modern IAM enables organizations to effectively enforce least privilege access, which restricts access to only what is absolutely required for an employee or contractor to perform his or her job, and only for the right amount of time. This starts with implementing role-based and attribute-based access controls (RBAC and ABAC) to help ensure that users have only the appropriate permissions.

The other part of this equation is preventing unauthorized access in the first place. When your workforce is working remotely, the need for robust yet user-friendly authentication is even more crucial. With users having access to so many devices and systems, password management becomes a challenge as well.

Of course, we’ve long known that passwords are a weak link in the security chain. Single-factor authentication simply isn’t enough, especially given the known weaknesses of traditional username/password authentication. Implementing MFA, especially on all privileged accounts and business-critical systems, is a must.

Modern MFA solutions safeguard your enterprise from unauthorized access resulting from stolen credentials by adding a second or third verification method in addition to passwords, rendering those attacks harmless. Even better, MFA can replace passwords altogether.

Of course, not every situation requires the same level of authentication. That’s why it’s important to have an MFA solution that allows for flexible authentication policies that enhance both security for your organization and ease of use for your users.

A crucial part of this is taking contextual factors into account and adapting the level of authentication required based on the risks involved. The most common criterion is where you’re coming from, or the device source location. So, whether you are in the office, working from home, or in another country altogether, this data is contextual, and as a result, different authentication policies may apply. 
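The context-based policy described above can be sketched as a small decision function. This is an added example, not code from the original post or from any Identity Automation product; the office network range, home country, factor names, and risk thresholds are all constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: a documentation-range office network and a home country.
OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]
HOME_COUNTRY = "US"

@dataclass(frozen=True)
class LoginContext:
    source_ip: str        # address the request arrives from
    country: str          # ISO code from an upstream GeoIP lookup (assumed)
    managed_device: bool  # device is known to the IAM system
    privileged: bool      # privileged account or business-critical system

def classify_location(ctx: LoginContext) -> str:
    """Return 'office', 'remote' or 'foreign'; unparseable input fails closed."""
    try:
        ip = ipaddress.ip_address(ctx.source_ip)
    except ValueError:
        return "foreign"  # treat a malformed address as the riskiest location
    if any(ip in net for net in OFFICE_NETWORKS):
        return "office"
    return "remote" if ctx.country == HOME_COUNTRY else "foreign"

def required_factors(ctx: LoginContext) -> list[str]:
    """Map the login context to the factors the user must present."""
    risk = {"office": 0, "remote": 1, "foreign": 2}[classify_location(ctx)]
    risk += 0 if ctx.managed_device else 1
    risk += 1 if ctx.privileged else 0
    factors = ["password"]              # every request is authenticated
    if risk >= 1:
        factors.append("otp")           # second factor
    if risk >= 3:
        factors.append("hardware_key")  # third factor for the riskiest logins
    return factors
```

Note that a privileged login from inside the office still requires a second factor: network location lowers the score but never exempts a request from verification.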

The Time to Act is Now

When a sudden event like the COVID-19 pandemic occurs, it shines a light on how imperative it is to ensure robust IAM tools are in place at your organization.

To ensure that your enterprise is prepared for employees to work remotely and efficiently, while limiting the opportunities for attackers to access your valuable assets, it’s crucial to adopt a zero trust model that puts a robust IAM solution with integrated multi-factor authentication capabilities at the core of your security program.

Furthermore, combining the zero trust model with automated lifecycle management that enforces least privilege access, MFA capabilities, and risk-based authentication will ensure your organization remains secure, no matter what sudden event occurs next.
