The sudden shift to remote work exposed the limitations of traditional, domain-based security. The castle-and-moat security approach is obsolete, having given way to a kitchen-table-and-home-office norm. Employees are accessing IT resources—distributed across on-premises servers and private and public clouds—from anywhere and everywhere.
Security teams need to be increasingly vigilant about monitoring and managing identity, from the devices employees log into, the networks they traverse, and the files and applications they access. The pandemic prompted a significant uptick in security threats as bad actors seek to take advantage of the new work ecosystem. ESG research found that exploiting a user’s identity has become the most common attack. This includes outsiders seeking to exploit a software vulnerability or commit targeted penetration attacks, but also risks from the inside: compromised user credentials, spearphishing of privileged credentials, and overly permissive privileges.
The vulnerability of identity is obvious when you consider the number of points an employee navigates daily across devices, applications, files, and networks, especially in a distributed context. With nearly two-thirds of remote workers reporting they’d like to continue doing so, it’s imperative that security adapt to what will likely be the new normal.
Securing diverse and distributed IT environments starts with the identity plane. Modern and evolving security threats are best prevented by securing identity through many layers relying on a Zero Trust model. Zero Trust, by which I mean “trust nothing, verify everything,” can serve as a foundation for the evolution of a modern security perimeter, one virtually drawn around each individual user, from anywhere they log on. By following Zero Trust principles and establishing user identity across devices, programs, and networks, modern enterprises can pursue a security program that is adaptive, contextual, and robust enough to defend against modern threats.
Whether a laptop, tablet, or smartphone, the device is part of the user’s identity in securing access. A good start is to ensure that basics—such as disk encryption, an active firewall, and a robust antivirus program—are running from the get go. Beyond basic device security, verifying that the device is listed as a “known” or “trusted” device in a corporate fleet offers additional protection. If not recognized, access from that device can be denied, mitigating the threat of lost or stolen credentials.
User Authentication and Authorization
Once a device is verified, users need to be authenticated and authorized. Traditional means of authentication in a physical workplace—key cards, work terminals, on-premises access control—offered layered identity verification. Remote work demands the same layering through different measures.
Password only systems are notoriously weak. These should be supplemented by multi-factor authentication (MFA), like a one-time password; better yet, a key, an authenticator, or biometrics. These layers ensure not just that someone is presenting the right credentials, but that the right person is presenting the right credentials.
After verifying users on a trusted device, identity can be further managed through conditional access. For general tasks, a single log in may be adequate. But as users seek out more sensitive resources, roles and permissions are more important; these may require adaptive and step-up authentication. In the context of remote work, this is an especially crucial element. Considering that 30% of organizations report their cloud identities are overly permissive. admins should be even more conservative about granting access and disciplined about rescinding permissions in order to minimize outside risk. Implementing a least privileged access approach and revisiting it regularly can help ensure rigorous compliance for high security.
Network identity is a final layer of securing remote work. Given the new “work from anywhere” landscape, it’s not tenable to whitelist each individual’s home network, but there are alternatives to ensuring that each location functions as part of the trust ecosystem. In part, location trust comes from monitoring the signals that a worker sends out, evaluating consistent behavior and flagging anomalies (e.g., what time of day they’re active, what applications they log into, where they log in from). Businesses can also restrict employees to a VPN, which ensures they are using a secure tunnel rather than an insecure public network, and adds another layer to prevent devices with no VPN from gaining access. Another approach is to geofence particular regions and set alerts around geovelocity, which analyzes the time and distance between logins, flagging inconsistencies (for instance, logging in from Boston at 10pm, then logging in from Paris two hours later).
Remote work highlighted the need for a new security paradigm. Adaptive, contextual, and continuous management of identity across devices, applications, and networks can be an effective security model—no matter where your employees log on.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.