
10:00 AM
Morey Haber

Top 5 Identity-Centric Security Imperatives for Newly Minted Remote Workers

In the wake of COVID-19, today's remote workforce is here to stay, at least for the foreseeable future. And with it, an increase in identity-related security incidents.

There is no doubt that the concerns over COVID-19 have created an overwhelming shift to a distributed workforce. All signs (and surveys) indicate the current remote working environment is here to stay. According to a recent Gartner HR Survey, 41% of employees are likely to work remotely at least some of the time post-pandemic. With a substantially larger remote workforce, there is a greater risk of a security incident related to a compromised identity. Contributing factors include:

● A disrupted work environment that makes employees more vulnerable to a wide variety of attacks including phishing and social engineering since the remote environment (home) is not fully manageable.

● More employees are connecting to corporate assets from personal (BYOD) devices, potentially accessing sensitive data with some form of privileged access.

● A greater chance that employees are using an unprotected home Wi-Fi connection, which exposes them to a variety of attacks, including man-in-the-middle interception, exploitation of unpatched vulnerabilities, weak encryption, and lateral movement from other devices on the same network.

● Corporate VPNs are not bulletproof; extending the trusted network into untrusted zones (home networks) and exposing RDP connections leave remote workers vulnerable to a myriad of attacks.

● Remote work means remote communication, and a greater risk that sensitive information and credentials are being communicated to remote employees, vendors, and contractors using insecure communication methods such as instant messenger, text messages, and email.

Organizations are struggling to educate, train, and penetration test their newly minted home users with security best practices because the security concerns of working from home differ markedly from those of the traditional office environment.

To address the changing risk landscape and threats that have been amplified by remote work, the Identity Defined Security Alliance (IDSA), a nonprofit composed of over two dozen identity and security vendors, solution providers, and practitioners, has compiled five identity-centric security outcomes that organizations should adopt. (Full disclosure: I am a member of the IDSA.)

1. Grant user access rights according to principle of least privilege
The principle of least privilege is the concept that any user, program, or process should have only the basic access rights required to perform their job function. These access rights take into consideration segregation of duties, job-based roles, policy-based access, and administrative access and entitlements for privileged users, applications, and automation. In many ways, this concept is foundational for zero trust. Following this principle prevents users from having excessive privileges beyond their role and reduces the threat landscape should credentials be compromised.

2. Implement multifactor authentication (MFA)
Relying on username and password alone (single-factor authentication) has proven to be a significant risk due to password sharing, weak passwords, and compromised credentials. Implementing MFA as an extra layer of protection for privileged accounts, VPNs, and remote access, and in conjunction with SSO (single sign-on) mechanisms, can reduce the risk that a compromised identity gains access to corporate systems. However, be aware that MFA increases confidence in the user's identity but does not fully mitigate the threat, as seen in the recent Twitter attacks.

3. Use device characteristics for authentication
Additional access protections can be put in place by taking into consideration information about the device that is being used, specifically whether the device itself has been compromised or violates corporate policy. This context helps prevent the spread of malware and limits lateral movement by denying infected or vulnerable systems access to corporate resources. It can also restrict access to company-issued or company-managed devices. This security outcome can be achieved by sharing the user's identity across identity, access, and security technologies, for example, access management and unified endpoint security platforms.
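To show how the first three outcomes combine into a single access decision, here is an added example of a small policy decision point. It is illustrative code written for this article, not code from the IDSA or any vendor; the role table, the set of privileged entitlements, the device attributes, and the "allow / deny / step-up" vocabulary are all constructed assumptions.

```python
"""Added example: a minimal policy decision point that applies least privilege,
MFA, and device context to one access request. All roles, entitlements, and
device attributes below are constructed for illustration."""
from dataclasses import dataclass

# Outcome 1: least privilege. Each role maps to the minimum entitlements it
# needs; nothing outside this table is ever granted.
ROLE_ENTITLEMENTS = {
    "accounts-payable": {"erp:invoice:read", "erp:invoice:approve"},
    "helpdesk": {"ad:password:reset", "ticketing:write"},
    "sysadmin": {"server:ssh", "server:sudo"},
}

# Entitlements treated as privileged: they always require MFA (outcome 2)
# and a managed, compliant device (outcome 3).
PRIVILEGED = {"erp:invoice:approve", "ad:password:reset", "server:ssh", "server:sudo"}


@dataclass
class Device:
    managed: bool    # enrolled in the organization's endpoint management
    compliant: bool  # e.g. disk encryption on, patch level current
    infected: bool   # endpoint security has reported active malware


@dataclass
class Request:
    user: str
    roles: frozenset
    entitlement: str
    mfa_verified: bool
    device: Device
    network: str     # "corp" for the office network, anything else is remote


def decide(req: Request) -> tuple:
    """Return (decision, reason); decision is 'allow', 'deny', or 'step-up'."""
    # Outcome 1: the entitlement must come from one of the user's roles.
    granted = set()
    for role in req.roles:
        granted |= ROLE_ENTITLEMENTS.get(role, set())
    if req.entitlement not in granted:
        return ("deny", "not in least-privilege role entitlements")

    # Outcome 3: an infected device never gets in; this contains lateral movement.
    if req.device.infected:
        return ("deny", "device reported infected")

    privileged = req.entitlement in PRIVILEGED
    remote = req.network != "corp"

    if privileged or remote:
        # Outcome 3: privileged or remote access only from managed, compliant devices.
        if not (req.device.managed and req.device.compliant):
            return ("deny", "unmanaged or non-compliant device")
        # Outcome 2: privileged and remote access require a verified second factor.
        if not req.mfa_verified:
            return ("step-up", "MFA required")

    return ("allow", "least privilege, MFA, and device policy satisfied")


if __name__ == "__main__":
    home_laptop = Device(managed=True, compliant=True, infected=False)
    req = Request("jsmith", frozenset({"accounts-payable"}),
                  "erp:invoice:approve", False, home_laptop, "home")
    print(decide(req))  # privileged action from home without MFA -> step-up
```

The order of the checks matters: role entitlements are evaluated first so that an out-of-role request is refused before any device or MFA logic runs, and an infected device is refused regardless of how strong the user's authentication was.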

4. Revoke user access upon detection of a high-risk event
Security-related alerts or events captured through technologies such as a security information and event management (SIEM) system or user behavior analytics (UBA) can indicate that a potential breach of policy has occurred within an environment. These alerts can be used to automatically trigger deprovisioning, block access, or generate a service-desk ticket for remediation or escalation. This security outcome can be achieved by sharing identity context and alerts from UBA, SIEM, or other tools with the systems that initiate or act on the request, such as identity governance and administration, access management, IT service management platforms, and network access control systems.

5. Trigger reattestation based on high-risk events
An alternative to automatically removing access, which could present problems if the alert is a false positive on a high-profile resource, is to initiate an access review. In this model, a security-related alert or event generated through UBA or SIEM indicating a potential breach of policy results in an immediate and full reattestation of the offending identity's access. This recalculates the identity's confidence for accessing resources and utilizes all the solutions controlling identity governance and administration, including access management, SSO, MFA, and privileged access management.
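Outcomes 4 and 5 describe one pipeline with two possible endings: an alert arrives from SIEM or UBA, and the response is either automatic revocation or, for resources where a false positive would be costly, a full reattestation. The following added example implements that routing over a few constructed alert lines. It is illustrative code written for this article, not any SIEM, UBA, or IGA product's real export format or API; the JSON field names, risk-score thresholds, the list of "high-profile" resources, and the downstream system names are all assumptions.

```python
"""Added example: route SIEM/UBA alerts to revocation, reattestation, or a
service-desk ticket. Alert format, thresholds, and system names are constructed."""
import json

# Constructed sample alerts in a JSON-lines shape; not any vendor's real format.
# The last line is deliberately malformed to show the parser's handling of it.
SAMPLE_ALERTS = [
    '{"ts":"2020-09-01T08:02:11Z","source":"uba","user":"jsmith","score":92,'
    '"rule":"impossible-travel","resource":"vpn"}',
    '{"ts":"2020-09-01T08:05:40Z","source":"siem","user":"admin-ops","score":88,'
    '"rule":"new-admin-group-member","resource":"prod-domain-controller"}',
    '{"ts":"2020-09-01T08:09:03Z","source":"uba","user":"kchen","score":55,'
    '"rule":"unusual-hour-login","resource":"wiki"}',
    'not json at all',
]

HIGH_RISK = 80    # at or above: act on the identity immediately
MEDIUM_RISK = 50  # at or above: a human looks, via a service-desk ticket

# Resources where an automatic revocation that turns out to be a false
# positive would be disruptive; outcome 5 routes these to an access review.
HIGH_PROFILE = {"prod-domain-controller", "erp-finance"}


def parse_alert(line: str):
    """Return a normalized alert dict, or None if the line is unusable."""
    try:
        raw = json.loads(line)
        return {
            "ts": str(raw["ts"]),
            "source": str(raw["source"]),
            "user": str(raw["user"]),
            "score": int(raw["score"]),
            "rule": str(raw["rule"]),
            "resource": str(raw["resource"]),
        }
    except (ValueError, KeyError, TypeError):
        return None


def respond(alert: dict) -> dict:
    """Map one alert to an identity action and the systems that carry it out."""
    base = {"user": alert["user"], "rule": alert["rule"], "resource": alert["resource"]}
    if alert["score"] >= HIGH_RISK:
        if alert["resource"] in HIGH_PROFILE:
            # Outcome 5: full reattestation of the identity's access across
            # IGA, access management, SSO, MFA, and PAM instead of removal.
            return {**base, "action": "reattest",
                    "targets": ["iga", "access-mgmt", "sso", "mfa", "pam"]}
        # Outcome 4: block access and deprovision through connected systems.
        return {**base, "action": "revoke", "targets": ["iga", "access-mgmt", "nac"]}
    if alert["score"] >= MEDIUM_RISK:
        # Lower-confidence signal: open a ticket for remediation or escalation.
        return {**base, "action": "ticket", "targets": ["itsm"]}
    return {**base, "action": "log", "targets": []}


def process(lines) -> list:
    """Run every alert line through parse and respond; malformed lines are
    recorded rather than silently dropped, so a broken feed is visible."""
    actions = []
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            actions.append({"action": "malformed", "user": None, "targets": [],
                            "raw": line[:80]})
        else:
            actions.append(respond(alert))
    return actions


if __name__ == "__main__":
    for action in process(SAMPLE_ALERTS):
        print(action["action"], action["user"], action["targets"])
```

The decision between revocation and reattestation is made on the resource, not the user: the same score that revokes a VPN session triggers an access review when the alert concerns a domain controller, which is exactly the false-positive trade-off outcome 5 describes.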

It is a foregone conclusion the remote workforce is here to stay, at least for the foreseeable future, and with it an increased risk of identity-related security incidents. A focus on these five identity-centered security outcomes can help organizations stay secure while also focusing on the longer-term problems of building a universal approach to identity-centric security management, identity governance and administration, and best practices for remote workers.


Morey Haber, who has more than 20 years of IT industry experience and is the author of Privileged Attack Vectors and Asset Attack Vectors, joined BeyondTrust in 2012 as part of the eEye Digital Security acquisition. He currently oversees the vision for BeyondTrust technology ...
