There is no doubt that the concerns over Covid-19 have created an overwhelming shift to a distributed workforce. All signs (and surveys) indicate the current remote working environment is here to stay. According to a recent Gartner HR Survey, 41% of employees are likely to work remotely at least some of the time post-pandemic. With a substantially larger remote workforce, there is a greater risk for a security incident related to a compromised identity. Contributing factors include:
● A disrupted work environment that makes employees more vulnerable to a wide variety of attacks including phishing and social engineering since the remote environment (home) is not fully manageable.
● More employees are using personal and BYOD methods to connect to corporate assets, potentially accessing sensitive data with some form of privileged access.
● A greater chance that employees are using an unprotected home Wi-Fi connection, exposing them to a variety of attacks such as man-in-the-middle, exploitation of unpatched vulnerabilities, weak encryption, and inappropriate lateral movement.
● Corporate VPNs are not bulletproof; extending trusted networks into untrusted zones (the home) and relying on RDP connections leaves remote workers vulnerable to a myriad of attacks.
● Remote work means remote communication, and a greater risk that sensitive information and credentials are being communicated to remote employees, vendors, and contractors using insecure communication methods such as instant messenger, text messages, and email.
Organizations are struggling to educate, train, and penetration test their newly minted home users on security best practices, because the concerns of working from home unfortunately differ markedly from those of the traditional office environment.
To address the changing risk landscape and threats that have been amplified by remote work, the Identity Defined Security Alliance (IDSA), a nonprofit composed of over two dozen identity and security vendors, solution providers, and practitioners, has compiled five identity-centric security outcomes that organizations should adopt. (Full disclosure: I am a member of the IDSA.)
1. Grant user access rights according to the principle of least privilege
The principle of least privilege is the concept that any user, program, or process should have only the basic access rights required to perform their job function. These access rights take into consideration segregation of duties, job-based roles, policy-based access, and administrative access and entitlements for privileged users, applications, and automation. In many ways, this concept is foundational for zero trust. Following this principle prevents users from having excessive privileges beyond their role and reduces the threat landscape should credentials be compromised.
2. Implement multifactor authentication (MFA)
Relying on username and password alone (single-factor authentication) has proven to be a significant risk due to password sharing, weak passwords, and compromised credentials. Implementing MFA as an extra layer of protection for privileged accounts, VPNs, remote access, and in conjunction with SSO (single sign-on) mechanisms can reduce the risk that a compromised identity can get access to corporate systems. However, be aware that this increases confidence in the user's identity but does not fully mitigate the threat as seen in recent Twitter attacks.
3. Use device characteristics for authentication
Additional access protections can be put in place by taking into consideration information about the device that is being used, specifically whether the device itself has been compromised or violates corporate policy. This context helps prevent the spread of malware and limits lateral movement by denying infected or vulnerable systems access to corporate resources. It also limits access to company-issued or company-managed devices. This security outcome can be achieved by sharing the user's identity context across identity, access, and security technologies, for example, access management and unified endpoint security platforms.
4. Revoke user access upon detection of a high-risk event
Security-related alerts or events captured through technologies such as security information and event management (SIEM) or user behavior analytics (UBA) can indicate that a potential breach of policy has occurred within an environment. These alerts can be used to automatically trigger deprovisioning, block access, or generate a service-desk ticket for remediation or escalation. This security outcome can be achieved by sharing identity context and alerts from UBA or SIEM (or other tools) with the systems that initiate or act on the request, such as identity governance and administration, access management, IT service management platforms, and network access control systems.
5. Trigger reattestation based on high-risk events
An alternative to automatically removing access, which could present problems if the alert is a false positive on a high-profile resource, is to initiate an access review. Similarly, a security-related alert or event generated through UBA or SIEM indicating a potential breach of policy could result in an immediate and full reattestation of the offending identity's access. This would result in a recalculation of the identity's confidence for accessing resources and would utilize all the solutions controlling identity governance and administration, including access management, SSO, MFA, and privileged access management.
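As an added illustration of how outcomes 3, 4, and 5 fit together (this is not code from the IDSA or from the article), the following Python sketch gates access on device posture, recalculates identity confidence from MFA and device context, and maps constructed SIEM/UBA alerts to a revoke, a reattestation, or a service-desk ticket. The resource names, risk levels, and confidence weights are assumptions chosen for the example.

```python
from dataclasses import dataclass

@dataclass
class Alert:
    user: str
    resource: str
    risk: str      # "low", "medium" or "high" as scored by the SIEM/UBA (assumed scale)
    source: str    # "SIEM" or "UBA"

@dataclass
class DeviceContext:
    managed: bool      # company-issued or company-managed device
    compliant: bool    # not flagged as infected or policy-violating by endpoint security
    mfa_passed: bool   # outcome 2: a second factor was presented this session

# Constructed: resources where an automatic revoke on a false positive would be
# too disruptive, so a high-risk alert triggers an access review (outcome 5) instead.
HIGH_PROFILE_RESOURCES = {"payroll-db", "prod-admin-console"}

def device_allows_access(ctx: DeviceContext) -> bool:
    """Outcome 3: deny unmanaged or non-compliant devices regardless of credentials."""
    return ctx.managed and ctx.compliant

def confidence(ctx: DeviceContext) -> int:
    """Outcome 5: recalculate identity confidence (0-100) from MFA and device context."""
    return (50 if ctx.mfa_passed else 0) + (30 if ctx.managed else 0) + (20 if ctx.compliant else 0)

def decide(alert: Alert, ctx: DeviceContext) -> dict:
    """Map a SIEM/UBA alert to the request handed to IGA, access management or ITSM."""
    base = {"user": alert.user, "resource": alert.resource, "source": alert.source}
    if alert.risk == "high" and alert.resource in HIGH_PROFILE_RESOURCES:
        # Outcome 5: full reattestation of the identity's access, driven by IGA.
        return {**base, "action": "reattest", "target": "IGA",
                "confidence": confidence(ctx)}
    if alert.risk == "high":
        # Outcome 4: deprovision and block access immediately.
        return {**base, "action": "revoke", "target": "access-management"}
    if alert.risk == "medium" or not device_allows_access(ctx):
        # Outcome 4: open a service-desk ticket for remediation or escalation.
        return {**base, "action": "ticket", "target": "ITSM"}
    return {**base, "action": "log", "target": "SIEM"}

# Constructed sample alerts, as a UBA or SIEM integration might deliver them.
SAMPLE_ALERTS = [
    Alert("alice", "payroll-db", "high", "UBA"),   # anomalous access to a high-profile resource
    Alert("bob", "wiki", "high", "SIEM"),          # credential-compromise indicator
    Alert("carol", "wiki", "medium", "SIEM"),      # policy deviation worth a human look
]
```

Running `decide` over `SAMPLE_ALERTS` with a managed, compliant, MFA-authenticated device yields `reattest`, `revoke`, and `ticket` respectively; the same low-risk alert from an unmanaged device is routed to a ticket rather than merely logged.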
It is a foregone conclusion the remote workforce is here to stay, at least for the foreseeable future, and with it an increased risk of identity-related security incidents. A focus on these five identity-centered security outcomes can help organizations stay secure while also focusing on the longer-term problems of building a universal approach to identity-centric security management, identity governance and administration, and best practices for remote workers.