The concept of working ‘on any device from anywhere’ is not new, but the Covid-19 pandemic brought the security challenges of remote working into sharp focus.
For many enterprises the immediate issue was enabling a suddenly home-based workforce (many of whom had no previous experience of working away from the immediate office environment) to stay connected and maintain their productivity, without compromising IT security.
The heightened complexity of providing access to both on-premise and cloud services, as well as on-device native mobile applications while employees worked at home meant a secure VPN on its own was no longer robust enough for day-to-day operations; it needed to be supplemented with additional tools and practices. (VPN servers can be a single point of failure on a network blocking remote access, while the need to install a VPN client limits the ability to switch devices. VPN clients can also be process intensive, meaning less memory is available to run apps and services.)
This highlighted the need for all organisations to adopt a zero-trust approach and the mantra ‘never trust, always verify’. Data is an organisation’s biggest asset, and zero trust principles protect it by using a layered framework made up of infrastructure, networks, applications, endpoints, and identity management.
Identity and access management (IAM)
Managed identity for all users is a fundamental principle of zero-trust, and the provision of single sign on (SSO) with multi-factor authentication (MFA) is a critical component. MFA requires that a user frequently confirms their identity via a one-time password, SMS, biometric, on-device authentication app, or voice recognition app. This needs to be handled sensitively if company smartphones are not available and identity needs to be confirmed on a personal device, which some users may feel crosses a boundary despite it being a necessity.
The concept of least privilege access authorisation ensures users are only granted the system access required to do their job; regular access and privilege reviews and recertifications ensure it is followed for every user. Exception access requests or firefighter logons may be required on occasion for inflated system access, but this should only be on a short-term basis.
IDAM tools can be configured to implement risk-based or policy-based access. Here, a user’s location or network access point can influence whether system access requirements are relaxed because the user is logging on from a secure office network, need MFA, or are blocked altogether, for example if public Wi-Fi, such as in a coffee shop or airport lounge, is being used.
Zero-trust principles also require the securing of all endpoints and applications throughout the organisation.
Endpoints can be user devices, IoT devices, devices attached to the corporate network such as printers and servers, etc. Applications are an intrinsic part of a workplace, from productivity apps such as email, spreadsheets, time recording tools, project management platforms and HR systems, through to specialised industry-specific apps (oil and gas, and public services, for example), as well as social media and streaming apps used by businesses and individuals.
The need to collaborate virtually while working from home required many businesses to implement collaboration software on devices (endpoints) for the first time. However, this was not always straightforward; the widely used Zoom application, for example had initial challenges with weak end-to-end encryption increasing the risk of, ’Zoombombing’ and the potential for user data to be exposed. CISOs were required to draft new terms of usage for collaboration software, that protected company data without compromising operational capabilities.
Company device management
Devices are either company owned or personal (Bring Your Own Device, or BYOD). Regardless of which category they fall into, all devices, whether desktop, laptop, tablet, or smartphone must have an up-to-date operating system, up-to-date applications, be managed securely, keep company data secure and be set up so that system access is dependent on location.
All company managed desktops and laptops require the installation of a VPN client to guarantee access from private or public wifi is channelled through a secure corporate VPN, and centralised software management tools can distribute operating system updates, application installs and software patching. Because it only takes a user to install software or an application from a public domain to introduce a virus or vulnerability that can be exploited by bad actors, many companies ‘lockdown’ desktops, and use the appropriate tooling to ensure any applications and services installed are company approved.
In addition to a secure VPN, mobile device management (MDM) is essential for company tablets and smartphones. This allows companies to register each device to a specific owner, ensure the operating system (OS) is kept up to date, block non-compliant devices from accessing company applications and services, control the apps that can be installed, whitelist approved versions of apps, and wipe devices if they are compromised or stolen.
BYOD challenges the boundaries of business and user responsibility for device and access security, with the protection of sensitive data downloaded to personal devices one of the biggest headaches. Security can be down to something as individual as how proactive the device owner is when it comes to installing OS patches and security, and the latest versions of applications.
Many enterprises will have a BYOD policy that documents safety measures such as: how personal devices can be used safely; prohibited applications; the policy on accessing company data; and the need to install the company VPN client to access on-premises services. But to be truly secure, investment in an endpoint management solution such as Microsoft Intune is crucial to manage all devices (desktops, tablets, smartphones, etc.) and ensure they are registered with named owners, as well as provide device governance across on-premise, cloud and hybrid estates.
Endpoint management solutions allow companies to control all devices that are accessing company applications and services. Device compliance rules can be set to ensure minimum OS levels (or maximum if the latest release of software is untested) are adhered to, as well as whitelist and blacklist application versions depending on whether they are required or prohibited. Other checks include minimum software versions, the deployment of security patches, and the installation of prerequisite software (such as a VPN client or monitoring tools that block the download of files from personal devices).
In addition, endpoint management solutions allow risk-based policies to be tailored to permit or block access, or challenge for MFA if compliance rules are not met, or access from a less trusted location is being requested.
A zero-trust mindset
The pandemic and resulting lockdowns put IT and cyber security in the spotlight. But regardless of where people physically work, cyber security teams continually face new challenges, with the move to the cloud, the exponential emergence of AI applications and increasingly complex distributed hybrid landscapes currently part of this evolution. With this context in mind, zero-trust policies and mindsets are a critical component to keeping an organisation’s assets safe and secure from a wide range of risks; their adoption is good business practice – and therefore essential.