July 14, 2020 // Joel
Last Updated: February 10, 2022
The COVID-19 pandemic continues to affect the world in many ways, both health-wise and from a business standpoint. As we adjust to what is likely a new normal for many organizations with an increased number of remote workers, we have to start rethinking the way we secure those employees and the data and systems they work with.
The first step is to stop thinking of them as remote workers. The future reality may well be that most workers will be “remote,” that is, away from the traditional office infrastructure that we have relied on in the past to protect our companies from cyberattacks. The whole concept of endpoints is indeed likely archaic.
Endpoint assumes that an employee’s workstation is a dead end, which is not at all the case. In fact, it is often the starting point for a successful cyberattack. Hackers are going after these “endpoints” more so than the servers in the first phase of an attack. This is because they know that most servers are well-protected from outside attack. Employees’ home workstations, however, are often lightly protected: they sit behind ISP routers with limited firewall protection and run possibly out-of-date antivirus software, if any at all.
Remote access traditionally has been an exception to the use case; most employees worked from a desk in a corporate office and occasionally would venture out into the world, so a safe way to protect those communications when they connected with the mothership was needed. With the ongoing dissolution of hard network perimeters and the likely reality of remote access being the norm rather than the exception, we need a new paradigm for corporate security and securing these distributed networks. The old model of handing a VPN to everyone who needs remote access simply isn’t going to cut it.
VPNs are a one-size-fits-all type of remote access technology for a simpler time. They were originally designed to extend an organization’s local area network to areas beyond where physical cabling could reach. Basically, it was like adding an Ethernet port onto the corporate network from your employees’ home, hotel or coffee shop where they were working temporarily. Also, the main function of a VPN is to encrypt the communications between two points. It doesn’t really deal with protecting access to that endpoint.
Some VPNs have improved a bit and added a few additional controls, but keep in mind what they were designed for: generic employee access. I’m not saying you should run out and rip out your VPNs right away because they do a good job of encrypting data in transit across the internet. But, you should really consider adding more controls and technologies to your corporate security setup to protect the points at either end. And you want to think about securing the activity as well as the device.
Here are a few areas to look at when upgrading the remote access part of your corporate security strategy for whatever the future may bring:
The routine of employees using whatever free antivirus they might decide to download on their home machine is not going to be enough in the work from home (WFH) future. Let’s start with not letting them use their home machines. To truly secure WFH, you need to have company-owned equipment for them to work on with company-managed endpoint protection. This will certainly increase capital infrastructure costs for those companies not already providing this, but think of all the money you’ll be saving on office space!
And while we are at it, let’s talk about cell phones. Those endpoints need to be protected also, given that more and more vital corporate communication is being done via mobile phones. Mobile email often uses single sign-on (SSO) passwords, which if pilfered off a phone could be used to access other corporate systems. File stores and SaaS apps (such as Salesforce) might be used to access valuable information. And woe to the administrator whose phone gets hacked and whose privileged credentials are leveraged for a broader attack.
Speaking of administrator credentials, you are going to have to up your game when it comes to protecting these ultra-valuable logins. Hackers are after these like Indiana Jones went after the Holy Grail. The fact is that administrator privileges are used in 74% of successful breaches. You need to put an extra protective ring around these kinds of credentials because administrators often do remote work, and this will only increase in the future. Treating administrative logins as different from regular ones is one of the best ways you can prevent hacks from starting and prevent minor hacks from becoming major breaches.
Privileged access management (PAM) creates several additional levels of protection for these types of credentials. With a PAM system, admin users never have the actual privileged passwords; they simply check them out from a central encrypted vault when they need them. The actual passwords are extremely long and complex and are changed very frequently, more often than a human could ever handle. And all privileged credential use is logged and tracked so that anomalous activity can quickly be discovered and dealt with.
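The checkout-and-log model described above makes one detection straightforward: any privileged login that does not fall inside a vault checkout by the same person is suspect. The following Python is an added example, not code from the original article or from any PAM product; the log layouts, account names, the 30-minute lease and the function names are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

LEASE = timedelta(minutes=30)  # assumed maximum checkout lease

# Constructed vault audit log: (time, user, privileged account, action)
VAULT_LOG = [
    ("2022-02-10T09:00:00", "alice", "root@db01", "checkout"),
    ("2022-02-10T09:20:00", "alice", "root@db01", "checkin"),
    ("2022-02-10T13:00:00", "bob", "root@web01", "checkout"),
]

# Constructed privileged-login log: (time, privileged account, person behind the session)
HOST_LOG = [
    ("2022-02-10T09:05:00", "root@db01", "alice"),   # inside alice's lease
    ("2022-02-10T09:45:00", "root@db01", "alice"),   # after check-in
    ("2022-02-10T13:10:00", "root@web01", "carol"),  # lease is held by bob
    ("2022-02-10T23:30:00", "root@web01", "bob"),    # lease long expired
]

def build_leases(vault_log, lease=LEASE):
    """Turn checkout/checkin events into (account, user, start, end) windows."""
    leases, open_leases = [], {}
    for ts, user, account, action in sorted(vault_log):
        t = datetime.fromisoformat(ts)
        if action == "checkout":
            open_leases[(account, user)] = t
        elif action == "checkin" and (account, user) in open_leases:
            start = open_leases.pop((account, user))
            leases.append((account, user, start, min(t, start + lease)))
    # A checkout that was never checked in ends when its lease expires.
    leases += [(a, u, s, s + lease) for (a, u), s in open_leases.items()]
    return leases

def unexplained_logins(host_log, leases):
    """Return privileged logins that no vault checkout accounts for."""
    findings = []
    for ts, account, user in host_log:
        t = datetime.fromisoformat(ts)
        active = [l for l in leases if l[0] == account and l[2] <= t <= l[3]]
        if not active:
            findings.append((ts, account, user, "no active checkout"))
        elif all(l[1] != user for l in active):
            findings.append((ts, account, user, "checked out by another user"))
    return findings

if __name__ == "__main__":
    for finding in unexplained_logins(HOST_LOG, build_leases(VAULT_LOG)):
        print(finding)
```
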
If you are going to implement additional protection for administrator privileges, you should also take extra care with remote access for vendors and other third parties, especially if they are using administrator privileges. This combination creates a perfect storm for opportunistic hackers that even regular PAM can’t protect against. That’s where you should consider a similar technology to PAM called vendor privileged access management (VPAM). This type of system has all the benefits of PAM for protecting privileged credentials while adding additional protections and controls around the vendor activity. It typically has vendor onboarding and offboarding to securely and efficiently get vendors access to your systems, and granular logging capabilities around their activities, up to and including full keystroke logs and/or video captures of screen activity. These features can combine to put a bulletproof shield around remote access given to third-party vendors, another major attack vector for hackers.
There are many other things that will be needed to evolve your IT security to deal with the changing times, including possible multi-factor authentication for all (MFAFA), intrusion detection and prevention using artificial intelligence and machine learning, and, most importantly, better and more frequent user education. All of these should take into account that the home working environment is a lot different than the old office environment model. The future of corporate security will rely on adapting to this new reality.