It is clear that businesses are scrambling to balance remotely connecting their workforce with producing revenue and supporting clients at the same time. Companies are, rightly, concerned first with making sure operational capabilities are in place before trying to lock down security risks.
As the world moves at Internet speed, it is easy to prioritize ease of use over cybersecurity gaps, risks and concerns. But it does not have to be that way: making sure users securely access data and systems is itself a way of enabling remote workers.
IAM and security can enable, not just secure
We were already working with a client on their security risk program when we needed to enable their 65-person small-business workforce to work from home, and get it done in less than seven days. The challenge was that half of their team worked in the office, on desktop computers, taking help desk calls from clients.
They quickly ordered the needed laptops for their employees, increased VPN licenses and capacity, deployed endpoint threat detection on the new mobile devices and ensured that these workers could access critical SaaS applications. The internal perimeter no longer protected these users; they were now accessing data, systems and applications remotely.
Companies today can take advantage of built-in security features and capabilities as part of their remote workforce enablement. It's not an afterthought, but an integral part of the rollout of these new programs: a way to enable secure access, secure applications and secure sharing of data.
The IAM "AAA" planning for remote work
When your workforce is enabled to access corporate resources, the first step is to validate the user's identity. Authentication carries a spectrum of risk depending on the method of access, from simple passwords to a layered approach with two-factor authentication, VPN and threat detection.
Companies have implemented Network Access Control (NAC) at corporate offices to ensure that a bad actor cannot simply walk in, sit down, plug in a laptop and get access without the user and device identity being vetted. The same vetting now needs to be done for any remote worker, on a remote device, through policy and visibility. There are a few things to consider when enabling authentication for users:
- Do you already have strong authentication in place today? Protect that investment and expand its capability by getting more licenses, capacity and management.
- Identify critical applications and make sure their passwords are strong. If an app is one your business needs to function and it will be accessed remotely, add layers of authentication to it first.
- If users only use passwords to access applications, add another factor with a Multi-Factor Authentication (MFA) tool such as RSA SecurID or Duo.
- For many applications it will be hard to implement MFA on the application itself, so use a captive portal from an NGFW such as Palo Alto Networks, which can enforce MFA for all the protected applications before allowing connectivity to them.
- Force a password change when users go remote, especially if any passwords may have been shared or reused, and update your company password policy to show users what they need to do. Strengthen the requirements (length, screening against known-breached passwords) rather than simply rotating more often: NIST SP 800-63B no longer recommends periodic forced changes, because they push users toward predictable variations of the old password.
- Create network- and location-aware remote access policies that require stronger authentication or host information profile checks for access from outside trusted networks.
- Monitor user access to critical systems. Make sure you can identify who is logging into your systems so that you can detect and prevent threats.
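The network- and location-aware policy described above is easier to reason about once it is written down as rules. The following is an added example, not code from the original article or from any vendor product: a small policy evaluator that combines the NAC-style device check, the trusted-network test and MFA step-up. The network ranges, the application tiering and the request field names are assumptions made for this example.

```python
"""Context-aware access decision for remote workers (added example).

Not code from the original article or any vendor: a small policy evaluator
showing what "network/location aware" access rules look like when written
down. The network ranges, application tiers and request field names are
assumptions made for this example.
"""
import ipaddress

# Assumed trusted networks: the office egress range and the VPN client pool.
TRUSTED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),   # office egress (documentation range)
    ipaddress.ip_network("10.200.0.0/16"),    # VPN client pool
]

# Assumed tiering: apps the business cannot function without get the strictest rules.
CRITICAL_APPS = {"helpdesk-crm", "payroll"}


def is_trusted_network(src_ip):
    """True when src_ip falls inside one of the trusted ranges."""
    ip = ipaddress.ip_address(src_ip)
    return any(ip in net for net in TRUSTED_NETWORKS)


def evaluate_access(request):
    """Return (decision, reason) for a login attempt.

    request fields (assumed schema): user, src_ip, app,
    device_managed (bool, the NAC-style device vetting), mfa_satisfied (bool).
    decision is one of "allow", "step_up_mfa", "deny".
    """
    critical = request["app"] in CRITICAL_APPS
    trusted = is_trusted_network(request["src_ip"])

    # Device vetting comes first: critical apps are never reachable from an
    # unmanaged device, whatever factors the user presented.
    if critical and not request["device_managed"]:
        return "deny", "critical app from unmanaged device"

    # Off-network users are treated like strangers walking into the office:
    # a password alone is not enough. Critical apps always require MFA.
    needs_mfa = critical or not trusted
    if needs_mfa and not request["mfa_satisfied"]:
        why = "critical app" if critical else "untrusted network"
        return "step_up_mfa", "MFA required for %s from %s" % (why, request["src_ip"])

    return "allow", "policy satisfied"


if __name__ == "__main__":
    # Constructed requests illustrating each branch.
    for req in [
        {"user": "bob", "src_ip": "10.200.4.7", "app": "wiki", "device_managed": True, "mfa_satisfied": False},
        {"user": "bob", "src_ip": "198.51.100.9", "app": "wiki", "device_managed": True, "mfa_satisfied": False},
        {"user": "bob", "src_ip": "198.51.100.9", "app": "payroll", "device_managed": False, "mfa_satisfied": True},
        {"user": "bob", "src_ip": "198.51.100.9", "app": "payroll", "device_managed": True, "mfa_satisfied": True},
    ]:
        print(req["app"], req["src_ip"], "->", evaluate_access(req))
```

The order of the checks is the practitioner's point: the device decision is made before the authentication decision, so a stolen credential plus a stolen OTP on an unmanaged laptop still does not reach a critical application.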
Once a user is authenticated, what should they have access to? This authorization layer is the most critical in IAM and can be the most difficult. Each company will authorize users differently based on its industry, business model and even culture, but some basics should be considered to make sure remote workers are both enabled and secure:
- Make sure you have an approved corporate policy in place that spells out what employees should have access to, including data classification and what data can and cannot be shared or stored on remote devices.
- If you have an identity governance tool in place, such as RSA Identity Governance and Lifecycle (IGL) or SailPoint, use it to enforce roles and which applications users should have access to.
- Centralize your identities into one directory infrastructure for better control. If you use Active Directory for authentication, make sure your Group Policy Objects (GPOs) are configured deliberately and not left at the default implementation. Harden those policies.
- Identify critical applications and harden their operating systems using the CIS Benchmarks.
- For more mature organizations, start to create a Zero Trust architecture and program. This means that not only users but also applications, systems, networks, IoT devices and data need to be authenticated and authorized.
- Implement Privileged Access Management (PAM) and Database Activity Monitoring (DAM) to lock down those critical administrator accounts. Enable them with tools, but secure them with controls.
- Stop “make me look like Bob” processes. For new users, do not just copy the rights of a similar worker. Create their application entitlements based on their role, specific to their needs.
The daily, disciplined administration of users is usually the first area of IAM to be mismanaged when a crisis hits. IT teams become reactive to "fires" and stop proactively managing some of the most critical aspects of operations, such as who has access and why. The best solution is to automate administration as much as possible, so that enforcement gaps and security risks that would increase costs and exposure do not get overlooked:
- Apply "firewall logic" to identities on critical systems: a "deny all, allow some" policy for user access. Force users who need access to a critical system to formally request it. Do not grant access based on tribal knowledge.
- Route all access requests through a help desk ticket. If you cannot control every aspect of administering a user request, at least you will have a record of it for auditing and reporting.
- Update your firewall policies with the service ticket number and a review-by date.
- Audit what a user has access to before you allow them to work from home. Have the user (or their manager) justify the access they have and remove anything they do not need. This is the principle of least privilege in IAM.
- Set up a "break glass" process for privileged users who may need access in an emergency. PAM tools such as CyberArk and BeyondTrust have this feature out of the box.
- Send all logs to a centralized SIEM monitored by your Security Operations Center. Access to critical applications and data needs to be managed proactively so that threats are discovered and handled.
- Deploy a SOAR tool to run playbooks against critical system logins, for example flagging a user who logs in from opposite sides of the country within a few minutes, commonly called impossible travel.
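The impossible-travel check in the last bullet is simple enough to show in full. The following is an added example, not code from the original article or from any SOAR product: the core logic a playbook would run over login events for critical systems, using a constructed log. The log lines, the geolocated coordinates attached to each event and the 900 km/h threshold are assumptions made for this example.

```python
"""Impossible-travel check over a constructed login log (added example).

Not code from the original article or any SOAR product: the core logic a
playbook would run against login events for critical systems. The log lines,
the geolocated coordinates and the 900 km/h threshold are assumptions made
for this example.
"""
import math
from datetime import datetime, timezone

# Constructed events: UTC timestamp, user, source IP, latitude, longitude.
# Coordinates are assumed to come from an IP geolocation lookup done earlier
# in the pipeline; the IPs are from documentation ranges.
SAMPLE_LOGINS = [
    "2020-03-20T13:00:00Z,bob,203.0.113.10,40.71,-74.01",    # New York
    "2020-03-20T13:05:00Z,bob,198.51.100.7,34.05,-118.24",   # Los Angeles, 5 minutes later
    "2020-03-20T16:10:00Z,alice,192.0.2.45,40.71,-74.01",    # New York (out of order in the log)
    "2020-03-20T13:10:00Z,alice,192.0.2.44,41.88,-87.63",    # Chicago, 3 hours earlier
]

# Assumed threshold: well above airliner cruising speed.
MAX_SPEED_KMH = 900.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two lat/lon points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_login(line):
    """Parse one constructed CSV login line into a dict."""
    ts, user, ip, lat, lon = line.strip().split(",")
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "user": user,
        "ip": ip,
        "lat": float(lat),
        "lon": float(lon),
    }


def find_impossible_travel(lines, max_speed_kmh=MAX_SPEED_KMH):
    """Return one alert per pair of consecutive logins by the same user that
    would require travelling faster than max_speed_kmh."""
    # Logs arrive out of order; sort per user by time before pairing events.
    events = sorted((parse_login(l) for l in lines), key=lambda e: (e["user"], e["ts"]))
    alerts = []
    previous = {}
    for event in events:
        prev = previous.get(event["user"])
        if prev is not None:
            distance = haversine_km(prev["lat"], prev["lon"], event["lat"], event["lon"])
            hours = (event["ts"] - prev["ts"]).total_seconds() / 3600.0
            if hours == 0:
                # Simultaneous logins from two different places are the extreme case.
                speed = math.inf if distance > 0 else 0.0
            else:
                speed = distance / hours
            if speed > max_speed_kmh:
                alerts.append({
                    "user": event["user"],
                    "from_ip": prev["ip"],
                    "to_ip": event["ip"],
                    "distance_km": round(distance, 1),
                    "minutes": round(hours * 60, 1),
                    "speed_kmh": speed if speed == math.inf else round(speed, 1),
                })
        previous[event["user"]] = event
    return alerts


if __name__ == "__main__":
    for alert in find_impossible_travel(SAMPLE_LOGINS):
        print("impossible travel:", alert)
```

In the constructed log only bob trips the rule: roughly 3,900 km in five minutes. Alice's Chicago-to-New York pair is about 1,100 km over three hours, which is ordinary travel and stays quiet, so the playbook that consumes these alerts can afford to act on every one, for example by forcing MFA re-enrollment or disabling the session.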
Security is a program, not just a project
Now that you have started to enable your remote workforce with IAM, you can start adding the layers you need to mature your defense-in-depth strategy. Security concerns and risks will change over time, which makes it important to continually evaluate your attack surface and the threats to users and data, and to modify and implement new controls. Here is a list of other considerations you can add as you mature your program:
- improve security operations for increased visibility with SIEM, logging and SOAR;
- update your Asset Management and CMDB with new tools and controls;
- update your security policies and procedures to reflect new programs;
- implement and use vulnerability scanning of new cloud infrastructures;
- perform third-party security assessments;
- new SaaS apps and vendors need to be secure and validated;
- deploy Mobile Device Management (MDM) controls like AirWatch;
- consider deception technology, like honeypots, to keep hackers occupied; and
- securely segment your network and data to prevent the spread of a different kind of virus.
There is one last piece, which is a final step but also an ongoing program: document everything. As we enable workers with new technologies, provide new access to data and spread out our assets, we need to document all aspects of the security program so that another team can step in and help when needed. Storing this information as "tribal knowledge" inside the heads of our IT professionals will not protect us from future needs. Documentation is our friend.
As we embrace change, incorporate new processes and controls and enable users and our remote workforce, let’s make sure as IT professionals that we include security as an enabler all along the way; not just as a lock-down mechanism or a second consideration. Our employees, clients and partners expect that of any world-class organization.