During the COVID-19 pandemic, organizations’ switch to a remote workforce has, in many cases, left employees working from home without the tools or training required to protect the organization. This served to highlight the need for identity management and governance for telework security.
While enforcing the use of a virtual private network (VPN) when working remotely is a good first step toward security, it isn’t enough to protect telecommuting employees from myriad threats roaming in the wild.
A secure connection between the employee’s device and the enterprise network does little good if the employee isn’t the person at the keyboard.
The Identity Management Challenges of Telework
When its employees are working from the office, securing access to sensitive data is a lot easier for an organization. Achieving a direct connection to the corporate network tends to be more difficult for an attacker, so authenticated users on the network are likely to be legitimate employees.
Identity management is more difficult for an organization with employees working from home because it requires, at minimum, integrating the identity and access management (IAM) solution with the secure connectivity solution the organization uses. Often, the organization must also plan to integrate a variety of solutions across a spectrum of controls, including privileged access management (PAM) and network access control (NAC), to adequately secure the environment.
Further, if the organization is a heavy cloud user, it may rely upon the cloud platforms’ authentication systems to uniquely identify the user, potentially creating an administrative nightmare with many different user IDs across many different platforms, each one presenting its own risk surface.
Additionally, devices in home offices are more likely to be used for both work and personal reasons, shared with other family members, or even lost or stolen. A few minutes’ inattention by an employee could allow a toddler – or even worse, a teenager – control over sensitive corporate assets.
The organization must be able to identify the user through means above and beyond traditional user IDs and passwords by layering behavioral and contextual analytics to provision access to corporate resources.
Even if a user is who they claim to be, many employees are teleworking from personal devices. These devices are unlikely to be compliant with the organization’s security policies like complex passwords, antivirus, patching and configuration hardening. If an antivirus solution is not running and up to date on an employee’s personal computer, a missed update or a successful phishing email can result in stolen credentials or a malware infection.
Either of these would allow a cybercriminal to masquerade as the employee when trying to access the corporate network.
The Risks of Failing to Properly Manage Identity
In the rush to transition the company to telework in the midst of COVID-19, security was often overlooked in favor of ensuring employee safety and continuing business operations. However, the risks associated with poor identity management and governance for telework security can be significant and should be corrected once the business has settled.
Many employees require access to sensitive information to perform their job duties. In order to work effectively while teleworking, these employees require the same level of access to data as they have in the office. Within the perimeter of the corporate network, associated risks can be managed through layered security controls. However, in the age of work-from-home, the corporate perimeter no longer exists.
Traditional controls like Data Loss Prevention (DLP) focused on perimeter egress points aren’t equipped to work in many work-from-home architectures. Accessing sensitive data from a remote device on an unknown and potentially unsecured network dramatically increases an organization’s risk of a data breach.
The direct costs of a data breach average approximately $3.92 million, and this does not include secondary impacts such as reputational damage and lost future sales. With lost or misplaced devices representing a leading cause of data breaches, the cost of failing to appropriately control the data accessible to teleworkers’ devices can be significant.
Regulatory and Contractual Non-Compliance
During the COVID-19 pandemic, many data protection regulations and standards, such as the Payment Card Industry Data Security Standard (PCI DSS) and the Health Insurance Portability and Accountability Act (HIPAA), have relaxed some of their requirements. However, these changes are largely to reporting requirements during the crisis. After “business as usual” has resumed, organizations will be expected to demonstrate how they maintained compliance during the crisis.
Identity and access management is essential to properly securing data protected by regulations. For instance, using multi-factor authentication (MFA) is part of PCI DSS guidance for remote workers. Failing to do so could jeopardize an organization’s next compliance audit.
However, the legal risks of poor identity management are not limited to regulatory compliance. Non-disclosure agreements (NDAs) and similar contractual agreements require an organization to protect access to sensitive data provided by their partners. Failure to implement proper identity management for remote workers could put a company in breach of contract.
A New Security Model Is Needed
The legacy perimeter-based security model, where anyone with access to the corporate network is trusted, is not applicable to teleworkers. Any employee can be connecting from anywhere, and differentiating legitimate users from attackers can be difficult or impossible without the correct solutions in place.
As companies increasingly support remote work, a switch to a zero-trust security model is needed. Under a zero-trust model, access to corporate data and resources is provided only when a user’s identity can be verified through multiple signals, not a single credential: the login itself, a second factor, the posture of the device, and the behavioral and contextual analytics described above.
Once authenticated, access is dynamically provisioned to needed resources, reinforcing the critical access control concepts of least-privilege and need-to-know. This requires a re-think of the organization’s IAM program from end to end, including network segmentation. However, the benefits of implementing zero-trust security are significant, enabling an organization to dramatically decrease its risk of data breaches or regulatory non-compliance.
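The contextual checks described earlier (device compliance, behavioral and contextual signals) and the zero-trust flow just outlined (verify, then provision only what is needed) can be shown as one small policy engine. The following Python is an added example, not code from the original post or from Avertium; every role, resource, risk threshold and sample session in it is a constructed assumption for illustration.

```python
# Added example, not code from the original post or from Avertium: a toy
# zero-trust access evaluator. Every role, resource, threshold and sample
# value below is a constructed assumption for illustration.
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step-up"  # session must complete MFA before access is granted
    DENY = "deny"


@dataclass(frozen=True)
class Device:
    managed: bool         # enrolled in corporate device management
    disk_encrypted: bool
    av_up_to_date: bool
    patched: bool


@dataclass(frozen=True)
class Context:
    mfa_verified: bool
    known_network: bool            # e.g. corporate VPN or office egress
    country: str
    usual_countries: frozenset     # countries this user normally logs in from
    login_hour: int                # user's local hour, 0-23


# Need-to-know scope: which resources each role may ever reach (constructed).
ROLE_RESOURCES = {
    "finance": frozenset({"erp", "payroll"}),
    "engineer": frozenset({"git", "ci"}),
    "support": frozenset({"ticketing"}),
}
# Resources holding regulated data; only reachable from a compliant managed device.
SENSITIVE = frozenset({"erp", "payroll"})
DENY_RISK_THRESHOLD = 3


def device_compliant(d: Device) -> bool:
    """Hypothetical compliance policy: managed, encrypted, AV current, patched."""
    return d.managed and d.disk_encrypted and d.av_up_to_date and d.patched


def risk_score(ctx: Context) -> int:
    """Contextual signals: an unfamiliar network, country or hour adds risk."""
    score = 0
    if not ctx.known_network:
        score += 1
    if ctx.country not in ctx.usual_countries:
        score += 2
    if ctx.login_hour < 6 or ctx.login_hour > 22:
        score += 1
    return score


def evaluate(role: str, resource: str, device: Device, ctx: Context):
    """Return (Decision, reason) for one access request."""
    if resource not in ROLE_RESOURCES.get(role, frozenset()):
        return Decision.DENY, "resource outside role scope"
    if resource in SENSITIVE and not device_compliant(device):
        return Decision.DENY, "sensitive resource requires a compliant managed device"
    score = risk_score(ctx)
    # Deny anomalous sessions before prompting for MFA, so a request that will
    # be blocked anyway never generates a push the user might approve by reflex.
    if score >= DENY_RISK_THRESHOLD:
        return Decision.DENY, f"context too anomalous (risk score {score})"
    if not ctx.mfa_verified:
        return Decision.STEP_UP, "MFA required for remote access"
    return Decision.ALLOW, f"risk score {score}"


def provision(role: str, device: Device, ctx: Context) -> list:
    """Dynamically provision only the resources this session may use right now."""
    return sorted(r for r in ROLE_RESOURCES.get(role, frozenset())
                  if evaluate(role, r, device, ctx)[0] is Decision.ALLOW)


# Constructed sample sessions.
MANAGED_LAPTOP = Device(managed=True, disk_encrypted=True, av_up_to_date=True, patched=True)
PERSONAL_PC = Device(managed=False, disk_encrypted=False, av_up_to_date=True, patched=False)
HOME_OK = Context(mfa_verified=True, known_network=True, country="US",
                  usual_countries=frozenset({"US"}), login_hour=10)
HOME_NO_MFA = Context(mfa_verified=False, known_network=True, country="US",
                      usual_countries=frozenset({"US"}), login_hour=10)
ANOMALOUS = Context(mfa_verified=True, known_network=False, country="ZZ",
                    usual_countries=frozenset({"US"}), login_hour=3)

if __name__ == "__main__":
    for label, args in {
        "finance/erp/managed": ("finance", "erp", MANAGED_LAPTOP, HOME_OK),
        "finance/erp/personal": ("finance", "erp", PERSONAL_PC, HOME_OK),
        "finance/erp/no-mfa": ("finance", "erp", MANAGED_LAPTOP, HOME_NO_MFA),
        "engineer/git/anomalous": ("engineer", "git", MANAGED_LAPTOP, ANOMALOUS),
    }.items():
        print(label, *evaluate(*args))
    print("engineer on personal PC gets:", provision("engineer", PERSONAL_PC, HOME_OK))
```

The point of the ordering in `evaluate` is that each layer narrows access rather than expanding it: role scope enforces need-to-know, device posture gates regulated data, contextual risk can refuse even a correctly authenticated session, and MFA is a hard requirement for whatever survives. `provision` then hands the session only the resources that pass every check, which is what dynamic least-privilege provisioning looks like in practice: an engineer on an unmanaged personal PC still reaches the non-sensitive tooling for their role, while a finance user on the same machine gets nothing until they move to a compliant device.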
If you’d like help ensuring your telework security, know that we’re here for you. Reach out to start the conversation.
Check out our webinar-on-demand, “Key Shifts in Identity Management and Governance”, to learn more about identity management and governance for telework security so you can Show No Weakness.
Paul Caiazzo, Senior VP of Security and Compliance
Paul brings his wealth of cybersecurity experience to guide Avertium customers through challenging security problems while keeping business goals and objectives at the forefront. His primary focus is on business development, partner and client engagement and other strategic initiatives.