Over the past several years, we have seen many organizations focus on the race towards digital transformation. However, up until now, the move towards digital and cloud-based services has been seen as a journey. There is no denying the events of 2020 have acted as a watershed moment and kicked many organizations into overdrive. As we head into next year, digital transformation will no longer be an option, and most organizations will have implemented and embraced remote working in some form.
More people than ever before need access to corporate data from their homes and from personal devices. And employees expect the same level of access and user experience as they would in the office. There’s never been a higher demand for remote access, and therefore never a greater need for strong access security.
Remote access and cloud-based applications can bring clear benefits to the workforce when it comes to increased flexibility, and there are savings to be made for businesses too. While working remotely due to the pandemic, many employees have found they are able to work in a more agile away, and have gained a better work-life balance with the commute now cut to a simple walk upstairs, or sat a kitchen table or even the sofa. However, there are also inherent security risks, and the reality is that remote working and both the challenges and benefits it can bring is not going to fade away anytime soon.
As we emerge from the global pandemic and the world starts to open back up, change is unavoidable, and some organizations and employees will want to embrace new ways of working. Perhaps this comes as no surprise given the gains that both employers and employees have experienced this year through remote working. Some businesses may have had little need for remote access in the past, so will have been scrambling to put frameworks in place over the past few months. Others will have had external access structures in place for some time – but may have needed to scale up to meet demand. However, a distributed workforce means a broader attack surface and businesses are going to face a rising number of challenges and risks on the security front. Even when time is of the essence, and despite the pressure, many organizations felt during the pandemic security needs to remain a key consideration. With more people and more devices accessing corporate networks, IT teams are defending a broader and more diverse attack surface than ever before.
Zero trust
In a traditional IT environment, employees’ workstations remain safely within the corporate security perimeter, benefitting from its full corporate protection. However, in today’s “digital transformation” context, user endpoints may be located anywhere around the globe, exposing them to a wide variety of external threats. When each remote employee or external contractor represents a new vulnerable entry point, a powerful endpoint privilege management strategy is essential to effectively secure remote access.
The fact is that remote workers carry risks that traditional office-based workers don’t. They have local admin rights over their personal devices, meaning they can freely download applications and tools that would otherwise not be supported by an organization’s IT department. In addition, users are more likely to need access to cloud-based apps, and we are seeing both personal and work devices becoming intertwined. This all adds to the growing challenges of cybersecurity compliance and managing privileged access. In order to truly evaluate just how exposed the business is, organizations need to move security away from the perimeter and instead to the endpoint.
The rapid change towards digital transformation acts as a perfect moment for organizations to evaluate and adjust their security strategies accordingly. Traditional solutions simply cannot fully support the ‘new normal’ of a dispersed workforce. These types of solutions were not designed to secure against external and remote access, giving organizations an insufficient level of control and insight over who is connecting into which data/assets.
If businesses are to successfully support today’s remote workforce, it is imperative to implement a robust solution that will always incorporate the concept of Zero Trust and limit privileged access. The Zero Trust model rests on the principle that no user is trusted implicitly when connecting and accessing critical data. In addition, by monitoring and limiting who has elevated rights or administrative access to critical systems, businesses will naturally have an increased level of control and insight – two vital aspects to bolstering any cybersecurity strategy.
Securing VPN access
In a traditional IT environment, employees’ workstations remain safely within the corporate security perimeter, benefitting from its full corporate protection. However, in today’s “digital transformation” context, user endpoints may be located anywhere around the globe, exposing them to a wide variety of external threats. When each remote employee or external contractor represents a new vulnerable entry point, a powerful endpoint privilege management strategy is essential to effectively secure remote access.
Securing VPN access has also been another pressing concern facing the new remote businesses. VPNs are still the most common way to create a ‘data tunnel’ between corporate networks and their users. While data can be protected through encryption, VPNs still carry inherent risks and drawbacks. They can work well enough for internal employees, where IT teams have defined identities and roles for everybody accessing a system. However, this can become problematic when they need to open up access to 3rd party vendors. Therefore, even if employees are using VPN access, it is important to an extra layer of protection in case a password for a VPN is compromised. For example, by making a vendor authenticate themselves via multi-factor authentication (MFA). However, it is important to note that this alone will stay not go far enough, businesses should also ensure they have granular control needed to monitor and restrict where a vendor and employee can go or what they can do within a network.
In addition, another best practice is to look at complying with cybersecurity regulations and standards – especially when managing critical resources or manipulating sensitive data. Organizations should already have this as a focus point, but it is critical to ensure that compliance and regulation are not broken when it comes to accessing data remotely. These policies and requirements drastically reduce system vulnerabilities even when open to external access, ensuring business and, of course, avoiding hefty fines for non-compliance. Proper tools can save organizations and third-party providers significant time and stress by illustrating exactly what actions have been taken on a system, eliminating long recovery analysis, and allowing actions to be monitored and audited in case of a security breach.
As we head into a world where remote access is no longer a ‘nice-to-have’ and is instead a necessity, organizations cannot afford to rush ahead with dispersed workforce plans and leave security as an afterthought. Know that hackers won’t stop searching for the cracks in your armor. So, there’s never been a better time to invest in strong access security.
Rashid Ali, Enterprise Solutions Manager, WALLIX