The COVID-19 pandemic has forced organizations around the world to transition to a remote work paradigm, a move that introduced collaboration tools, VPN connectivity, chat apps, and video conferencing to employees who had historically worked together in person. This work-from-anywhere transition is very likely to continue, in full or in a hybrid model, into the future. Organizations and people have adapted and started to find a new normal.
This article will explore four considerations that cybersecurity teams should be thinking about while working with a largely remote workforce.
Devices and VPN
The move to a remote-first posture likely changes the way services are accessed. No longer is everyone on the corporate network from headquarters. A VPN connection to a trusted network is a solution that’s been around for some time now. In this remote-first paradigm, discussions around bring-your-own-device (BYOD) are also quite prevalent. Should personal devices be allowed to connect to your VPN? How does your preferred security model extend to the consumption of SaaS/PaaS solutions? If SaaS/PaaS solutions are not integrated into a single sign-on (SSO) solution that enables managed device checking, the security model may fall apart, depending on your needs. This is expanded on in the next section on authentication.
One other core consideration for device security is whether managed devices are configured and set up to withstand use within expected untrusted spaces. There has been a fairly dogmatic view over the use of “coffee-shop WiFi” or the equivalent untrusted network. This is our new reality, however, so our devices need to be in a position of resilience.
Authentication
Authentication is and has always been a fundamental element of cybersecurity. Gaining access to resources for a distributed remote workforce doesn’t have to be challenging with the rise of robust SSO solutions. Integrating authentication flows into managed devices or BYOD policies adds more complexity, but it can be worth the work. Additionally, setting overarching authentication policies, geared around geolocation, MFA flows, device configuration checks and session limits can help reduce risk. Further, some integrated apps may even benefit from application-specific security policies, which some SSO providers allow you to set up.
Compliance
The world has changed rapidly since COVID-19 first hit. Compliance standards that inform policy and procedures at most organizations have not changed quite so fast. There are still controls that emphasize practices like secure data rooms, trusted networks, and secure physical working spaces. Virtual equivalents are still finding their way to market. Compliance standards from SOC2 to NIST 800-53 have not yet fully incorporated zero trust principles into control language.
Organizations that are heavily regulated, or regulated by extension, must strike a delicate balance. Embracing a fully remote workforce is not impossible, but it does mean that security teams need to build the controls and the risk management narratives to accommodate compliance needs.
Improper Use of Collaboration Tools
A user putting sensitive data into SaaS or PaaS tools is one of the most commonly cited concerns associated with the adoption of cloud services. It’s not that these solutions aren’t secure enough to deal with sensitive data. The problem arises when a solution is set up to support one set of use cases or data types and instead gets used for something much more sensitive. This gap creates residual risk.
Security teams need to be thinking about the tools being introduced and the shadow IT that users are standing up to solve their needs. Depending on the kind of data your organization is working with, configuration and data security monitoring needs will change.
Remote work at scale has had its benefits and its drawbacks. Security teams need to balance data security, accessibility, user experience, and reliability across their organizations. All of this is happening while security teams are also changing the way they work, their tools, and their collaboration patterns.
While the risks and landscape have changed, the opportunity to lean in fully is also tremendous for security teams.