Saryu Nayyar | forbes.com »
Many believe the COVID-19 crisis will serve as a tipping point for the more permanent adoption of remote work practices, especially now that companies around the world have experienced remote work’s benefits. According to Global Workplace Analytics, 25%-30% of the workforce will be working from home multiple days a week by the end of 2021. Meanwhile, a Gallup study revealed that remote workers were substantially more engaged in their jobs.
Despite these advantages, remote work creates new security challenges for organizations that are used to managing risk within the confines of a traditional office environment. In remote work scenarios, security must shift its focus to data and users’ interactions with it.
For example, in the traditional workplace, IT departments are concerned with company-owned devices, networks and employee activity within the organization’s four walls. Remote work, meanwhile, necessitates the monitoring of personal devices and employee behavior outside the corporate network. It also requires companies to adapt and extend their existing risk management and security technologies in light of this new extended perimeter.
Take access control to IT resources, for instance. Remote work forces organizations to make significant changes to security policies and controls, all of which can introduce unintended risks. Consider the following questions. Does your organization:
- Provide users access to anything they request to keep the business running?
- Extend emergency privileged access to employees or third-party service providers to support remote work requirements?
- Create new cloud application accounts without enforcing security policies on privileges, roles and entitlements?
Left unchecked, unnecessary and overprivileged access expands an organization’s attack surface in ways that are hard to monitor and defend. In the average midsize to large company, the sheer number of users and resources (applications, systems, data stores, etc.) makes access and identity management virtually impossible using traditional human-directed tools and approaches.
Keeping tabs on access risks was hard enough when workforces were largely confined to corporate offices. With remote work, the scale of the challenge is elevated to a whole new level. Enforcing the appropriate level of access and privileges requires routine assessments to determine if:
- Project priorities have changed and, if so, whether access needs should also change.
- Employees have taken on new or added roles, necessitating corresponding access changes.
- All granted access and permissions are necessary and being used and whether some should be revoked to reduce risk.
- Orphaned accounts exist that should be deleted.
- Departing user accounts have been deprovisioned.
As organizations prepare for the end of work-from-home mandates, they should use the current situation to shine a light on their identity and access risk management capabilities. For many, assessing and documenting both internal and remote access risks will exceed the reach of their current monitoring and control systems.
Fortunately, a new breed of tools is available that uses analytics to automate the mapping of all identities, both human and machine, and their privileges to expose risk. With this visibility and intelligence, organizations can proactively eliminate access risks on a continuous basis and reduce their attack surface.
Working with one large health insurer, we developed a system that applied analytics-based processing to more than 40 million identities belonging to employees, partners and customers. The goal was to identify outlier access, undocumented privileged access, orphan and dormant accounts, excess access, and misaligned access. Among the initial findings, 70% of existing privileged accounts were unclassified (and unprotected) and were subsequently vaulted to isolate them from attack.
There are also other ways to reduce identity and access risk without adding new tools.
At a minimum, start with a cursory review of existing roles, policies and procedures, and understand how they are applied. Make adjustments as necessary to reflect the current conditions for remote work access requirements and how they may have to change once workflows return to a more normal state.
After the policy review is complete, a quick audit will help you know what it will take to implement those updated policies. Don’t forget to review access changes for individuals that may occur when changing roles or moves within the organization. Rubber stamping access requests may leave people with far more privileges than they currently need, which should be pruned where appropriate.
Also, remove access for employees who’ve been released or furloughed. Even if they are not fully deprovisioned because they’re expected to return, they should only retain minimal access.
The current health crisis has reminded us that without secure access to business applications and data, business grinds to a standstill. It has also exposed the complexity and scale of the challenge we face in monitoring and managing identities and their permissions to prevent data breaches.
Going forward, organizations should leverage their existing tools and processes to monitor compliance with new access policies. While this approach may not be as fast and efficient as using a dedicated analytics tool, it can help mitigate the risks associated with a sudden shift in access and work patterns imposed by a crisis like COVID-19 — or any other crisis, for that matter.
Saryu Nayyar is CEO of Gurucul, a provider of behavioral security analytics technology and a recognized expert in cyber risk management.
External Link: What A Health Crisis Can Teach Us About Access Risks