Authored by: Morey Haber, CTO/CISO at BeyondTrust
I love buzzwords and hype cycles. There are so many that have come and gone and so many that have been revitalised that they feel blissfully new again. Let’s consider remote workers. In the last six months we have gone from remote workers, to distributed workforce, and now workforce transformation. What’s the difference?
The passage of time has helped clarify what they mean, but most importantly we have gone from the initial COVID-19 situation, to the management of untrusted devices operating outside of the perimeter, to now a potentially permanent model that needs a comprehensive approach using strategies like zero trust and universal privilege management. The buzzword changes now accommodate the potential for a long-term persistent presence of employees working outside of the office. There are three primary strategies every executive, IT professional, and information security team should consider for their success:
Passwords are Not Good Enough: If remote workers are only using single-factor authentication (username and password) to initiate a VPN session or remote access, then your security posture is not sufficient to support remote workers for the duration. Simple credential theft is rampant across the Internet, and any leaked credentials could be used by a threat actor to spoof a remote worker's connection. Consider using a multi-factor authentication (MFA) solution to protect remote authentication of workers. Also make sure you train employees on the risk of phishing when using MFA. MFA alone cannot protect against a phishing attack that poses as a legitimate MFA login. In fact, such an attack captures the user's credentials, and if the user approves the MFA challenge, the threat actor then has access to those resources. Passwords are not good enough, and MFA is a best-practice second layer. Do not be fooled, though: MFA is not bulletproof, and social engineering attacks can still render it useless. It is still better than a password alone for authentication.
Never Connect as an Administrator: It goes without saying that all privileged access should be guarded. And, for a distributed workforce, remote access technologies should never be initiated by users operating as a local or remote administrator (or root). All remote access sessions should be started as a standard user, and a privileged access management solution should automatically elevate any tasks or applications that require administrative rights. This includes any additional remote sessions that may be established after the initial connection is made. With a distributed workforce, it is now more important than ever to enforce a least privilege model and passwordless administration. Privileges used while operating remotely should be monitored, managed, and documented for inappropriate activity, since, after all, a threat actor will most likely be operating remotely as well, and distinguishing them from a remote worker is key to any threat identification process.
Manage the Asset: The workforce transformation has taught us one critical thing. Regardless of whether the device is bring your own device (BYOD) or corporate owned, the device needs to be managed. Whether this is done using an MDM solution for BYOD or other endpoint security technology for corporate-owned devices, they need to be under the organisation's control. While BYOD has its own challenges, corporate devices should not be so complicated. Organisations need to consider the following aspects for persistent remote devices:
How they are assessed for vulnerabilities
How they are patched
How they are configured
How software is deployed
How they receive policy updates for endpoint security solutions
How they can be supported by service desk personnel
In fairness, this list goes on and on. With on-premises infrastructure, these items were rarely questioned: scan the device, install an agent, or launch an RDP session to gain access. With a workforce transformation, relying on VPN technology to tunnel all of this traffic is simply unrealistic. When the VPN is disconnected, the device is not protected and is, frankly, unmanaged in this state. This is where workforce transformation can have the biggest impact.
Consider the cloud for all your endpoint security and global endpoint management needs. As soon as a device is powered on and connected, it can be managed from the cloud, and all policy, events, alerts, and updates no longer saturate the corporate VPN infrastructure. The cloud is the perfect deployment mechanism for managing remote worker endpoints and a necessary strategy for workforce transformation. Frankly, there is no good reason, except for air-gapped networks, that endpoint security and device management should not be done from the cloud.
If we accept that buzzwords will always morph and fade away, hopefully one day the coronavirus will as well. But one thing is certain: many buzzwords, like viruses, are hard to avoid and, for now, are here to stay. Since we are living with a pandemic and have a workforce transformation occurring as a consequence, we should consider the risks to the business, people, data, and our assets. These top three recommendations should help ensure that those risks never get out of control and that we can adapt to these changing times.