Protecting the Remote Workforce
Highlights from Simeio’s August 26th “Ask Me Anything Coffee Talk Series”
This week we bring you another timely and informative Coffee Talk session. Last Wednesday’s topic was “Protecting the Remote Workforce.” The session hosts were Vikram Subramanian, Vice President of Solutions at Simeio Solutions, and Mark Whitesell, Senior Manager, Solutions Engineers at Okta. Here are some session highlights.
What are the basics surrounding a remote workforce?
The remote workforce has changed dramatically with COVID-19. We’ve gone from a small subset of users accessing a limited number of applications, to a vast populace now working remotely. Unfortunately, there wasn’t much time for companies to prepare for this shift. Supporting the remote workforce is about giving users the ability to operate their applications from anywhere and from any device securely. It’s about providing remote workers with an experience similar to what they have in the corporate office.
A protected remote workforce keeps the emphasis on how an organization enables a trusted individual with access to trusted systems and applications. The keyword is trust. Guidelines for this have been published for quite some time. It’s up to each organization to take those guidelines and implement the right elements for their business.
The industry as a whole is paying close attention to the user experience. Just as retail customers expect to quickly and effortlessly find the items they want and complete the purchase process, remote employees expect quick and seamless access to and use of their applications. If the organization tells them they must remember their usernames and passwords, then connect their phones to the ODP platform, they’ll become frustrated, and productivity will suffer. There needs to be a balance between security trust principles and providing a great user experience.
Beyond MFA, what else can we do to protect and support our remote workforce?
Multifactor authentication is just a starting point. The evolution of software tokens and phone push notifications has changed the model. The expectation beyond MFA is layering MFA onto everything you do. It’s one thing to have MFA on VPNs that have turned into cloud apps. Now, we can layer MFA on top of delta.com, marriott.com, or any other login that workers need throughout the day. Rather than having fifteen different ways to log in, with different usernames and text confirmations, they can have one login. That’s where MFA is evolving for Okta. It’s about creating a better user experience with the same MFA protection organizations need for their applications.
Organizations can’t rely upon users to put in correct usernames and passwords. So, what else can they depend upon to increase the level of trust? NIST has established standards, with assurance levels such as identity assurance and authentication assurance. Organizations first need to figure out their application risk ratings, and then establish the authentication and identity assurance trust levels for each application. Once this is complete, they can determine how to approach MFA, always keeping the user experience in mind. The next evolution is building intelligence into MFA. This allows us to accomplish several things. You can evaluate where the user is coming from and what they want to access. By taking a proof of identity and layering multiple factors like DLP on top of that, you have all of the data you need to decide whether to allow or disallow user access.
Just as WAN connectivity has been moving to software-defined networks and the cloud, and away from hardware-centric, manual configurations, identity has been moving to software-defined perimeters. Secure tunnels are established to specific assets, with layered capabilities on top of MFA, single sign-on, and intelligent authentication.
Risk-based authentication is evolving quickly. In the not-too-distant future, we probably won’t require passwords. We’re seeing the use of AI to figure out different user risk scores. That fingerprint of the user, how they got there, and what they’re doing becomes more of a guarantee of the user’s authenticity than a password that anyone can enter. This is the future for both corporate and retail authentication, replacing passwords with adaptive user profiling.
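The procedure the two preceding answers describe (rate each application’s risk, map the rating to a required assurance level, then let request context raise the bar before deciding to allow, challenge, or refuse) can be made concrete as a small policy evaluator. The following is an added example written for this summary, not code from Simeio, Okta, or the session; the application ratings, the risk signals, the thresholds, and the mapping to NIST SP 800-63B authenticator assurance levels (AAL1 to AAL3) are all constructed assumptions for illustration.

```python
"""Added example: assurance-level policy plus contextual step-up decision.

Constructed illustration: an application's risk rating selects the minimum
AAL a session must have proven, and contextual signals (device, network,
geography) can raise that requirement or refuse the request. Every value
here is made up for the example, not taken from any vendor's product.
"""
from dataclasses import dataclass, field

# Application risk rating -> minimum AAL required to reach it.
# Assumption for the example; a real mapping comes from the organisation's
# own application risk assessment.
REQUIRED_AAL = {"low": 1, "medium": 2, "high": 3}

# Example thresholds on the summed risk score (assumed values).
STEP_UP_THRESHOLD = 3   # at or above this, demand one level more than the app needs
DENY_THRESHOLD = 5      # at or above this, a high-risk app is refused outright


@dataclass
class RequestContext:
    """Signals the access decision point sees for one request (constructed)."""
    user: str
    app_risk: str               # "low" | "medium" | "high"
    achieved_aal: int           # assurance level already proven this session
    managed_device: bool        # device is enrolled in endpoint management
    corporate_network: bool     # request comes from a known corporate egress
    country: str                # geolocation of the request
    known_countries: frozenset = field(default_factory=frozenset)


def risk_score(ctx: RequestContext) -> int:
    """Sum contextual risk signals; a higher score means less confidence."""
    score = 0
    if not ctx.managed_device:
        score += 2          # unmanaged (BYOD) device: no posture guarantees
    if not ctx.corporate_network:
        score += 1          # off-network access is the norm, so weighted lightly
    if ctx.country not in ctx.known_countries:
        score += 3          # never-seen geography is the strongest signal here
    return score


def decide(ctx: RequestContext) -> tuple[str, int]:
    """Return ('allow' | 'step_up' | 'deny', required_aal) for the request."""
    required = REQUIRED_AAL[ctx.app_risk]
    score = risk_score(ctx)
    # Contextual risk raises the bar: a risky request to a medium-risk app is
    # held to the same standard as a high-risk app (capped at AAL3).
    if score >= STEP_UP_THRESHOLD:
        required = min(required + 1, 3)
    # For the most sensitive apps, enough risk means refusing rather than
    # merely challenging, so a stronger factor alone cannot unlock them.
    if ctx.app_risk == "high" and score >= DENY_THRESHOLD:
        return "deny", required
    if ctx.achieved_aal >= required:
        return "allow", required
    return "step_up", required


if __name__ == "__main__":
    known = frozenset({"US"})
    print(decide(RequestContext("alice", "medium", 1, False, False, "US", known)))
```

The decision returned alongside the required level is what an access policy engine would hand back to the identity provider: `allow` passes the user through, `step_up` prompts for a stronger factor, and `deny` ends the attempt and is worth alerting on. Keeping the signals in one scoring function makes the policy auditable: a reviewer can read exactly which conditions moved a request from a single password to a challenge.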
How would you suggest handling BYOD?
BYOD has been around for a long time, yet its usage has changed a lot. A company-issued laptop can be used for many purposes, and by other people, like family members, for any number of non-business activities. IT needs to protect devices within its network, as well as outside the corporate network. Zero trust and BYOD have become a real focus for organizations. It’s evolving, even as the complexities are increasing.
Employees can access Outlook from any device, anywhere, and anytime. Organizations simply can’t trust their workers to secure their smartphones, laptops, and tablets. That’s where requiring access with a layered fingerprint for authentication comes in and proves the user identity.
What do you do for life-cycle management?
As we consider how to handle remote users, we must contemplate how we get them into and out of our applications and the systems. Are users going to be removed entirely? Are they going to be locked out of a particular application? How we handle different scenarios of remote provisioning and de-provisioning is very important. When we build in a zero-trust environment, applications and systems need to have multiple authentication capabilities and a layered approach across everything. While it is a difficult task, it’s getting easier as we move more apps to the cloud, with just-in-time provisioning.
For disgruntled workers that have been laid off or fired, a layered approach allows you to off-board them quickly. If they are required to authenticate through AD or a single sign-on platform, they won’t be able to come in and do damage.
Let’s consider how we give users access, or off-board them, during this time of such an extreme remote workforce. The “how to” of remote on and offboarding has become the big question, and there aren’t many solutions. The answer is a combination of life-cycle management solutions, where there are connectors, applications, governance, and identity-proofing with authentication. All this needs to be implemented with the user experience in mind.
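The life-cycle questions raised above (who is removed entirely, who loses one application, and how joiners get access) come down to reconciling an authoritative HR source against what each application currently holds. The following is an added example for this summary, not Simeio’s or Okta’s connectors; the HR export, the application account lists, and the role-to-application entitlements are constructed sample data, and real connectors would replace the in-memory dictionaries.

```python
"""Added example: joiner/mover/leaver reconciliation.

Constructed illustration of life-cycle management: the HR system is the
source of truth, each application exposes the accounts it holds, and a
role model says which applications a role should have. The output is the
list of provisioning actions a connector would execute. All data is made up.
"""

# Constructed sample export from the authoritative HR system.
HR_RECORDS = [
    {"id": "e100", "status": "active",     "role": "sales"},
    {"id": "e101", "status": "active",     "role": "sales"},        # moved from engineering
    {"id": "e102", "status": "terminated", "role": "sales"},        # leaver
    {"id": "e103", "status": "active",     "role": "engineering"},  # joiner, no accounts yet
]

# Constructed: the accounts each application currently holds.
APP_ACCOUNTS = {
    "crm":  {"e100", "e102"},
    "repo": {"e101", "e102"},
}

# Constructed role model: which applications each role is entitled to.
ROLE_ENTITLEMENTS = {
    "sales": {"crm"},
    "engineering": {"repo"},
}


def reconcile(hr, apps, entitlements):
    """Return (action, app, user_id) tuples that bring apps in line with HR.

    Leavers are handled first and everywhere, so a terminated identity is
    cut off before any joiner or mover work runs.
    """
    active = {r["id"]: r["role"] for r in hr if r["status"] == "active"}
    actions = []

    # Leaver: any account whose owner is not active in HR is removed from
    # every application, regardless of role.
    for app, accounts in apps.items():
        for uid in sorted(accounts):
            if uid not in active:
                actions.append(("deprovision", app, uid))

    # Joiner / mover: grant what the current role entitles and revoke what it
    # does not, so a role change does not leave stale access behind.
    for uid, role in sorted(active.items()):
        should_have = entitlements.get(role, set())
        for app, accounts in apps.items():
            has = uid in accounts
            if app in should_have and not has:
                actions.append(("provision", app, uid))
            elif app not in should_have and has:
                actions.append(("deprovision", app, uid))
    return actions


if __name__ == "__main__":
    for action in reconcile(HR_RECORDS, APP_ACCOUNTS, ROLE_ENTITLEMENTS):
        print(*action)
```

Run on the sample data, the plan removes the terminated user from both applications first, then fixes the mover (adds the CRM account, drops the repository account the old role granted) and provisions the joiner. Ordering leavers ahead of everything else is the property that matters for the off-boarding scenario described above; in a real deployment the same comparison would run on a schedule or on each HR event, with the actions executed through the application connectors.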
We’ve just touched upon some of the conversation. If you want to learn more, you can watch this and other on-demand Coffee Talk sessions at https://www.brighttalk.com/channel/17142.
We hope you can join our next Coffee Talk, where you can chat with IAM experts, ask questions, and gain insights into how you can lower operational costs and achieve greater security and privacy using IAM. Click here to sign up.