Remote work has quickly become the new norm for businesses regardless of their size or industry. Though COVID-19 is a very extreme case, other natural disasters such as hurricanes or tornadoes can force employees to relocate. Some just choose to work from home to gain a better life balance or avoid the long commute.
It’s the last-minute moves that tend to go awry. Business leaders may choose to make quick fixes, haphazardly implementing solutions to protect their staff without realizing the repercussions. Cutting corners in areas like cybersecurity is ill-advised since it raises risk and could lead to significant headaches and business disruptions. For example, improper implementation and usage of VPNs and VDIs can actually increase the attack surface and hinder centralized controls.
Yet, it’s clear that when going remote, things cannot remain the same, as you can no longer base trust on a network or the user’s location. The perimeter no longer exists. If an attacker were to gain access to the system through a remote employee’s device, they could quickly move laterally, infecting servers, and wreaking havoc. Those situations will be tough for any business to overcome.
When it comes to supporting an out-of-the-office workforce, implementing a zero-trust methodology is critical for creating higher levels of security. Rather than trusting users by their ability to enter the network, these methodologies treat each person and device as potential breaches. The principles of zero-trust include authentication and authorization based on data points, limiting user access with just-in-time (JIT) and just-enough-access (JEA) policies, and minimizing the attack surface.
With remote work becoming the new norm, meaningful conversations must take place between MSPs and their clients on data protection and privacy. What measures can you take to boost their cybersecurity posture? Use this opportunity to talk to your clients about the benefits of adopting a zero-trust approach and focus on the following areas:
Least Privileged Access (LPA) minimizes the number of systems each user can access based on individual job requirements with prescribed timelines. When the clock runs out, their “keys” no longer work. Manually managing that process can be quite the challenge, so consider using automated solutions and self-service options where employees can request access through applications that administrators can approve or deny.
Privileged Access Management (PAM) provides specific protections for certain types of accounts. This term usually refers to users that need access to a broad majority of databases and applications. Even with this kind of system, MSPs need to enforce rules such as the use of password vaulting — a process that safeguards and continually upgrades credentials.
One cannot discuss zero-trust without mentioning multifactor authentication. We are all aware that passwords, even when following best practices, are not an effective defense against today’s cybercriminals. MFA allows staff to authenticate in a user-friendly way. Examples include one-time passwords (OTP), push notifications, and soft tokens.
Information is the bloodline of many organizations, and compromising that data can be detrimental to its operations and reputation. As often is the case with remote workers, the tools provided by their employers can be challenging to use, cause frustration, and inhibit workflow. Those employees will typically find ways to get around the systems and expose themselves and their companies to additional risks.
For example, the employer assigns laptops that seem slow and hindering the ability of remote staff to complete their assigned tasks. In these cases, they may end up using personal devices, which are guaranteed not to be as secure as corporately managed systems.
Job number one is adequately protecting the data. Employees must understand the importance of using approved devices and following security measures meant to protect their privacy and the business. Defending the data also means maintaining its integrity. For remote workforces, that process involves adequately securing all the endpoints and controlling access so that no attacker can get ahold of valued company information.
A zero-trust framework inherently challenges every process, continually monitors for abnormalities or known bad behaviors, and acts quickly to remediate potential threats. These systems watch how users interact with applications, identify the devices and networks in use, and measure other variables. Artificial intelligence helps create behavioral profiles for each user and detect abnormalities.
As we discussed previously, passwords alone are insufficient for securing a network, and MFA can be problematic once the authentication process is complete since there are no other safeguards after that point. IT professionals need to authenticate every action and monitor each step to ensure proper protection.
Tighten the Controls
Implementing zero-trust across an entire network can be difficult, especially when the timetables are short as they have been over the past couple of months. Start with a pilot program to change policies, integrate different applications, and train employees. These endeavors require a lot of time, effort, and patience.
Here are a few key things MSPs can implement for their clients to get them on the right track.
- Start by implementing privileged access management
- Clarify policies between corporate-owned and personal devices. Securing a BYOD environment is inherently more challenging, which means, at the very least, MSPs should be implementing effective mobile device management (MDM) programs for their clients with remote workers.
- Utilize zero-trust access gateways to monitor the operating system and other software.
While these processes and technologies are more challenging for MSPs to implement and for users to follow, the risks of remote work require tighter controls. With the right approach and tools, that job can be a lot easier for everyone.