The COVID-19 pandemic has left organisations carrying an unknown security posture and unplanned risk on top of the task of keeping the lights on. Most were not prepared for all employees and third parties working remotely and are unfamiliar with the complexities that brings. Many were caught off guard and are looking for quick, immediate remediation. To keep their businesses running uninterrupted and securely, they face three key decisions:
- How to provide remote access to users in a compliant and secure manner?
- How to ensure that the user connecting remotely is who they say they are?
- How to grant privileged access to administrators and operators remotely?
You can take the following steps to address the current situation and give remote users secure access:
1. Enabling remote access with device trust
In the current situation it is important for organizations to give employees secure access to enterprise resources quickly, so that day-to-day tasks and operations continue. Many organizations were not ready for this scenario and cannot simply expose internal resources to the Internet. They need a quick way to open internal applications to remote users, and not only applications but also the file shares that were never reachable from outside the network.
Employees want to reach enterprise resources from one or more personal devices. Without knowing the security posture and trustworthiness of those personally owned devices, putting them on the internal network through a VPN is risky: a VPN grants network-level access to whatever is on the other end of the tunnel.
The easier approach is a unified endpoint management (UEM) system that publishes intranet web applications, and the file shares remote workers need for their day-to-day activities, through a secure browser. Even where a VPN is used, UEM helps by enforcing an allowlist (whitelist) of applications that users may reach remotely, reducing the overexposure that flat VPN access brings. The UEM solution can manage mobile devices, Windows laptops and MacBooks and apply a baseline of compliance and security policies (for example device encryption, OS patch level and jailbreak/root detection) so that personally owned devices can be trusted to a known degree before they are given access.
2. Enabling access with identity assurance
Once intranet web applications are exposed externally through a secure browser and users sign in to them with usernames and passwords, it becomes increasingly difficult to establish who a user really is and which accounts he or she is using. Inconsistent access policies across applications and the lack of a single identity make this harder still.
A single sign-on (SSO) solution provides one doorway to all the applications exposed on the Internet and lets you apply consistent access policies, so that the right user gets access to the right application. The SSO dashboard covers both intranet web applications and SaaS services, providing seamless access with enhanced security. To raise identity assurance and make sure the same person is behind each authentication, apply multi-factor authentication (MFA) to critical applications. Apply MFA to VPN access as well, rather than relying on username and password alone; a stolen password on its own then no longer yields a session. If you do not have a standardized MFA solution, a SaaS-delivered one can be adopted immediately.
User experience and security can be improved further with adaptive access (stepping authentication up or down based on device posture, location and the sensitivity of the application) and with passwordless authentication based on biometrics such as Touch ID and Windows Hello, and on FIDO2-compliant authenticators, which resist phishing because the credential is bound to the site's origin.
3. Enabling secure access for privileged users
While you take care of normal users' access so that day-to-day activities continue, it is even more important to focus on privileged users, both employees and third parties, who manage, monitor and maintain your critical IT resources. These privileged users are at much higher risk of targeted attacks such as phishing, especially when working remotely. If their credentials, including VPN access, are compromised, the organization has to cope with a cyberattack on top of the disruption already under way.
A privileged access management (PAM) solution delivered as SaaS, requiring only a single on-premises component for full privileged credential management, lets you get started in a matter of days. It provides secure storage (vaulting) of privileged credentials and helps identify privileged-account risk by continuously monitoring for suspicious behaviour.
Add MFA to the PAM solution itself to create an additional layer of security for the most critical assets.
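The three steps above combine into a single access decision: the UEM posture gates the device, the SSO layer establishes how strongly the user authenticated, and the privileged tier demands more than the rest. The following Python is an added example of such an adaptive-access policy, not code from this post or from the IBM products it mentions; the resource classes, posture fields, factor names and sample access attempts are assumptions chosen for illustration.

```python
"""Adaptive access policy: UEM device trust + identity assurance (MFA) + privileged access.

Added example, not code from IBM or from the products named on the page. Resource
classes, posture fields and factor names are assumptions chosen for illustration.
"""
from dataclasses import dataclass
from enum import Enum


class Decision(str, Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # continue only after a stronger factor is presented
    DENY = "deny"


@dataclass(frozen=True)
class DevicePosture:
    """What a UEM enrolment record or agent can attest about the endpoint (assumed fields)."""
    enrolled: bool     # device is known to the UEM (personal or corporate)
    compliant: bool    # passes UEM baseline: disk encryption, OS patch level, no jailbreak/root


@dataclass(frozen=True)
class AuthContext:
    """Factors the SSO layer has verified for this session (assumed names)."""
    factors: frozenset


# FIDO2 / Windows Hello / Touch ID bind the credential to the origin and device,
# so they resist phishing; OTP codes and push prompts can be relayed by a phisher.
PHISHING_RESISTANT = frozenset({"fido2", "windows_hello", "touch_id"})
SECOND_FACTORS = PHISHING_RESISTANT | frozenset({"otp", "push"})

# Assumed resource taxonomy, in increasing sensitivity:
#   intranet_web / file_share : published through the UEM secure browser
#   vpn                       : network-level access, allowlisted apps only
#   privileged_admin          : brokered through the PAM vault
RESOURCE_CLASSES = ("intranet_web", "file_share", "vpn", "privileged_admin")


def decide(resource: str, device: DevicePosture, auth: AuthContext) -> tuple:
    """Return (Decision, reason). Device trust is evaluated before identity."""
    if resource not in RESOURCE_CLASSES:
        return Decision.DENY, f"unknown resource class {resource!r}"

    # Step 1: device trust. An unknown or non-compliant endpoint never reaches
    # internal resources, however strongly the user authenticated.
    if not device.enrolled:
        return Decision.DENY, "device not enrolled in UEM"
    if not device.compliant:
        return Decision.DENY, "device fails UEM compliance baseline"

    # Step 2: identity assurance. A password alone is never enough for anything
    # exposed to the Internet; VPN included.
    has_second = bool(auth.factors & SECOND_FACTORS)
    has_phishing_resistant = bool(auth.factors & PHISHING_RESISTANT)

    if resource in ("intranet_web", "file_share", "vpn"):
        if has_second:
            return Decision.ALLOW, "compliant device and MFA satisfied"
        return Decision.STEP_UP, "second factor required"

    # Step 3: privileged access. Admin sessions are the prime phishing target,
    # so require a phishing-resistant factor before the PAM vault releases anything.
    if has_phishing_resistant:
        return Decision.ALLOW, "phishing-resistant MFA; session brokered via PAM vault"
    if has_second:
        return Decision.STEP_UP, "OTP/push insufficient for privileged access; present FIDO2 or platform authenticator"
    return Decision.STEP_UP, "MFA required for privileged access"


# Constructed access attempts for demonstration (not real log data).
SAMPLE_ATTEMPTS = [
    ("alice", "intranet_web",     DevicePosture(True, True),   AuthContext(frozenset({"password", "otp"}))),
    ("bob",   "file_share",       DevicePosture(False, False), AuthContext(frozenset({"password", "fido2"}))),
    ("carol", "vpn",              DevicePosture(True, True),   AuthContext(frozenset({"password"}))),
    ("dave",  "privileged_admin", DevicePosture(True, True),   AuthContext(frozenset({"password", "otp"}))),
    ("erin",  "privileged_admin", DevicePosture(True, True),   AuthContext(frozenset({"password", "fido2"}))),
    ("frank", "privileged_admin", DevicePosture(True, False),  AuthContext(frozenset({"password", "fido2"}))),
]


def evaluate(attempts=SAMPLE_ATTEMPTS) -> dict:
    """Evaluate each attempt; return {user: decision} and print one line per attempt."""
    results = {}
    for user, resource, device, auth in attempts:
        decision, reason = decide(resource, device, auth)
        results[user] = decision.value
        print(f"{user:6} {resource:17} {decision.value:8} {reason}")
    return results


if __name__ == "__main__":
    evaluate()
```

Note the ordering: a strong FIDO2 login from a device that fails the UEM baseline (frank) is still denied, while a compliant device with only a one-time code (dave) is pushed to a stronger factor rather than being refused outright; that is the step-up behaviour the adaptive-access paragraph describes.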
IBM Security products such as IBM MaaS360 (UEM), Cloud Identity (SSO and MFA) and Secret Server SaaS (PAM) can help protect your organization and enable your remote workforce to work securely; these products are currently being offered at no charge.
Join my workshop on 12-May, where I will address this topic and answer queries about enabling digital trust among WFH users. Click here to register and join me in this interactive session: https://ibm.co/2WDrHBZ