As your workforce spreads across the planet, you must now support a completely new collection of networks, apps and endpoints. We all know this increased attack surface is more difficult to manage. Part of the challenge is having to create new standards and policies to protect your enterprise and reduce risk as you make the transformation to become a more distributed company. In this blog post, I examine some of the things to look out for. My thesis is that you'll want to match the risks with the approaches, so that you focus on the optimal security improvements to make the transition to a distributed staffing model.
There are two broad brush items to think about: one has nothing to do with technology, and one that does. Let's take the first item. Regardless of what technologies we deploy, the way we choose them is critical. Your enterprise doesn't have to be very large before you have different stakeholders and decision-makers influencing what gets bought and when. This isn't exclusively a technology decision per se – but it has security and risk implications. If you buy the wrong gear, you don't do yourself any favors and can increase your corporate risk profile rather than reduce it. The last thing any of us needs is to have different departments with their own incompatible security tools. This different stakeholder issue is something I spoke about in my last blog post on managing third-party risk.
Why is this important now? Certainly, we have had "shadow IT" departments making independent computer purchases almost since corporations first began buying PCs in the early 1980s. But unlike that era, where corporations were concerned about buying Compaqs vs. IBM, it has more serious implications and greater risk, because of the extreme connectivity businesses are now facing. One weak link in your infrastructure or one infected Android phone, and your risk profile can quickly escalate.
But there is another factor in the technology choice process: getting security right is hard. It isn't just buying something off the shelf; you will need several items and that means having to fit them together in the right way to provide the most protection to address all the various vectors of compromise and risk. This makes sense, because as the attack surface grows, we add technologies to our defensive portfolio to match and step up our game. But here's the catch: what we choose is as important as the way we choose.
Assuming you can get both factors under control, let's next talk about some of the actual technology-related issues. They roughly fall into three categories: authentication/access, endpoint protection and threat detection/event management.
Authentication, identity and access rights management.
Most of us immediately think about this class of problems when it comes to reducing risk, and certainly there are a boatload of tools to help us do so. For example, you might want to have a tool to enable single sign-ons, so that you can reduce password fatigue and improve on- and off-boarding of employees. No arguments there.
But you before you go out and buy one or more of these products, you might want to first understand how out-of-date your Active Directory is. And by this, I mean quantify the level of effort you will need to make it accurate and represent the current state of your users and network resources. A recent risk report found that more than half of the company's customers had more than a thousand stale user accounts that weren't removed from the books. That is a lot of housecleaning before any authentication mechanism is going to be useful. Clearly, many of us need to improve our offboarding processes to ensure that terminating access rights are done at the appropriate moment – and not six months down the road when an attacker has seized control of a terminated user with an active account.
This level of accuracy means that organizations will also have to match identity assurance mechanisms with the right levels of risk. Otherwise, you aren't protecting the right things with the appropriate level of security. You'll want to answer questions such as:
- Do you know where your most critical business assets are and how to protect them?
- How will your third-party partners and others outside your immediate employ authenticate themselves? Will they need (or should they use) a different system from your full-time staff?
- Can you audit your overall portfolio of access rights for devices and corporate computing resources to ensure they are appropriate and offer current context? At many firms, everyone has admin access to every network share. Clearly, that is a very risky path to take.
This topic understandably gets a lot of attention, especially these days as threats are targeting vulnerabilities of specific endpoints such as Windows and Android devices. Back in the days when everyone worked next to each other in a few physical office locations, it was relatively easy to set this up and effectively screen against incoming malware. But as our corporate empire has spread around the world, it is harder to do. Many endpoint products weren't designed for the kinds of latencies that are typical across wide-area links, for example. Nor can they produce warnings in near-real-time or handle endpoints as effectively without pre-installed agents.
That is bad enough, but there is another complicating factor. Few products protect mobile, PCs and endpoints running embedded systems equally. Many often need multiple products to cover their complete endpoint collection. As the malware writers get smarter at hiding their activities in plain sight, we must do a better job of figuring out when they have compromised an endpoint and shut them down. How these multiple products play together can introduce more risk.
Threat detection and event management.
Our third challenge for the distributed workforce is being able to detect and deter abuses and attacks in a timely and efficient manner. This is much harder, given there is no longer any hard division between corporate-owned devices and servers and employee-owned devices, including personal endpoints and cloud workloads. Remember when we used to refer to "bring your own device"? That seems so last year now: most corporations just assume that remote workers will use whatever they already have. This places more responsibility on their security teams to be able to detect and prevent threats that could originate on employee devices. Here is one suggestion on how to minimize BYOD risk, so you can have both security and privacy.
The heterogeneous device portfolios of the current era also place a bigger burden – and higher risk – on watching and interpreting the various security event logs. If malware has touched any of these devices, something will appear on a log entry and this means security analysts need to have the right kinds of automated tools to alert them about any anomalies.
As I have said before, managing risk isn't a one-and-done decision, but a continuous journey. I hope this blog stimulates your own thinking about the various touchpoints you'll need to consider for your own environment as you make your journey towards improving your enterprise security.
This post was sponsored by RSA, but the opinions are my own and do not necessarily represent RSA's positions or strategies.
# # #
David Strom is an independent writer and expert with decades of knowledge on the B2B technology market, including: network computing, computer hardware and security markets. Follow him @dstrom.
Join the #TalkingDigitalRisk conversation on Twitter and social media by following @RSAsecurity