A few months ago, it was almost unthinkable that the widespread shift to work-from-home arrangements would still be in place by summer. But here we are.
Work looks very different now than it did when 2020 began, but one thing that is unlikely to change is the remote workforce. According to a recent survey, 41% of employees are "likely to work remotely at least some of the time post-coronavirus pandemic." A separate survey found that 74% of companies plan to shift “at least 5% of their previously on-site workforce to permanently remote positions post-Covid 19.”
Remote support and security continue to be critical now and will be in the future as more employees transition from temporary to permanent off-site arrangements. The dynamic, distributed workforce is not a passing phase. It is here to stay.
But many of the tools and technologies deployed during the rush to stand up large-scale remote workforces were not designed for long-term success. In organizations without a progressive work-from-home culture, there were many so-called “band aids” used to get staff up, running and productive during the business disruption. Now, it’s time to consider what is required for best-in-class security in this new reality of working from home.
Phase Two: Lock Down Identity and Access
As many organizations enter into phase two, a future that includes a high proportion of teleworkers will require new ways of thinking about security, productivity and identity and access management (IAM).
While your authentication capabilities may offer visibility into who remote workers say they are when they log in, what information are you still missing? What applications and assets are employees accessing? As budgets tighten and workers are asked to do more, what privileges have they been given in haste that need a closer look?
There are three goals to consider in the effort to evolve an IAM strategy for a large-scale, long-term dynamic workforce:
- Detect and prioritize identity risks with visibility.
- Reduce risks with new identity and authentication approaches.
- Ensure your IAM strategy complies with data security and privacy laws and regulations by leveraging tools like automation.
Visibility: Can You See Clearly Now?
As we've seen in many headlines in recent months, cybercriminals wasted no time taking advantage of the current health crisis. They found ways to exploit remote workers who are outside of the confines of office network security. With remote workers using every type of endpoint device these days, it is essential for security teams to distinguish legitimate devices and users from malicious ones.
The blending of personal devices for work, and work devices for leisure, only further complicates the issue. It is now overwhelmingly complicated to centrally view and manage identities across the devices and SaaS applications that remote workers are using to get work done. And, it is equally difficult to know if the devices are compliant.
It’s also important to have full visibility and management of devices and identities. Devices should undergo regular compliance checks, and security teams should aim to minimize identity vulnerabilities associated with employee access by using metrics, like separation of duties violations and excess privileges, to evaluate risk and prioritize requests.
The Future Looks Passwordless
As dynamic workforces continue to evolve, many predict the end of the traditional password for authentication going forward. Many of the major tech vendors, including Apple, Microsoft and Google, have joined the Fast IDentity Online (FIDO) Alliance, an authentication standards group that aims to replace passwords with a more convenient and secure method for logging into online applications and services.
FIDO authentication is continuing to gain ground as the alternative to passwords for devices and cloud applications. Solutions like YubiKey for RSA SecurID® Access act as a first step to realizing this future state, because they provide a positive user experience while defending against phishing, eliminating account takeovers and reducing IT costs. As we settle into a global, remote workforce, passwordless authentication may help us move forward with a more secure, and empowered, distributed workforce.
Lean on Automation
Security is only as good as its ease of use. In lieu of a seamless experience, end users may work around security controls, rendering efforts futile.
Automation – particularly with risk-based analysis and machine learning – can be a game changer in allowing organizations to institute flexible, policy-based access rules that won’t get in the way of productivity. Automated conditional access requests and self-service password reset capabilities can keep employees from having to lean on an IT Help Desk for simple needs and saves your organization time and money.
Tools that automate the credential lifecycle are also worth considering for best-in-class remote support. The current economic climate means the dynamic workforce is constantly changing. Turnover and hiring necessitates automation in order to ensure appropriate access for new or departing users, and also maintains a continual state of compliance.
Certainty in Times of Uncertainty
There are so many uncertainties right now about what businesses will be expected to navigate in the months ahead. Relying on core strategies and the tools outlined in this post can help you sharpen and refresh your IAM approach so your remote workforce technology will stand the test of time and be flexible enough to address future challenges.
This post was sponsored by RSA, but the opinions do not necessarily represent RSA's positions or strategies.
Joan Goodchild is an award-winning, veteran writer, editor, content strategist and speaker with an expertise in security, risk and enterprise technology. Follow her on Twitter at @joangoodchild.