As the response to COVID-19 continues, many companies in America and across the globe are preparing to restart operations, but it won’t be business as usual.
“The workplace we return to is going to be dramatically different. The new reality will drive a different approach to the way companies think about their security architecture,” said Tony Buffomante, co-leader and principal of KPMG's global cybersecurity practice.
“To deal with immediate needs, some organizations are considering temperature checks and contact-tracing apps to keep the workplace safe,” Buffomante said. “But implementing these measures while maintaining legal requirements for privacy and security is a tough nut to crack. Unless they can overcome these hurdles swiftly, businesses may need to put screening programs on hold,” he said.
Organizations must also manage the security implications of a huge increase in remote work. In the wake of COVID-19-related business losses, many plan to switch more workers to permanently off-site positions. Those who do come in will be offered more remote options to accommodate social distancing in once-crowded offices.
The shift to remote work has vastly broadened the attack surface, and cybercriminals have been quick to seize the advantage, luring worried and distracted home workers with COVID-19-related phishing messages and directing them to fake websites where they steal credentials, hoping to worm their way onto corporate networks.
These tactics and others will continue after the crisis. Like enterprises, hackers are employing automation to broaden their reach and increase their efficiency. To counter them, many organizations will need to rethink their security models.
Protecting Yourself in the Cloud
Even before the virus, the security paradigm was changing. “The network perimeter was already dissolving, and now it’s completely dissolved,” Buffomante said.
“Some organizations wrongly assume that by moving to the cloud, they’re outsourcing security. In reality, cloud security is a shared responsibility,” Buffomante said.
To protect themselves, companies must correctly configure firewall connections and align data access with their internal security policies, instead of going with the default of unlimited access to corporate data. They should also monitor for suspicious activity, so that if someone logs in from Chicago and tries again from Singapore an hour later, their identity can be verified or their access shut off before a breach occurs.
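The Chicago-then-Singapore check described above can be expressed as an "impossible travel" rule over login events. The following is an added example, not code from the article or from KPMG; the event fields, the 900 km/h threshold, and the sample logins are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: roughly airliner cruise speed


@dataclass(frozen=True)
class Login:
    user: str
    when: datetime
    lat: float   # latitude of the geolocated source IP (assumed available)
    lon: float
    city: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (previous, current, implied_kmh) for each pair of consecutive
    logins by the same user whose implied travel speed exceeds max_kmh."""
    alerts, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e.when):
        prev = last_seen.get(ev.user)
        if prev is not None:
            km = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon)
            # Clamp to one second so simultaneous logins do not divide by zero.
            hours = max((ev.when - prev.when).total_seconds(), 1.0) / 3600.0
            if km / hours > max_kmh:
                alerts.append((prev, ev, km / hours))
        last_seen[ev.user] = ev
    return alerts


# Constructed sample events (not real log data).
SAMPLE = [
    Login("alice", datetime(2020, 5, 4, 9, 0), 41.88, -87.63, "Chicago"),
    Login("bob", datetime(2020, 5, 4, 9, 5), 41.88, -87.63, "Chicago"),
    Login("alice", datetime(2020, 5, 4, 10, 0), 1.35, 103.82, "Singapore"),
    Login("bob", datetime(2020, 5, 4, 12, 30), 40.71, -74.01, "New York"),
]

if __name__ == "__main__":
    for prev, cur, kmh in impossible_travel(SAMPLE):
        print(f"{cur.user}: {prev.city} -> {cur.city} implies {kmh:,.0f} km/h; verify identity")
```

Because IP geolocation is imprecise and VPN exits move users between cities instantly, an alert from a rule like this is better used to trigger identity re-verification than to block access outright.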
Moving to Zero Trust
Managing cloud settings gets complicated very quickly for enterprises using hundreds of outside apps, in addition to internal clouds. Managing employee devices does nothing to address the information access problem.
“We used to talk about devices as endpoints. Now, the human has become the endpoint,” Buffomante said.
Basing security on people instead of apps or devices is the idea behind zero trust, he said, a comprehensive security methodology that uses multifactor authentication to make sure users are who they say they are and follows the least-privilege principle to provide users access to all the tools and information they need to do their jobs, but no more.
“With zero trust, organizations categorize their information by risk and business value,” said Buffomante. They set up a governance system to enforce granular access rules automatically and in real time for every user, device, and application.
Centralized management means that when a user’s role changes, access permissions are adjusted once and propagate throughout the organization. The speed and agility of this approach close security gaps and prevent hackers from breaching dangerous orphan accounts.
Monitoring is also used, not only to prevent unauthorized access, but to collect information about user activity. During certification reviews, this information is passed to business managers. Instead of trying to decipher security hieroglyphics, they see a clear quantification of risk. “They also learn whether workers are really using the apps they’ve been assigned, giving them insight into how work is performed and improving business decisions,” said Buffomante.
There are many different ways to implement zero trust, which includes a mix of technologies companies can adopt at their own pace.
No matter how you slice it, an identity-based approach to security offers the best way to meet the future demands of an increasingly remote, multi-device, cloud-based workforce.