At first glance, when Ontario’s waste recycling regulator told its staff to start working from home March 17 due to the COVID-19 crisis, it didn’t appear to be a problem for CIO John Pinard.
After all, the staff had corporate-issued laptops, so there wasn’t a rush to buy PCs.
But, he told a webinar on Tuesday, “it was an eye-opener” with a range of challenges. Some staff didn’t have a desk in their residences. Others didn’t have a router secure enough to protect their home computers from a cyberattack, let alone their organization-issued computer.
Fortunately, he said, as a young agency — the Resource Productivity and Recovery Authority is only three years old — all of its applications were cloud-based. For accessing the main application, Salesforce, the staff was told to use a virtual private network (VPN).
However, that had its own challenges. “One of the things we’ve run into is that videoconferencing doesn’t work that well over VPN,” he said, “so we’re educating our staff that when they’re doing videoconferencing to disconnect VPN, then re-connect when you need access to corporate data.”
Meeting security problems is about educating staff, he said. But, if agency management decides that working from home will be the norm, then buying staff additional security hardware to protect them may be necessary, as well as purchasing a next-generation firewall to give more traffic visibility, he added.
Pinard was on a panel discussing how IT deals with securing a remote workforce at the week-long siberXchange conference run by Richmond Hill, Ont., based siberX, which produces cybersecurity events.
Other panellists included moderator Mark Dillon, VP of IT at Waterloo North Hydro Inc.; Jason Georgi, global field CTO of Palo Alto Networks; Adriana Gliga-Belavic, privacy leader and member of the cybersecurity team at consultancy MNP Canada; and Michael Ball of TeamCISO, which offers virtual CISO services to organizations.
Gliga-Belavic said the pandemic is driving organizations to move to the cloud faster than they planned. However, some weren’t ready to deal with the security challenges in part because they didn’t have a good understanding of their existing security requirements.
Organizations can’t just ask a cloud provider to put security around workloads, she said. First, they have to understand what they’re buying because there’s always a balance between the security the organization gets and the costs.
Second is how much sensitive data will move to the cloud and what controls are needed to make it secure. “A lot of our clients are struggling with encryption, key management, and where they should encrypt — before data sent to the cloud or after?”
Gliga-Belavic said organizations also have to come to grips with the fact that traffic visibility in the cloud may be less than when data was all on-premises. Logs IT relied on before are likely not available in the cloud.
“They find defining the roles and responsibilities of stakeholders becomes very important to ensure you cover the entire lifecycle of threat management from identification to management to remediation. And in case of an incident, you have to have really good processes for good incident response, including communications,” she said.
Staff also need to be trained in dealing with cloud-related security and privacy issues, she explained.
Ball reminded listeners that many cloud services — such as Microsoft Office365, Salesforce and SAP — come with tools to help customers do security assessments. Setting up controls such as two-factor authentication is easy for some applications, he said.
Many CISOs believe that having staff work remotely isn’t as safe as having them in the office and working behind a firewall. Not Palo Alto’s Georgi. “I don’t agree that being in the office necessarily makes you secure, even with things like network access control, because things [servers, routers, PCs] can be compromised and typically they’re not set up properly.
“I think forcing people at home … forces you [the CISO] to get identity right.”
Having remote users authenticate themselves and their devices through a security posture check is better than having staff on-premises plugging in and using unapproved WiFi access points, he argued. “You could be a little more secure at home depending on how you play your cards.”
In the future the concept of “taking your security stack with you” will become important, he added, and cloud-delivered services will make it possible.