The Work From Home (WFH) movement made headlines with a Statistics Canada survey indicating that 4.6 million Canadians were working from home in July 2020. If that wasn’t disruptive enough, many of these people will continue to do so, even after there’s no great threat from COVID-19.
“We are all facing issues around the massive migration to work from home,” said Jim Love, CIO of IT World Canada (ITWC). “We did it all really quickly, and now we have to deal with the reality of supporting and securing what amounts to a new enterprise architecture.”
Love joined Ralph Loewen, CEO of Itergy, and Curtis Johnstone, Distinguished Engineer/Microsoft MVP at Quest, in the September 15, 2020 webinar “People Not Perimeters: How to make work-from-home and cloud architecture more productive and secure.” The focus became practical tips for identity management.
Organized around a series of anecdotes dealing with compromised digital identities, the webinar shed light on just how easily things can go wrong. In one example, a consultant for a North American transportation network set off a process that effectively put the brakes on transportation across the country. Another case detailed an outage that lasted the better part of eight hours and saw almost 10,000 workers in the manufacturing sector sent home from their shifts.
Strive to be boring
As a follow-up to these attention-seeking incidents, Loewen detailed the story of a major manufacturer with sites in Canada and around the world that had activated multi-factor authentication (MFA) just as COVID was beginning to spread. As a result, the company was able to thwart malicious attempts to access privileged accounts. “So nothing happened in this story, and it’s actually what we all want,” says Loewen. “Boring is really what we’re after.”
Boring may be the goal, but according to Curtis Johnstone, it’s not always the reality. “At some point a breach will likely happen,” he said, illustrating his point with some sobering numbers related to business continuity in the face of a breach. “Every 14 seconds another ransomware attack occurs,” he says. “It’s really important to do whatever you can to prevent that breach in the first place. But if there is a breach, it’s really, really important that you plan beforehand to address it.”
What does that mean? For Johnstone, it’s all about having a business continuity plan, which includes processes and people, and knowing how to use it. From an identity security point of view, he also stressed the importance of monitoring identity systems with an appropriate combination of native capabilities and third-party solutions.
When the user becomes the new endpoint
The regular ways of doing things are being eroded during the pandemic-motivated exodus from physical offices.
“The firewall is no longer the perimeter,” said Loewen. “We used to be able to lock down a desktop or a laptop and that did the job. But now, people want access from home machines, so the user has become the new endpoint.”
A disaster waiting to happen
Part of the problem in securing employee identities is that onboarding processes are often lengthy and involve many layers of permissions and privileges – a challenge when it comes to deactivating an identity.
Another problem, according to Loewen, is that long-term employees move jobs multiple times, gradually gaining access to highly sensitive, restricted corporate information. When they eventually leave, auditors are faced with finding all the access points and removing permissions. “We can’t just add people in and forget about them, so we need governance on this,” he said. “It’s a disaster waiting to happen if we don’t, but it is a problem that can be managed.”
Johnstone observed that it really makes sense, from an identity governance perspective, to have a handle on the identity footprint, so that identities don’t get lost in the shuffle.
“It’s really important, especially with privileged identities, to make sure they’re locked down,” he said. “This goes back to preventing a breach in the first place, which is why we prioritize identity governance.”
Options for protecting your identity
Other strategies discussed by Loewen and Johnstone for protecting identities include knowing your native options, using conditional access policies to lock down WFH resources, cleaning up permissions for external guests after virtual team meetings are dissolved, having an audit trail, and being especially vigilant during mergers and acquisitions.
“That’s when things change and identities get lost,” says Johnstone. “Migration is a great time to do a pre-assessment and clean up any identities – privileged or not – that are not being used. And the lesser the identity footprint you have to deal with, the more secure you will be.”
And if there’s no in-house expertise to manage this?
“Send it to the right people,” says Johnstone.
Both Johnstone and Loewen stress the importance of incremental steps.
“We didn’t get to where we are overnight and we won’t solve it overnight,” said Loewen. “What we need is a strategy in place to move forward.”
“Know where you are and move forward,” concurred Jim Love. “Every time you move forward a little, you get closer to a good night’s sleep.”