The standard of working in an office is no longer the standard. The need for security remains the same. So, what does that mean now? One Identity's Robert Meyers explains :
The digital transformation happened. What does that really mean? It means that users have been enabled to work from anywhere and have access to all the same resources as if they were working in the office. It also often refers to the concept of using cloud resources. Perhaps this transformation was something organizations were putting off; however, in the end, it happened in an instant. Thank you, global pandemic.
The forced digital transformation caused IT departments to work like mad to make changes that suddenly couldn’t wait for tomorrow. Updates were made quickly but not as securely, nor as automated as possible.
With any digital transformation – forced or not – there are three areas of focus:
- Remote access
- Managing entitlements
- Controlling costs
Let’s look at the three focus categories in detail.
To keep business running, users need to have access. Users must have remote access to the tools they need to do their job. This means presenting the tools a user needs to do their job in a way they can actually do the job. For many this was easy, they just received a remote desktop session and everything was good! Or was it? No it was not. This did not mean that is not how many companies did it. So what is the issue?
Let’s start with a remote desktop, also called RDP or Citrix connection. You are looking at simple password hacks. You are looking at man in the middle threats from insecure WIFI networks (and most are). Your also looking traditional inside threats like bots scanning the inside of your network left behind by earlier attacks.
Ok, lets lock that up some, lets use a VPN and MFA (See One Identity Defender by Quest) and/or a secure remote-access gateway. Hm, still not quite there however you are now significantly more secure. But is that enough for working with privileged information and systems? Probably not.
The next stage is truly using a managed network connection. This can mean many things but for this discussion it is a combination of MFA, VPN and privileged session management (See One Identity Safeguard by Quest) which encapsulates the connection all the way to the target workload to the originating workstation. Throwing this combination up means you have real security, with even some defenses in place with analytics to do some defense from an internal bad actor.
A truly secure, managed remote access should be used to connect to the right workload. However remember you may need to rethink that network, as most businesses are finding that their network connections are simply not large enough to give reasonable performance. When this happens, look towards moving workloads, not simply applications to the cloud… but maintain security.
Controlling entitlements is key, but it also has to be methodical – with security always in mind – and must be automated. So what is an entitlement? It’s the right to do something like: grant access, revoke access or make privileged changes to rights or assets.
Why is automation so important? This dynamic environment that we are in today will change again. Furloughs will cease and users will return. And maybe the whole cycle will repeat itself. When you have 5,000 users move to remote access in one day and another 5,000 have their accounts disabled on the same day - that’s a lot of work to do in your Active Directory (See One Identity Active Roles by Quest). If you’re using manual processes to make these changes, this work is not going to happen in a day. Most likely, it will take weeks.
Plus, there’s the human factor: people make mistakes and they take shortcuts. If a person doesn’t have enough time to do a task and it was completed quickly, it means shortcuts were taken. When it comes to entitlements – particularly elevated rights that control applications and access, or has access to IP and customer data – shortcuts are not an option if you want to stay compliant. So, when a company is returning to an office-based mode, automation will remove the human factor from the equation and to accelerate processes.
People are moving technology budgets around at an unprecedented pace right now. At the same time, everyone needs to focus on ways to control their costs. So how can you do this during such a chaotic time?
There are three areas you to manage to control costs:
- Your log feed and your SIEM solution
- License agreements
- Cloud migration strategy and expense
It’s interesting that logs come before licensing (See syslog-ng by Quest). Logs have to be taken more seriously today because users are out there and so is the data that needs protecting. But most SIEMs charge by the gigabyte per day. They often charge for how much data is stored.
Another controllable cost is licensing. It is not uncommon to learn that an organization extra licenses for email, service desk systems “to be safe”. Those extra accounts should be de-provisioned and the license released. Today, many service providers allow users to be added back in nearly seamlessly.
Lastly, in the controlling costs category: cloud migrations will happen, but they need to be the right migrations. There are a lot of services to help identify an infrastructure provider or SaaS provider that will be economically advantageous. Today, that should include an interface and ease-of-use. The key here is to reduce costs by putting the right workloads in the right cloud infrastructure.
What’s going to come out of digital transformation, now that is was forced on most organizations? No one knows. It wasn’t controlled. It wasn’t planned. It happened. When planning next steps, remember to keep in mind the following:
- Focus on remote access
- Manage entitlements
- Controlling costs
The world as it exists today will not be the world we work in next year. Plan accordingly.
About the Author
Robert Meyers is a Compliance and Privacy Professional, as well as the Channel Program Solutions Architect for One Identity. He is a thirty-year veteran of the Identity and Access Systems and Information Security industry, including mergers and acquisitions, and with more than 10 years of that time focused on planning, supporting and managing privacy programs, such as FERPA, HIPAA, GDPR and CCPA. His experience also includes leadership responsibilities for nearly one hundred mergers and acquisitions. Robert regularly speaks at events about privacy topics. His extensive certifications include IAPP Fellow of Information Privacy, CIPP/E, CIPT and the ISACA CISM and CDPSE.