The COVID-19 pandemic has caused tremendous disruption and the impact has affected the global business economy. In short, our whole lives have changed. This disruption has its benefits, and has accelerated the need and adoption of digital transformation within our global businesses. Something that many companies have struggled with in relation to the pace of that transformation.
We all have seen and personally witnessed individuals and organizations shine throughout this crisis. Unfortunately, we have also seen hackers take advantage of the most vulnerable during this time. Weak access control and social engineering phishing campaigns are the main vehicles used by hackers to target and exploit vulnerable individuals and organizations.
In working remotely, our end-users are no longer afforded the same security controls in the remote workforce environment that they had in their office environment.
The fundamental security requirement is to understand who and what is trying to access their technology environments and the data stored within. This security requirement is further empathized with all the new return to work regulations which require organizations to put hybrid operating models in place that cater for both office and remote working.
This security requirement is often commonly referred to as implementing ‘a zero-trust model.’ There are five key components to consider when applying a zero-trust model within your organization as you implement to a hybrid operating model to meet COVID-19 working order restrictions.
End-Users: Understand your end-user groupings and their requirements for carrying out their business roles within your organization. For example, sales teams have very different business requirements than technology teams. Group your end-users by role, access and application requirements.
Identity: Standardize access control and streamline to a single Identity and Access Management (IAM) platform for all your end-users while balancing cost and risk. End-users must have a single location to access all the communication and business applications securely.
Policy: Have a clear ‘acceptable use policy’ that outlines what actions are permitted and not permitted on your company’s organization devices. Examples include, but are not limited to, not sharing your company device with family members, not using your device to watch video streaming services and/or not accessing websites that you would not feel comfortable sharing with your parents, partner and/or children. Take the opportunity to re-educate end-users on policy requirements as part of your return to work strategy.
Governance: Set multi-factor authentication as a requirement for all critical business applications and communication applications such as email, instant messaging, collaboration tooling and video conferencing. Updating your organization’s existing governing business processes to support the organization while maintaining alignment is essential. The list of identified businesses for incorporating MFA requirements include but are not limited to Financial Procurement, Third Party Risk Management, Joiners, Movers & Leavers, Business Continuity, Audit/Assurance, Privacy Impact Assessments and Compliance assessment processes.
Assurance: Use enhanced multi-factor authentication as assurance to support the authenticity for authorization of power-privileges and/or high-risk actions within your technology department, financial department and execution of social media activity from Executive Management. This is where the end-user is presented with a re-authentication mechanism where they must successfully authenticate themselves prior to being allowed to execute the high-risk and/or sensitive action.
Here at OneLogin with the new COVID-19 return to work restrictions in place, we have had an increase in businesses across all industry types reaching out to partner with us on identity and access management.
We work together as a partnership to understand the business requirements and, following our five components above, we design and implement our Trusted Experience PlatformTM.
In turn, our prospects and customers are provided with independent assurance that access to their data and systems are secure from any device and any location via our Trusted Experience Platform.