Why security needs to focus on the user not the location [Q&A]
Keeping enterprise systems secure used to be a relatively simple matter of defending the network perimeter. But in recent times the increased sophistication of attacks, a shift to more remote working, and demands for more sophisticated identity management mean things are much more complex.
We spoke to Greg Keller, CTO of directory-as-a-service company JumpCloud, who believes that the answer is to move the security perimeter to the user, wherever they are located.
BN: Phishing schemes are becoming more sophisticated, like the recent attack using a mix of enterprise cloud services (Microsoft Azure, Microsoft Dynamics, and IBM Cloud) as part of an attempt to steal login credentials. What concerns does this added sophistication raise for IT teams?
GK: The bad actors are getting more sophisticated, yes. Their investment in creating very precise replications of corporate portals, corporate email reminders, and now, AI-generated 'deepfake' phishing attempts is making it harder and harder for companies to protect their employees. In the 'old days', being on a corporate domain was the solution. Literally protected by the brick-and-mortar facilities employees entered and would compute within, safely. The open internet changed all that. IT teams need to be on guard for how and what their employees are engaging with to manage their 'keys', typically usernames and passwords that, depending upon their privileges, could be disastrous if compromised. Therefore their greatest concerns need to be: 'Are my employees trained regularly to spot, second-guess and report a phishing email or website?' and 'Are all of my corporate resources that allow authentication protected with multi-factor authentication?' Start there, and rinse/repeat until your employees are trained and protected.
BN: Coupled with the rapid shift to remote work, what kind of strain have these threats put on organizations' security?
GK: Endpoints! Device endpoints within a corporate network and firewall were once considered safe. They're now the linchpin to an IT or security professional's battle space. Devices that are now outside those physical corporate premises, in unknown homes, on untrusted routers, with access to resources coming in from these unknown locations, have all put considerable pressure on IT and security professionals. Additionally, these devices in many cases are largely unmanaged. Perhaps an antivirus has been installed, but more than likely these corporate machines have loose policy restrictions: user accounts are often at escalated/administrative levels; applications and anomalous files can be installed or end up on the system; configuration parameters like lock screens, full-disk encryption and the prevention of unwarranted software like browser extensions are non-existent. So, ensuring maximum control on corporate devices, and doing so securely from, likely, the IT sysadmin's own home, has to be established.
BN: What are the main security concerns you hear from IT teams involved in implementing an effective remote work environment?
GK: Generally, we hear that access to corporate resources, be they cloud or even those that remain on-premises (think: file servers, etc.), needs to be granted conditionally or through some set of policy checks. Going back to our theme on 'the corporate network', resources (especially cloud-based ones) would expect traffic from very specific locations/IP addresses. Now, that has to be understood and ready to be received from a wider variety of networks, including home networks.
Therefore a whole new level of interrogation of the authentication and authorization request needs to be performed: Is this coming in via VPN? Is the machine that the VPN client is on 'secure' / trusted by the corporation (e.g. is Dad, from his home, trying to hit Salesforce from his son's malware-infested gaming machine?) Is the right user making the request from the right machine? For many IT and security architects, especially those with traditional on-premises backgrounds, this is a massive architectural shift that is causing a lot of strain.
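The chain of checks described in that answer (known device, device bound to the requesting user, device posture, network, second factor) is the core of a conditional-access decision. The following is an added illustration written for this page; it is not JumpCloud's product code and nothing in the interview describes its internals. The device inventory, attribute names, network ranges and policy thresholds are constructed for the example, and a legacy `perimeter_only` rule is included only to contrast the old "trust the location" model with the user-and-device model being argued for.

```python
"""Conditional-access decision for a single authentication request.

Added example for this interview; not JumpCloud's code. All device
records, attribute names, IP ranges and thresholds are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed device inventory, as a management agent might report it.
# Keys are hypothetical device identifiers; field names are assumptions.
DEVICE_INVENTORY = {
    "lt-1001": {"owner": "dad",    "managed": True,  "disk_encrypted": True,
                "av_current": True,  "os_patch_age_days": 5},
    "game-7":  {"owner": "junior", "managed": False, "disk_encrypted": False,
                "av_current": False, "os_patch_age_days": 400},
    "lt-1002": {"owner": "alice",  "managed": True,  "disk_encrypted": True,
                "av_current": False, "os_patch_age_days": 40},
}

# Constructed "corporate" address space: office egress (TEST-NET-3) and a VPN pool.
CORPORATE_NETS = [ip_network("203.0.113.0/24"), ip_network("10.8.0.0/16")]


@dataclass
class AccessRequest:
    user: str
    device_id: Optional[str]   # None when the client presents no device identity
    source_ip: str
    mfa_verified: bool         # second factor already satisfied for this session?
    resource: str


@dataclass
class Decision:
    allow: bool
    reasons: List[str] = field(default_factory=list)
    step_up_mfa: bool = False  # deny now, but the client may retry after MFA


def on_corporate_network(source_ip: str, corp_nets=CORPORATE_NETS) -> bool:
    addr = ip_address(source_ip)
    return any(addr in net for net in corp_nets)


def perimeter_only(req: AccessRequest, corp_nets=CORPORATE_NETS) -> bool:
    """Legacy model: anything arriving from a corporate/VPN address is trusted."""
    return on_corporate_network(req.source_ip, corp_nets)


def device_posture(attrs: dict, max_patch_age: int = 30) -> List[str]:
    """Return the list of posture failures (empty list means the device is healthy)."""
    failures = []
    if not attrs["managed"]:
        failures.append("unmanaged device")
    if not attrs["disk_encrypted"]:
        failures.append("full-disk encryption off")
    if not attrs["av_current"]:
        failures.append("antivirus out of date")
    if attrs["os_patch_age_days"] > max_patch_age:
        failures.append(f"OS patches {attrs['os_patch_age_days']} days old")
    return failures


def evaluate(req: AccessRequest, inventory=DEVICE_INVENTORY,
             corp_nets=CORPORATE_NETS, max_patch_age: int = 30) -> Decision:
    """User-centred model: identity, device binding, posture and MFA gate every request;
    the network the request came from is recorded but never sufficient on its own."""
    attrs = inventory.get(req.device_id) if req.device_id else None
    if attrs is None:
        return Decision(False, ["device unknown or not enrolled"])
    if attrs["owner"] != req.user:
        # "Dad on his son's gaming machine": right user, wrong device.
        return Decision(False, [f"device {req.device_id} is assigned to {attrs['owner']}, not {req.user}"])
    failures = device_posture(attrs, max_patch_age)
    if failures:
        return Decision(False, ["posture: " + "; ".join(failures)])
    reasons = ["source on corporate/VPN network" if on_corporate_network(req.source_ip, corp_nets)
               else "source on unknown network (home or public)"]
    if not req.mfa_verified:
        # Location does not exempt anyone from the second factor.
        return Decision(False, reasons + ["second factor not presented"], step_up_mfa=True)
    reasons.append("second factor verified")
    return Decision(True, reasons)


if __name__ == "__main__":
    # Same request through both models: the VPN address passes the old check,
    # the unmanaged gaming machine fails the new one.
    req = AccessRequest("dad", "game-7", "10.8.3.4", True, "salesforce")
    print("perimeter model:", perimeter_only(req))
    print("conditional access:", evaluate(req))
```

The order of the checks matters for what the user is told: an unknown or mis-assigned device is rejected before posture is inspected, and `step_up_mfa` is set only once everything except the second factor has passed, so a client knows that prompting for MFA is the one thing that will change the answer.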
BN: How are security issues different for cloud-based environments compared to on-premises?
GK: The concerns are equally challenging. It all begins with trust in the pipes you have that traverse the open internet from the user/endpoint making a request to the cloud-based resource which is required to respond to the request. It is imperative that TLS / HTTPS is utilized in those transactions and that data can move back and forth in a virtually impenetrable fashion. This should be an imperative for any solution being evaluated for purchase to ensure corporate information is kept private and secure. Even Silicon Valley sweethearts like Zoom, used by millions, were put in the spotlight for not supporting end-to-end encryption. IT buyers, beware.
BN: What approaches or solutions should organizations consider to better secure and mitigate user-based security risks?
GK: IT professionals sincerely need to start to understand and appreciate more advanced, remote-specific security architectures. Zero Trust models, or what Google refers to as 'BeyondCorp', should be studied and interrogated as the world shifts from a corporate brick-and-mortar world to one that feels more like the 'domainless enterprise'. Start with trusting the device (and second-guessing your BYOD programs) and gating access to resources in conditional ways. Become familiar with your MDM (device management) needs and how you can manage those employee devices when you may not see your coworkers for months at a time… Or ever.
Most critically, shape your strategy for identity and access control. Do you have a centralized model for authentication? Are you limiting your vectors of attack by ensuring users do not have multiple credentials for various resources and, further, have everything gated with a second factor of authentication? Ultimately: Can you do all of these critical chores (managing devices and your employees' identities) exclusively from the cloud? The new normal looks 'cloudy' (all puns intended). Start to unwind from how you once did your job, to how it can be done effectively and securely from your home office.
BN: What should a modern security strategy include?
GK: The simplest way to describe this would be to set a 'greenfield' example. Assume you are an IT/security professional building a company from the ground up. No traditional baggage to contend with. With that context in mind, I’d break it down to the following:
- Ensure there are no on-premises constraints for your vendors. Assume everything will be all-cloud.
- Ensure you can provide a single set of credentials from an authoritative source, again from the cloud, that can provide authentication and access control to 'all' of an employee's needs: their computer logon, cloud-based applications, VPN clients, infrastructure like servers in AWS or Google Cloud, etc. One credential set for everything.
- Ensure that all of those resources are protected with MFA. MFA on the computer, on your VPN client, accessing Salesforce or Google. Everything.
- Ensure you have tooling and process for managing the entire lifecycle of a corporate device like a MacBook or Windows laptop: Can it be configured from the cloud? Can I get it drop-shipped to my employee? Can I manage it remotely? Can I escalate (then redact) permissions of the user account if they need to install software at some point? Again, just get used to doing all of this without ever being in the presence of a machine.