Last year, the COVID-19 pandemic forced corporate offices worldwide to close their doors and send employees home to work remotely. Now, the time is approaching for some of those same businesses to welcome employees back to the office.
However, getting back to normal will be more complicated. From an IT security perspective, the pandemic opened a can of worms. Security visibility and management were challenged by the increased adoption of unmanaged software-as-a-service (SaaS) solutions and the use of personal, non-corporate-issued devices. The reality brought home an unavoidable truth: effectively securing an organization’s resources and data requires making user and device identity and access management the new focal point of security.
Organizations will need to reconsider their security strategy once again to accommodate staff as they return to the office.
BYOD’s Device Management Challenges
The spike in the use of personal devices has both enabled and complicated the remote work situation. Though the BYOD trend was already in full swing before the pandemic, the COVID-19 crisis accelerated it. According to a survey by Bitglass and Cybersecurity Insiders earlier this year, 47% of respondents reported an increase in BYOD during the pandemic. While one of the often-cited benefits of BYOD is improved employee productivity, securing these devices remains a top concern.
Organizations have no insight into the posture of unmanaged devices — their patch level, hygiene, and activity are all blind spots. Yet in many cases, these same machines are connecting to the organization’s network and accessing resources and data.
The increased use of personal devices by remote employees also means that corporate-issued devices that have not connected to the network for an extended period of time will need to be assessed. Organizations need to determine the health of the devices that are attempting to connect to the network and roll out any missing patches without major disruption. As part of this process, on-premises systems should also be checked before the workforce starts to arrive en masse.
In addition to updating patches, organizations will need to update access policies that were adapted to support remote workers. All these security policies will now have to be revisited to ensure they do not introduce unnecessary risk. While it may have been perfectly reasonable to allow a device in a far-flung geographic location to connect to a sensitive database when everyone was remote, now, that same level of privileges may make less sense.
Device Trust and Zero Trust Segmentation Is Key
The increase in remote workers and usage of personal devices makes it clear that businesses will have to securely enable BYOD culture in their organization.
Here is where device trust and device management become critical. Organizations need to ensure that all their devices can be properly identified and given the appropriate access level. It is crucial to accurately identify all the devices used by employees — from desktops to personal tablets, to QA machines used by developers — so that Zero Trust security policies can be consistently enforced and devices are continuously monitored. Once identity is properly assured, corporate-owned devices will need to be put under centralized management, allowing organizations to implement policies based on device trust.
Ensuring the Identity of User and Device
The concept of device trust is simple: if we can identify which devices are managed by the organization and ensure they are properly postured and up-to-date, we can give them higher levels of security clearance. This is vital in a cloud-centric world where employees can access applications from any device they like. Device trust is nearly impossible to implement with standard password-based authentication, as credentials don’t allow us to validate the user’s device.
But with X.509 digital certificates, only a device with a valid certificate can be trusted and granted access, because the certificates are tied to a device’s TPM and cannot be exported off the device. The use of certificates to provide proof of identity can also be layered on other factors to make smarter security decisions. Because the certificate provides assurance of accurate device identification, it can provide additional information such as the health of the device or whether they are accessing resources that should be available to them. Certificates can also be used on physical security devices such as Security Keys, offering incredibly high levels of identity assurance.
Taking a layered approach to security and authentication creates multiple hurdles for attackers to jump over. When centralized device management is implemented alongside device trust, threat actors have to circumvent the endpoint security controls on the device, device monitoring, and multi-factor authentication just to get into the network.
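The layering described above can be written down as an access decision that checks device identity first, then management status, then posture. The sketch below is an added example, not code from the article or from any product; the tier names, thresholds, field names and sample devices are all assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Assumed thresholds for this sketch; real values come from your own policy.
MAX_PATCH_AGE_DAYS = 30
MAX_OFFLINE_DAYS = 90

@dataclass
class Device:
    device_id: str
    cert_valid: bool    # certificate chained to the org CA and not revoked
    managed: bool       # enrolled in centralized device management
    last_patched: date
    last_seen: date     # last connection to the corporate network

def access_tier(dev: Device, today: date) -> str:
    """Return a hypothetical tier: deny, limited, remediate or full."""
    # No verifiable device identity: no other attribute can be trusted.
    if not dev.cert_valid:
        return "deny"
    # Identified but unmanaged (BYOD): posture is a blind spot, cap access.
    if not dev.managed:
        return "limited"
    # Managed device that is behind on patches or has been away too long:
    # send it to patching before it touches anything else.
    stale_patch = (today - dev.last_patched).days > MAX_PATCH_AGE_DAYS
    long_absent = (today - dev.last_seen).days > MAX_OFFLINE_DAYS
    if stale_patch or long_absent:
        return "remediate"
    return "full"

# Which resource sensitivities each tier may reach (assumed mapping).
ALLOWED = {"deny": set(), "remediate": set(),
           "limited": {"low"}, "full": {"low", "high"}}

def may_access(dev: Device, sensitivity: str, today: date) -> bool:
    return sensitivity in ALLOWED[access_tier(dev, today)]

# Constructed sample devices, evaluated on a constructed date.
TODAY = date(2021, 9, 1)
LAPTOP = Device("corp-laptop-01", True, True, date(2021, 8, 20), date(2021, 8, 31))
RETURNING = Device("corp-desktop-07", True, True, date(2020, 3, 10), date(2020, 3, 13))
TABLET = Device("byod-tablet-22", True, False, date(2021, 8, 1), date(2021, 8, 30))
UNKNOWN = Device("unknown-99", False, False, date(2021, 8, 1), date(2021, 8, 30))

if __name__ == "__main__":
    for d in (LAPTOP, RETURNING, TABLET, UNKNOWN):
        print(d.device_id, access_tier(d, TODAY), may_access(d, "high", TODAY))
```

The corporate desktop that has sat unused since the office closed holds a valid certificate and is managed, yet it still lands in the remediation tier until it is patched, which is the assessment step a return to the office calls for.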
The Road Ahead for Hybrid Security
The explosion in remote workers brought multiple IT and workplace trends to a head, causing IT leaders to adjust their approach to a rapidly changing landscape. And now, as employees return, those trends will be affected by a new bout of challenges.
The proliferation of the Delta variant combined with the public’s growing support for telecommuting means that businesses will have to be able to support a mixture of remote workers and in-office staff into the foreseeable future. Additionally, BYOD culture will continue to put pressure on organizations to reduce the risk caused by the explosion of devices trying to connect to the network and allow employees to leverage technology to maximize productivity.
Whether employees are on-premises all the time, some of the time, or never, enforcing strict access controls built around identity, trust and device management will remain a critical part of securing applications and data.