I met today with my colleague from a major entertainment studio, and he relayed to me a growing concern that will soon be facing the majority of businesses: how to securely manage the new trend of remote workers. It isn’t enough to simply view this as an aberration. As more of the workforce proves to be productive even at a distance, technology is going to be a communication enabler as well as a means to ensure corporate policy and procedures are met, but only with the proper foundation.
The premise of his worry is sound: with over 90% of his users now unexpectedly away from the office, how can there be a reasonable assurance of information security in terms of confidentiality and integrity of the corporate assets? Like most companies, they were caught unprepared for this mass migration and have had to tighten down in areas they never would have thought to look at any other time. They did what could be reasonably expected of any team: they gathered resources and thought outside of the box.
Starting with logging and data gathering, they sought out trends of risk and measured them against previously known user behaviors. They analyzed traffic for new problems and worked to lock down resources that didn’t need to be online in order to protect the integrity of the data from unnecessary or unwanted access. Whenever they could, they implemented scripting and active policies within their platforms that allowed software to take the burden of action off of the department and let them focus on protecting rather than reacting. All told, they hit all the major points that could be reasonably expected of them when dealing with a hundred thousand endpoints and near zero warning.
But one thing missing, I mentioned, is what comes next. How do you prepare for this new norm and transition to it being more than just a fluke but the standard of the workplace? In moving so rapidly, a knee-jerk reaction can lead to a false sense of security that all is working as it should be. Users are connecting, work is progressing, and security seems to be the same as before. But what has changed is the landscape. The data that was once reasonably secured within the corporate environment has moved so far from the center of traffic and in so many directions that it cannot be managed with tools that were once used with effectiveness when users were at their desks.
I counseled my colleague to begin to look into changing his settings and methods of monitoring. No longer can it simply be assumed that products that were configured for stationary workers will work as desired. Start from a ground-up approach, as if you were walking in as a director on the first day: assume nothing and test everything. For instance, look to your remote access methods: were they designed with enough overhead to perform all the necessary screening that they were designed for when only 15% of the user base logged in, or are they now dropping services because they are overwhelmed? When your cloud access gateway was first conceived, how much overhead did you bake in? All of these questions and more now have to be investigated with a fresh perspective.