It Started with a Travel Moratorium… and It Never Really Ended
Back in 2019 and early 2020, I, like most of us, traveled for work frequently. Sure, I worked from home on frequent Fridays, but it wasn’t the norm for me to do so for 5 days a week at the time.
My travel involved waking up at 3 AM on Monday, catching a Lyft to the airport, flying out of Atlanta into LaGuardia or EWR every week, and living out of a hotel till Thursday evenings when I flew back home. I’m not unique, as many in the business of IAM, and many other trades that call for it, can attest to worldwide travel week in and week out to meet the needs of clients where they live.
That all changed in February of 2020 when I remember canceling 2 months’ worth of pre-booked travel to our client site in response to the spread of COVID-19.
In tech, this raised copious questions of whether we, as a populace, were ready to work from home, and for employers it raised concerns as to whether employees could work from home with the same efficiency and security as in an office setting. It should be noted that we learned a lot about what works and what doesn’t with WFH, and the benefits, in my opinion, far outweigh the costs.
That being said, this isn’t an article about the benefits of WFH, but by using that as a springboard, let’s talk about what it means for Identity Management Organizations worldwide, and what the Pandemic Perimeter brought to the forefront of Identity Security in 2020 and 2021.
The BYOD Boom
At the advent of the pandemic, many firms had already begun transitioning to workforces empowered to use their own devices for professional means. The companies who were ready for the major change that would be coming, for multiple reasons other than foreseeing a pandemic, had accounted for the risks that BYOD carried and had mitigated them accordingly.
Those that hadn’t faced a litany of problems in the first few months of the BYOD boom: providing end-users the access they needed to continue to work, while simultaneously extending the corporate perimeter to include personal devices and networks in a secure fashion.
Onboarding Personal Devices: For orgs that didn’t issue personal laptops or tablets, the transition to WFH meant accepting your employees’ laptops, phones, and tablets into the corporate security perimeter. This also meant figuring out how to link device identities and user identities in meaningful ways that returned data to administrators about end-user devices and allowed for device policy decisions and enforcement.
The Answer: Mobile Device Management (MDM) and pushing anti-virus or firewall software to devices that forced compliance with corporate policy when on the corporate network, as well as laptop/desktop management software that reported on and maintained hardware and software compliance with corporate standards. Platforms like Microsoft Intune Company Portal or MaaS360 saw major adoption in 2020 and saved IT orgs a great deal in new hardware costs and in the cost of securing and rolling devices out to end-users.
This also allowed for building the foundation to extend RBAC/ABAC policies that dictated access to end-user applications and services to personal devices, while simultaneously providing Data Exfiltration risk mitigation with data security policies built into the framework of these platforms out of the box.
Mind you, the beauty of BYOD security is that users can still manage their personal lives on the same devices with zero restrictions outside of their work responsibilities, while access to any and all corporate applications, and the data within those applications, remains secured.
VPN Security Centered around Identity
Even before COVID-19, that Friday work from home privilege I mentioned earlier was a direct result of my ability to use the Virtual Private Network (VPN) access provided to me by my clients to their secured devices, or to a personal device subject to corporate policy.
Once the virus had spread to the point where one day a week turned into a daily reality, it became evident that, aside from throughput and load concerns, securing access to the VPN and expanding the apps/services available over it to match the on-site corporate network would pose security challenges that many were not ready for.
0-100 Real Quick
Historically, we estimate that most companies, pre-pandemic, had an average of 5-15% of their users enrolled and actively using the corporate VPN, either on that one day a week or in emergency situations (my fellow Saturday night emergency responders can relate to many a night ruined by an incident that couldn’t wait). Going from that to 80%+ of your workforce leveraging the corporate VPN meant that the songs we security experts were singing about the importance of securing the tunnel were starting to top the charts, so to speak.
In 2020 we saw an increase in corporate enforcement of complex password policies, history requirements, and reset requirements. While this is an important step to manage and secure centralized user credential pairs in systems like Active Directory that are plugged into quite literally everything at most organizations, it is not nearly enough to prevent breaches that arise from BYOD and expanded VPN usage.
MFA and Biometrics changed the game
Use of Multi-Factor Authentication (MFA) to secure VPN access, on top of the traditional username and password, is imperative to making sure the right person is accessing your corporate VPN. On top of that, using biometric security to protect the application that provides end-users with the MFA code, be it for VPN or other apps, is an additional layer of security that many providers offer out of the box.
Additionally, biometrics on devices that support them, or hardware authenticators like YubiKey, as the basis of authentication to BYOD or corporate devices can cover a wide variety of threats that username-and-password authentication cannot.
Home Networks and WiFi Security
Look, we all love wireless fidelity, but most people don’t understand the security risk posed by a network device that doesn’t require you to carry a 30-foot Ethernet cable all around your house to access it.
WFH’s biggest risk, in our professional opinion, is the home wireless network when all other aforementioned aspects have been mitigated to some degree. It is extremely important to make sure your home network is secured with strong, modern data encryption and firewalls. Home networks are a major target of bad actors who commit a wide variety of fraudulent activities if allowed to run amok. There are a few basic rules to securing a home WiFi Router that corporations should educate their employees about before rolling out access to VPNs or RDPs:
Rule #1: Make sure your User’s router is current:
This means it is relatively new, and still gets security patches, firmware updates, and other maintenance updates from the manufacturer automatically. Manufacturers make a living selling you these devices, but the reason you pay a little extra for a good router is the support framework that comes with it.
TP-Link, Netgear, and Linksys, historically, have been excellent at patching and providing routers with great performance, but there are many competitors that offer similar capability, so do you and your end-users a favor by compiling a list of acceptable home network devices for end-users to use before extending WFH capabilities.
Rule #2: WPA2/WPA3 Personal with AES is a must AT MINIMUM, Enterprise would be best:
This should be obvious, but the bare minimum to secure a wireless network is a complex password to access it. WPA3 is the better and most recent standard for encrypting user data, but many devices don’t support it, so it could pose compatibility issues with the devices in your home. If using WPA2 Personal, then use a complex password that is changed periodically.
The ideal situation is where you can use WPA2-Enterprise at home, especially when working from home and diving into the corporate network. The difference between the two is quite simple: WPA2 Personal requires a single password to access a network, while WPA2 Enterprise requires you to authenticate to the network using a username and password combination unique to each user of the network. The drawback is that while WPA2 Enterprise is extremely secure, it requires maintaining a credential DB as well as a RADIUS server for authentication, which is problematic for users with less know-how to manage.
Make sure you understand your users’ technical proficiency before applying policy. Although Enterprise would be the best security option, there are ways to make Personal just as effective with the appropriate controls.
Rule #3: Wireless MAC Filtering is a MUST:
Especially if using WPA2 Personal, this is a necessity when accessing corporate networks, and is good practice for overall home-network security as a whole. Wireless MAC filtering lets you define which devices are allowed to access the network and bars entry to any device not on that list. When a device tries to connect to the network, even if the password was leaked in some way, it will be shut out if it isn’t on that list.
A good router will come with management software that lets you easily edit this list, either from your phone or from the admin panel for the router, and will notify you when devices attempt to enter your network, allowing you to decide whether to allow or deny those devices access. If it is an unknown device, and no one you know has tried to access your networks, this would be a fantastic time to change your password and network SSID.
Secure and User-Friendly Access Request Processes
Many organizations “run and gun” access requests: while access request flows and processes exist, most approvals come verbally or via email, at which point admins, users, and managers perform the tasks in Identity Governance systems or directly in applications, commenting in the ticketing or IGA system where the approval was received in order to maintain a record of that access.
In this pandemic world, you don’t have the privilege of catching David at lunch and asking him if it makes sense to give his new subordinate access to the file share his team and others collectively use. If you thought emails were a solution, you’ll be waiting on him to respond to it amongst hundreds of others where it can get lost/forgotten.
Liaising with thousands of Davids, or waiting for an email from them approving access, or even expecting them to approve access using an automated email sent by your identity or ticketing software that makes this a bit easier to execute is still impractical. While you wait, your unresolved incident total continues to climb, and users continue to be unable to do their jobs.
It is imperative to cover the majority of your access requests in an automated fashion. This means that basic access to non-privileged systems and applications that are not “Mission Critical” should be pre-approved based on user roles and permissions already available to them. It also means holding discussions with department heads and application owners to establish which accesses can be automated and fulfilled implicitly without explicit approval, and which can be delegated to app owners and team leads who approve or deny access for their users.
Identity professionals should spend their time monitoring security risks, integrating new services, and growing the business with Identity at its center, not fulfilling access requests manually. Those requests that need manual intervention should be managed using ticketing software integrated tightly with your Identity Governance Solution, thereby leaving clear and concise audit trails that make Identity Administration and Access Requests easy.
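The three tiers described above (pre-approved by role, delegated to the app owner, or manual via a ticket) can be encoded as a small routing policy with an audit record for each decision. This is an added example, not code from the article or any IGA product; the application catalog, roles, owners and record format are constructed for illustration.

```python
"""Access-request router: auto-approve role-entitled basic access, route the rest.

Added example; catalog entries, roles and owners below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class App:
    name: str
    owner: str                 # app owner / team lead for delegated approvals
    privileged: bool           # grants admin or elevated rights
    mission_critical: bool     # never pre-approved, always an explicit approval
    allowed_roles: frozenset   # roles pre-approved for basic access


@dataclass
class Decision:
    outcome: str               # "auto-approved", "delegated" or "manual"
    approver: str              # who signs off ("policy" for automated)
    reason: str


# Constructed catalog, as agreed with department heads and app owners.
CATALOG = {
    "wiki": App("wiki", "kb-team", False, False, frozenset({"engineer", "analyst"})),
    "team-share": App("team-share", "david", False, False, frozenset({"engineer"})),
    "payroll": App("payroll", "hr-lead", False, True, frozenset({"hr"})),
    "ad-admin": App("ad-admin", "iam-team", True, True, frozenset()),
}


def route_request(requester: str, roles: set, app_name: str) -> Decision:
    """Decide who (if anyone) must approve, per the article's three tiers."""
    app = CATALOG.get(app_name)
    if app is None:  # unknown app: never silently grant, send to the identity team
        return Decision("manual", "iam-team", f"{app_name!r} not in catalog")
    if app.privileged or app.mission_critical:
        return Decision("manual", "iam-team", "privileged/mission-critical: ticket required")
    matched = roles & app.allowed_roles
    if matched:
        return Decision("auto-approved", "policy", f"role(s) {sorted(matched)} pre-approved")
    return Decision("delegated", app.owner, f"non-privileged; app owner {app.owner} decides")


def audit_record(requester: str, roles: set, app_name: str, d: Decision) -> dict:
    """Audit-trail entry the IGA/ticketing integration would persist for the request."""
    return {"ts": datetime.now(timezone.utc).isoformat(), "requester": requester,
            "roles": sorted(roles), "app": app_name, "outcome": d.outcome,
            "approver": d.approver, "reason": d.reason}
```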
Security is a Team Effort
These basic tenets help secure a home wireless network, allow users to securely access corporate networks, applications, and services from BYOD or corporate devices, and prevent stress on your Identity and Application teams from an egregious number of access requests in the WFH landscape.
The main takeaway here is that it is the mandate of IT professionals, both in Network and Identity Security, to educate end-users about the risks that WFH poses and the actions we are taking to mitigate those risks, so they are not reluctant to adopt these increased security measures. Without end-user buy-in, best practices are absolutely useless, and your pandemic perimeter becomes a liability rather than a business enabler.