The current Work-From-Home phenomenon opens up such a gaping attack surface that enterprises have no choice but to buck up.
A comfort zone is a psychological state where things feel familiar and we retain a sense of control over our environment, leading to reduced anxiety and stress.
We have all experienced this phenomenon at some point in our personal or professional lives. If we are lucky, we get inspired to take ourselves out of our comfort zone and, in the process, learn new skills or grow as individuals.
Sometimes, we get taken out of our comfort zone by circumstances and are forced to challenge our foundational assumptions. The current global scenario is one such circumstance that is pushing IT security teams outside of their normal operating model.
Technology leaders had been gradually moving towards enabling remote working for several years anyway—some industries more enthusiastically than others. The events of Q1 2020 have acted like a forcing function in terms of accelerating this shift. Today even companies with a primarily in-office workforce have no choice but to enable work-from-home (WFH) scenarios for their employees as part of their business continuity strategies.
So, will enterprises emerge from this phase with an improved security posture, or a weaker one? As usual, the answer depends on the choices CISOs make for their security program.
Perimeter-based security is not enough
Enterprises that understand and adapt to the new risk surface presented by global WFH scenarios will be better defended against emerging threats and attack campaigns. In this new reality, applications and users need to be protected differently than in the past. Let us take the example of enterprise application access—the primary mandate most business continuity and security teams are grappling with today.
The traditional method of enabling remote access to enterprise applications is through a virtual private network (VPN). In the scenario we face today, the access model for enterprise applications has been inverted, with a majority of users working remotely. A new approach is clearly required.
Perimeter-based network security controls such as VPNs are insufficient to secure access to these applications because they are designed to provide access to a segment of the network, not an application or resource. This opens up the enterprise to more risk than is acceptable.
What is more, attackers are actively exploiting vulnerabilities in common perimeter-based security appliances to compromise enterprise environments, as identified by the NSA and NIST in their advisories.
In addition to the security issues associated with VPN infrastructure, deploying and scaling up new VPN infrastructure to support a rapid increase in remote workers is an uphill battle.
ZTNA for WFH
Traditional perimeter-based security approaches rely on most employees and applications operating within an implied trust zone, i.e., inside the enterprise network. The better way is to work on the assumption that every access request, whether it comes from within the enterprise network or from outside, is hostile. This Zero Trust Access (ZTA) principle works much better in an increasingly digital world.
ZTA is different because it increases the focus on authentication and authorization prior to granting access on a per-resource basis, and also on reducing the risk surface by design. Since users and applications are now everywhere, it makes sense to use user identity and device posture to make application access decisions.
The value of this approach has been recognized by neutral industry bodies such as NIST, Forrester and Gartner. Gartner calls this approach Zero Trust Network Access (ZTNA) and predicts that by 2023, 60% of enterprises will phase out their remote access virtual private networks (VPN) in favor of ZTNA.
Zero Trust access technology should ideally be delivered as a cloud-based service, accelerated by a content delivery network or other edge security architecture. This ensures that enterprises can handle sudden spikes in workload easily and can deliver users the same experience as they would have had working from within the enterprise network.
At Akamai, we are already seeing leading organizations respond quickly to new WFH requirements—enabling 30,000 users to work from home in a matter of just two weeks using ZTNA.
Patching other security loopholes
Enterprise users working remotely are now the target of attackers looking to exploit the current global fear and confusion. Most companies have some form of email security gateway, but attackers are still able to succeed with their phishing and business email compromise campaigns.
Therefore, enterprises need to ensure that their employees’ devices are not communicating with suspicious external domains or exfiltrating sensitive data to unauthorized servers. There needs to be a combination of DNS-based security and inspection of outbound internet traffic on the employee device. The security posture of the employee device needs to be constantly assessed and this assessment needs to feed into access decisions for enterprise applications.
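To make the contrast concrete, the sketch below (an added example, not Akamai's or any product's code) sets a VPN-style segment check beside a per-request Zero Trust decision that uses user identity, per-resource authorization and a fresh device posture assessment, as described in the ZTNA section and the paragraph above. The policy table, address pool, field names and the 15-minute freshness limit are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample policy: resource -> groups allowed to reach it.
RESOURCE_POLICY = {
    "payroll-app": {"finance"},
    "wiki": {"finance", "engineering"},
}
VPN_SEGMENT = ip_network("10.8.0.0/16")  # constructed VPN address pool
MAX_POSTURE_AGE_S = 900                  # assumed: posture older than 15 min is stale

@dataclass
class Device:
    disk_encrypted: bool
    os_patched: bool
    posture_checked_at: float  # epoch seconds of the last posture assessment

@dataclass
class Request:
    user: str
    groups: frozenset
    mfa_passed: bool
    device: Device
    source_ip: str
    resource: str

def perimeter_allows(req: Request) -> bool:
    """VPN-style check: being on the trusted segment is enough for any resource."""
    return ip_address(req.source_ip) in VPN_SEGMENT

def zero_trust_decision(req: Request, now: float) -> tuple[bool, str]:
    """Per-request, per-resource decision; the source network grants nothing."""
    allowed_groups = RESOURCE_POLICY.get(req.resource)
    if allowed_groups is None:
        return False, "unknown resource (default deny)"
    if not req.mfa_passed:
        return False, "user not strongly authenticated"
    if not (req.groups & allowed_groups):
        return False, "user not authorized for this resource"
    dev = req.device
    if now - dev.posture_checked_at > MAX_POSTURE_AGE_S:
        return False, "device posture stale"
    if not (dev.disk_encrypted and dev.os_patched):
        return False, "device posture non-compliant"
    return True, "allow"
```

An engineering user connected through the VPN passes the perimeter check for the payroll application but is denied by the per-resource decision, while a finance user on a home network with a compliant, recently assessed device is allowed.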
Home wi-fi networks or employees’ personal email accounts are also fair game for attackers. So, it becomes important for CISOs to ramp up their security awareness programs. After all, a good security strategy is about people as well as technology.
Now that employees’ personal and professional technology environments have converged, it is likely that they will have a renewed interest in security awareness programs. Including security awareness messaging in ongoing business continuity communications is a great way to get the message out.
CISOs that modify their security awareness and communication strategy to suit the rapidly-changing work environment can improve employee contributions to their organization’s security maturity.
In addition, intense experiences often have great potential for spurring learning and growth. Boot camps are used during military training to transform regular individuals into military personnel. Applying that analogy to the cybersecurity industry, organizations (and employees) that treat this period of change as a cybersecurity ‘boot camp’ can emerge better-prepared for the digital security challenges of the coming decade.