Using IGA to ensure data protection and privacy with a remote workforce
Remote working has been a hot topic for many years. Internet-based tools and capabilities have made it easier to enable remote working and work-from-home, leading to a steady increase in the number of enterprises offering these options to their employees. However, the emergence of COVID-19 and the widespread work-at-home directives used to curb the progress of the pandemic have initiated an experiment in remote working on a grand scale. So, what have we learned so far?
The first thing we learned is that remote working can be done on a grand scale. Despite initial technical issues, IT departments, cloud service providers and communication service providers adapted quickly and successfully to meet demand. We also confirmed that employees like working from home and the flexibility that it offers, with many remote workers stating that they have no intention to return to the office. Remote working and work-from-home are here to stay and are now the new normal for enterprises.
Time to plan for the new normal of remote working
While enterprises, cloud services and telecommunication companies can rightfully be proud of their ability to react quickly and adapt to the unprecedented situation that COVID-19 instigated, now is the time to start planning for the long-term reality of remote working and what that means for enterprises.
One of the areas of particular concern is data security. In a recent blog entitled “Gartner top 10 security projects for 2020-2021”, the number 1 security project recommended by Gartner was securing your remote workforce. Gartner recommended that their clients “Focus on business requirements and understand how users and groups access data and applications. Now that a few months have passed since the initial remote push, it’s time for a needs assessment and review of what has changed to determine if access levels are correct and whether any security measures are actually impeding work”.
With remote working, the attack surface has increased dramatically on devices and in environments that lie beyond the control of the enterprise. This is not welcome news for stressed and over-worked security teams who already struggle to respond to security events today.
The target for malicious actors is in most cases customer personal identity information, which not only raises security concerns but also compliance and governance issues. With countries around the globe following the lead of the EU with strict data privacy and protection laws, the cost of a data breach can also include litigation by governments for lack of an adequate response.
While strict policies and guidelines can be prescribed to ensure remote workers are working responsibly, the key for enterprises is to ensure that access to sensitive data is governed and monitored centrally. Identity Governance and Administration (IGA) solutions and best practices ensure that only the right people have access to sensitive data. IGA also ensures compliance with data privacy and protection laws even in the worst-case scenario of a data breach.
IGA can provide the foundation for enabling remote working in a secure and compliant manner, allowing the enterprise to adapt to the new normal of a remote workforce.
The grand remote working experiment
Over the past years, several surveys have been performed on remote working with similar conclusions. One of the main conclusions is that workers prefer to work remotely.
For example, Buffer, together with AngelList, has performed a State of Remote Working survey for the past three years with consistent results. In 2018, 2019 and 2020, the percentage of respondents who said they would like to work remotely was 90%, 99% and 98% respectively. These results are mirrored by similar state of remote working surveys over the same period. In the Remote Work 2020 survey, 82% of remote working survey respondents stated that they do not plan to ever return to an in-office setting.
In both surveys, the biggest benefits of remote working were a flexible schedule and the ability to work from anywhere. Even so, around 80% of remote workers work from home, which might sound comforting to security professionals, but it still means 20% of remote workers are accessing the enterprise network from libraries, coffee bars and co-working spaces.
Up until this year, remote working was not the norm in most companies. With the outbreak of COVID-19, many enterprises had to send all employees home to work remotely and thereby instigated a grand experiment in remote working. Despite initial problems, where Internet networks needed to be reconfigured, leading to some outages and IPsec VPN capacity constraints, the networking, security and IT support community scrambled admirably to meet the challenge. As we now experience a second wave of COVID-19 cases around the world, there is more confidence that the infrastructure can meet any challenges.
But, during all this scrambling to make things work, there has been little time to consider the data security implications of remote working. With infrastructure challenges behind us, perhaps this is a good time to consider data security, protection and privacy while preparing for the new normal of remote working.
Remote working leads to an increased attack surface
Security teams have been struggling for many years to keep up with the relentless growth in malicious attacks and the ingenuity of cybercriminals. A 2019 survey by Critical Start of Security Operations Center (SOC) professionals found that 80% of respondents reported their SOC experiencing between 10% and 50% analyst churn in the previous year. This is directly due to an increase in the number of alerts that each analyst needs to examine.
COVID-19 and the need for remote working has added stress to these teams. According to a recent report from ESG and ISSA, “COVID-19 has forced cybersecurity professionals to change their priorities/activities, increased their workloads, increased the number of meetings they have had to attend, and increased the stress levels associated with their jobs. CISOs should take note of these changes and closely monitor cybersecurity team members for signs of burnout.”
In addition, the number of attacks has increased during COVID-19. A recent report from VMware Carbon Black found that “The sudden global shift to homeworking due to COVID-19 has both increased cyberattack activity and exposed some key areas for security teams to address”. 91% of global respondents in the report’s survey stated that they had seen an increase in overall cyberattacks as a result of employees working from home.
Remote working poses both a data security and data privacy challenge
The main target for cybercriminals is what is termed Personally Identifiable Information (PII). According to the latest “Cost of a data breach report 2020” from the Ponemon Institute, 80% of data breaches involve customer PII. The average cost of a data breach for an enterprise with more than 25,000 employees is $5.52 million, while the cost to smaller organizations of fewer than 500 people is $2.64 million.
This poses two sets of challenges: the first is a data security challenge, as remote working effectively increases the attack surface; the second is that customer data privacy is also compromised.
With remote workers accessing enterprise networks through home office environments that might or might not be secure, there are more vulnerabilities for cybercriminals to exploit. Security teams can do very little unless corporate devices are allocated to each remote worker. But even in these cases, it is hard to prevent users from accessing personal applications like social media, personal storage, streaming services and games using their enterprise device. The protections enjoyed inside the corporate perimeter are no longer available.
The fact that customer PII is the main target for cybercriminals opens a new concern, namely data privacy and compliance. New data protection and privacy legislation similar to the EU’s GDPR is being adopted across the globe. According to the UN, 66% of countries globally now have data protection and privacy legislation in place. These laws stipulate how quickly users need to be informed when a data breach occurs. Using GDPR as an example, organizations have up to 72 hours to inform affected customers of a detected data breach or face fines of up to €20 million or 4% of annual global turnover (whichever is higher).
This is a significant extra cost should a breach occur and affected customers cannot be identified quickly. The EU has also been willing to litigate in this area, with fines already totaling €176 million in the past two years.
Identity Governance and Administration (IGA) for remote working
Protecting access to sensitive data by remote workers is not just about security devices and VPN solutions. It is also about managing who has access to specific data and ensuring that they can only access the data they are entitled to. While it might not be possible to control the type of device or connection that remote workers use to access data, it is still possible to enforce rules on the type of data that a specific identity or role can access in a specific situation.
The Omada IdentityPROCESS+ framework provides best practice guidelines on a wide range of IGA issues. This includes managing identities and roles, managing the type of data that specific identities and roles can access, and responding to security breaches involving identities. The framework also includes guidance on governance and compliance with data protection and privacy laws, including risk assessment of assets.
In preparing for remote working, enterprises can use IGA solutions like the Omada Identity Cloud and the IdentityPROCESS+ framework to establish a solid foundation for data protection and privacy using the following recommendations:
- Document who has access to which IT data and information resources
- Map identities to roles and create policies for the entitlements associated with a specific role
- Ensure that when the work of a role changes, its entitlements change with it
- Enforce segregation of duties so multiple roles associated with an identity do not lead to unintended access to sensitive data
- Improve efficiency by allowing real-time request and approval processes for data access
- Perform regular audits on data access and compliance to identify anomalies
- Use risk scores associated with each data and information resource to understand the severity of audit events
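One way to model the role-to-entitlement mapping, segregation-of-duties rule and risk-scored audit events from the list above, as an added Python example that is not Omada's code. The identities, roles, entitlements, SoD rule and risk scores are constructed sample values.

```python
# Constructed sample data: which entitlements each role grants.
ROLE_ENTITLEMENTS = {
    "support_agent": {"crm.read_customer"},
    "billing_clerk": {"billing.create_invoice"},
    "billing_approver": {"billing.approve_invoice"},
    "data_analyst": {"crm.export_customers"},
}
# Constructed risk score per resource; higher means more sensitive.
RESOURCE_RISK = {
    "crm.read_customer": 3,
    "billing.create_invoice": 2,
    "billing.approve_invoice": 4,
    "crm.export_customers": 8,
}
# Segregation-of-duties rule: one identity must never hold both entitlements.
SOD_RULES = [("billing.create_invoice", "billing.approve_invoice")]


def effective_entitlements(roles, role_map=ROLE_ENTITLEMENTS):
    """Union of the entitlements granted by every role an identity holds."""
    ents = set()
    for role in roles:
        ents |= role_map.get(role, set())
    return ents


def sod_violations(roles, rules=SOD_RULES):
    """Return the SoD rules an identity's combined roles would violate."""
    ents = effective_entitlements(roles)
    return [rule for rule in rules if rule[0] in ents and rule[1] in ents]


def audit(identities):
    """identities: {name: {"roles": [...], "granted": {...}}}.
    Flags access granted beyond what current roles justify (e.g. left over from
    a previous role) and SoD conflicts; events are sorted by risk severity."""
    events = []
    for name, rec in identities.items():
        expected = effective_entitlements(rec["roles"])
        for ent in sorted(rec["granted"] - expected):
            events.append((name, "excess:" + ent, RESOURCE_RISK.get(ent, 1)))
        for first, second in sod_violations(rec["roles"]):
            severity = RESOURCE_RISK[first] + RESOURCE_RISK[second]
            events.append((name, "sod:%s|%s" % (first, second), severity))
    return sorted(events, key=lambda ev: ev[2], reverse=True)


# Constructed identities: carol kept an export entitlement after leaving the analyst role.
SAMPLE = {
    "alice": {"roles": ["support_agent"], "granted": {"crm.read_customer"}},
    "bob": {"roles": ["billing_clerk", "billing_approver"],
            "granted": {"billing.create_invoice", "billing.approve_invoice"}},
    "carol": {"roles": ["support_agent"],
              "granted": {"crm.read_customer", "crm.export_customers"}},
}
```

Running audit(SAMPLE) ranks carol's leftover export access (risk 8) above bob's SoD conflict (risk 6), which is the ordering an analyst would want when triaging audit events.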
The Omada Identity Cloud provides the tools and automation to help enterprises implement the processes recommended in the Omada IdentityPROCESS+ framework. The solution allows real-time enforcement and monitoring of data access and automation of audit processes, especially compliance audits. A compliance dashboard provides an overview of all the systems that contain sensitive data as well as the compliance level of each application and system. If there are compliance issues, remedial actions are recommended and can be executed immediately.
Securing data in a remote work world
Remote working is here to stay, which means it is harder to control the environment in which employees work and access data. However, with IGA it is possible to control which data can be accessed and in which situations that access can be allowed. With regular audits and the compliance dashboard, it is possible to identify potential issues and take remedial action quickly. This goes a long way towards ensuring the protection and privacy of customer data and compliance with government regulations.