Pandemic response has forced a rapid adoption of remote working for all organisations. For many, this involves cultural, policy, procedural, and technology changes to the way we operate. This has happened with astonishing speed, showing what we are capable of when suitably motivated.
But of course, this now exposes additional risk.
The device is now outside of our corporate network; we are providing access via VPN, via SaaS, or our application delivery networks. We need to acknowledge there will be a shift in user behaviour relative to our data.
There are two key challenges we need to address.
- Who is at the end of the line – now that our users are not inside our network, how do we attest they are who they say they are?
- What do they have access to – how do we ensure we are limiting access to what people need?
All we need is one employee to connect to somewhere they shouldn’t, or share something they normally wouldn’t, and we have a data breach.
Who is at the end of the line?
The importance of this question will depend on what it is the person is doing. If they are reading our public web site, we probably don’t care; however, if they are working with our confidential customer data, this is a different problem.
If our workforce transitions to working from home, this becomes important. We want to make access decisions that consider the device, the location, and the person. We need our tools to work together to provide this information and make appropriate access decisions. Getting the Identity & Access Management (IAM) solutions behind this to ensure we know who the person is, that they can only access what they should, and that we are making suitable access decisions with the ability to record the user activity, is critical.
What do they have access to?
Once we know who it is, we want to make sure we know what they should be entitled to see. While effectively identifying people limits our risk of breach, limiting access reduces the impact.
We want to control access based on the business need of the person to effectively do their job. Decisions relating to this access need to be made based on rules or decisions from managers or resource custodians. IT should not be making these decisions or changes!
Role of Identity Management
Managing the inherent risk of remote workers requires our identity policies, processes, and technology to lift. Maturing our approach to identity management means we:
- Improve the ability to effectively identify people in a way that is unobtrusive and secure
- Apply access rules allowing the level of access appropriate for user needs
- Empower managers to control these levels of access
Assess, plan, act.
Understanding the current state of affairs is always crucial so we know where the risks, weaknesses, and opportunities are. Plan an approach that addresses the risks and opportunities, and works with the capabilities and assets of our business. And lastly, target activities that generate improved experience and security, while managing the scope to ensure we can deliver.