The coronavirus pandemic has brought about a permanent, large-scale shift to distributed work. Unsurprisingly, traditional access controls quickly proved themselves ill-suited for remote staff. Security teams were not unaware of this — as reported by Security Magazine, nearly 80% of organizations increased their focus on identity-based security as a result of the pandemic.
Even once things return to some semblance of normal, telecommuting isn’t going away. We’ve all had a taste of working from home. We know how convenient it is, and we know that, for the most part, we can do it without having to worry about lost productivity.
Moving forward, a hybrid workplace that supports both distributed and traditional, in-office work is inevitable.
If you’re to protect your systems and data without creating a legion of frustrated employees, Identity & Access Management (IAM) is non-negotiable. You need to ensure that your users have immediate access to the resources they need, no matter where they are. And you need to do so without damaging your organization’s security posture.
IAM allows you to achieve both but only if it’s implemented properly. With that in mind, we’re going to go over a few IAM best practices you cannot afford to ignore.
Leverage Multi Factor Authentication
There’s no shortage of media around the impending obsolescence of passwords. Whether or not they’ll vanish entirely in the coming years, they’re still the primary means through which we connect to our digital lives. They’re also horrendously insecure.
In addition to mandating strong, complex passwords (ideally generated via a password manager), it’s therefore imperative that your IAM include multi factor authentication. And not SMS authentication. You’re going to want to rely on a tool like the Google Authenticator — as reported by CNet, using text messages for 2FA puts everyone at risk.
Practice “Zero Trust”
Even though the zero trust model was created more than 11 years ago, in a world defined by distributed work, it’s more relevant than ever. The way this security model works is quite simple. Until it can be verified that a user and their device are trustworthy, they are completely restricted from accessing anything within your perimeter.
As you’ve probably guessed, this approach is ideally suited for IAM, which provides the verification mechanism.
Prune Old Accounts
Orphaned user accounts may not seem like such a big deal. After all, is there even any guarantee that a particular user will remember their credentials? And it’s not like someone could use that account to make off with intellectual property or facilitate a cyberattack, right?
As you’ve probably guessed, we’re being facetious.
You cannot afford to leave any holes in your threat surface. The reality of modern cybersecurity is that you need to fend off countless attacks, but a criminal only has to succeed once. That’s why it’s imperative that you have a mechanism in place for removing unused credentials from your systems.
The simplest way to accomplish this is by automating onboarding and offboarding. When someone joins your organization, the provisioning process is automatic and immediate. They’re provided with an account based on their role, with access to all the systems and data they require to do their job.
When they leave the organization, that account is automatically deleted, removing the user’s access to privileged assets.
Preparing for a Virtual Future
Distributed work isn’t going anywhere anytime soon. If you’re in an industry with the capacity to support remote work, you need to start thinking about how you’ll secure it. Otherwise, you’re setting yourself up for a very rude awakening.