Hidden Security Gaps For Remote Work – Part 1: Identity

Early on at Impelix, we knew that a distributed workforce would be part of our DNA. Whether working from home, a coffee shop, or 30,000 feet in the air, we wanted everyone at our company to able to do their job.

From the start, now over a decade ago, I began to recognize the unique challenges this brought to the organization: gaps, lying hidden, created by our work-from-anywhere workforce. To mitigate them as best I could, I set about putting various technologies in place, ones that weren’t anywhere near as robust or elegant as we have today.

Many of the gaps I identified back then still lie in wait today for many companies who now, a decade later, are instituting fully remote and distributed work forces—and are doing so on an accelerated timeline.

Fortunately, much progress has been made in the development of security solutions that address remote work. I’ve tested and deployed them to mature our work-from-anywhere model, remaining committed to it even as Impelix substantially grew.

For those companies that are now exploring this new territory, I’m embarking on a series to share the insights I’ve gathered from our own journey. First up: Identity.

Part One

Remote Work Security Gap: Identity

To prove identity, two pieces of information are required at minimum: a form of identification and a form of authentication. Traditionally, this is usually some sort of user ID for your identification and a password for authentication. This is known as single-factor authentication (SFA).

The primary method of security here is the password complexity. Unfortunately, humans perform very poorly when generating strong passwords. Additionally, since we are bad at generating complex passwords, we will also tend to reuse the same passwords.

Gap: using weak, reused passwords to access apps, many in the cloud, from outside the trusted network

With the majority of us working from home nowadays, to perform our job, we must authenticate to applications that reside in the cloud and in our organization’s data center from outside of the secured and trusted network. Doing so opens up one more attack surface for bad actors to target. If the account information is compromised, this will likely allow the bad actor access to multiple applications and/or systems within the organization.

In our early days, to mitigate this specific type of security gap, we implemented a very strict password policy along with an aggressive password rotation policy. Then came along two-factor authentication (2FA).

Instead of just a password required to authenticate, we needed another authentication factor. Originally, we started with SMS; however, it’s now considered inadequate. Eventually, we moved to a software token-based solution.

Stop gap: strict and aggressive password policies, plus software token-based 2FA

2FA mitigates the credential theft situation. Without the second factor, a bad actor is unable to gain unauthorized access into the application or systems. This also allows the IT team to reset the user’s password without exposing the organization due to a compromised password.

Modern IAM: 2FA and Beyond

Today’s solution for Identity and Access Management (IAM) is very robust. Along with 2FA, other notable features include 1) Single Sign On (SSO) and 2) adaptive capabilities (where are you acting from, what type of device, are you human or not).

If you haven’t enabled 2FA/MFA in your organization, I highly recommend that you take the time to evaluate an IAM solution. Given the extraordinary times we are currently in, our partner Okta has developed an emergency remote work program for any organization to adopt SSO with MFA at no cost for six months.

As we adjust the way we work, we should also assess and adjust the security necessary to keep our people safe and our companies safe. Let’s all do our part, both physically and in cyber.

Until next time, stay safe everyone.

Featured image credit: chriscom via Flickr