Dawn Mallyon, VP Marketing, Hitachi ID
There’s no telling when employees will be back in the office, if ever. Capital One doesn’t expect to bring employees back until after Labor Day. Amazon has extended its work from home policy to October. Twitter employees never have to return to the office if they don’t want to.
Now is the time to strengthen your organization’s security. Let’s look at five questions every CIO should be asking right now.
What risks do we face with employees accessing applications from home?
If you’re using SaaS applications like Office 365, G Suite and others, getting to them is straightforward for your users: they already sign in over the internet. For on-premises applications you have three options:
- Do nothing or find a workaround. Users won’t have access to on-premises applications until they return to the office. This is the most disruptive option: users locked out of applications means a large drop in productivity, or workarounds you might not like, such as unsanctioned consumer tools. If you go this route, at least look for a SaaS application that approximates what they had in the office, so the workaround is one you chose.
- Use virtual desktop infrastructure (VDI). Users sign into a VDI session and run on-premises applications from a desktop that lives inside your environment. If users are stuck with their personal devices while working from home, this is a good option: the home device only reaches the VDI gateway and sees a screen, so a compromised device does not get a network path to your internal systems. The VDI login still needs to be hardened and protected with MFA, and a compromised endpoint can still capture what the user types and sees.
- Use a VPN. This connects the user’s device directly to the application over your network. It requires less infrastructure and typically costs less than VDI, and users don’t have to jump through several logins to get to work. The trade-off is that whatever is on that device is now on your network too, so limit VPN access to managed devices, or scope the tunnel to the specific applications each user needs rather than the whole network.
How can we secure public-facing logins?
Whichever option you choose, SaaS applications, VDI gateways and VPN concentrators all share one security concern to keep an eye on: public-facing logins.
If anyone on the internet can reach your login page, anyone can try passwords against it, whether by guessing, by spraying a few common passwords across every account, or by replaying credentials leaked from other breaches, and the page is also a natural target for phishing. Implement the following measures:
- Consolidate your login screens. If you use multiple SaaS applications, you might have a number of public-facing logins, each with its own password policy, lockout behaviour and logs. Put them behind a single sign-on platform so MFA, throttling and monitoring are enforced in one place, and disable the direct per-application logins once they are federated; otherwise you have added a login page rather than removed any.
- Add multi-factor authentication (MFA). This should be table stakes. If you can, use a smartphone authenticator app or a hardware token rather than codes sent over SMS, which can be intercepted through phone-number takeover.
- Make passwords the second step. The same goes for PINs and answers to security questions, all of which can be easy to guess. Require the second factor first: a hardware token, a code from an authenticator app, or a code sent to the user’s phone, and only then ask for the password. An attacker who does not hold the second factor never gets to submit a password, so password guessing against the public page yields no signal at all, and the login is only as exposed as the factor in front of it.
- Consider using CAPTCHAs. Put one in front of the first step to keep bots out of the flow. A CAPTCHA is a speed bump for automation, not a replacement for rate limiting and account lockout, so keep those as well.
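The "password as the second step" flow above, as an added example written for this article (it is not Hitachi ID code or a product API). The one-time code is a standard RFC 6238 TOTP implemented from the Python standard library; the `LoginGate` class, its in-memory user table, the lockout threshold and the challenge lifetime are assumptions made for illustration. The point it shows is the ordering: the first request takes only a username and a code, and the password field does not exist until that code has been verified.

```python
"""MFA-first login: the one-time code gates the password prompt.

Added example for this article; it is not Hitachi ID code or a product API.
TOTP is implemented from the standard library per RFC 6238 (HMAC-SHA1, 30 s
steps). LoginGate, its in-memory user table and the lockout limits are
assumptions made for illustration.
"""
import hashlib
import hmac
import secrets
import struct
import time

STEP = 30  # TOTP time step in seconds


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncated HMAC-SHA1 over the counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at // STEP), digits)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class LoginGate:
    """Two-request login.

    step1_otp:      username + TOTP code        -> short-lived challenge token
    step2_password: challenge token + password  -> True / False

    The password is never read until a valid code has been presented, so an
    attacker without the second factor gets no feedback about passwords.
    """

    MAX_OTP_FAILURES = 5   # consecutive bad codes before the account locks (assumed)
    CHALLENGE_TTL = 120    # seconds a verified code keeps the password prompt open

    def __init__(self, users: dict):
        self.users = users           # login -> {"secret", "salt", "pw_hash"}
        self.failures = {}           # login -> consecutive failed codes
        self.last_counter = {}       # login -> last accepted TOTP counter (replay guard)
        self.challenges = {}         # token -> (login, expires_at)

    def step1_otp(self, login: str, code: str, now=None):
        now = time.time() if now is None else now
        user = self.users.get(login)
        # Unknown login, locked login and wrong code all look the same to the caller.
        if user is None or self.failures.get(login, 0) >= self.MAX_OTP_FAILURES:
            return None
        counter = int(now // STEP)
        for c in (counter, counter - 1):          # tolerate one step of clock drift
            if c <= self.last_counter.get(login, -1):
                continue                          # code already spent: refuse replay
            if hmac.compare_digest(hotp(user["secret"], c).encode(), code.encode()):
                self.failures[login] = 0
                self.last_counter[login] = c
                token = secrets.token_urlsafe(32)
                self.challenges[token] = (login, now + self.CHALLENGE_TTL)
                return token
        self.failures[login] = self.failures.get(login, 0) + 1
        return None

    def step2_password(self, token: str, password: str, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self.challenges.pop(token, None)  # one challenge buys exactly one password attempt
        if entry is None:
            return False
        login, expires = entry
        if now > expires:
            return False
        user = self.users[login]
        return hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"])
```

Because a challenge is consumed by the password attempt, a wrong password sends the user back to the code prompt; that throttles password guessing to one try per valid code, which is the property the ordering is meant to buy.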
How can we get IT work done when everyone is remote?
With everyone working from home for the foreseeable future, including your vendors, it’s less and less viable to schedule the work for when you’re back in the office. That means you need a secure way to grant vendors remote access, and a way to take it away again.
- Designate a point person. Put one trusted user from every vendor in charge. That person decides who on their team needs access to your systems, and is the one you go back to when that list needs to shrink.
- Keep vendors off your VPN. Your own users’ personal devices pose a risk on a VPN, and your vendors’ corporate or personal devices are no different: you don’t manage them and can’t vouch for them. Give vendors access to the specific systems they support, through a jump host, a VDI session or an application-level gateway, rather than a network-wide tunnel.
- Use MFA. As with your own users, don’t rely solely on passwords. App-based MFA makes the most sense here, since vendor turnover makes shipping and recovering physical tokens impractical.
What’s the best way to manage access for furloughs and layoffs?
With the economy frozen, many companies have unfortunately had to furlough or lay off workers. One of the most important implications for your organization is keeping tabs on access: every account that outlives its owner’s employment is a credential nobody is watching.
- What is the workflow for revoking access? Does your request and approval workflow for deactivating login IDs still work now that the approvers are remote? Can you quickly and easily set a status for each user, especially when you might have hundreds of layoffs in a day? Is the HR record, rather than a ticket someone remembers to file, the trigger? What additional steps are needed to move and archive content if layoffs are permanent?
- How will you reinstate access at a later date? If employees are returning to the office gradually, you might be able to use the same request and approval workflow to get logins back up and running. This is fine if a handful of users are returning on any given day; it will not keep up if everyone returns at once.
- Can you automate the process? Automation helps at both ends. If you have a high number of layoffs or furloughs, an identity and access management tool can revoke access automatically based on the status in your HR system, treating a furlough (disable the account, keep the mailbox and files) differently from a termination (disable, then archive and eventually remove). If the day comes when you bring everyone back at once, the same automation restores logins from the same status change, so there’s no delay in getting back to work.
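The status-driven revoke-and-reinstate logic described above, as an added example written for this article (it is not Hitachi ID code or a product API). The HR feed is a constructed CSV, the status names, the 90-day retention period and the `plan_changes`/`apply_changes` names are assumptions, and the "directory" is an in-memory dict standing in for whatever directory or IAM connector a real run would call. What it adds to the text is the decision table: furlough and termination are handled differently, reinstatement is the same diff run in the other direction, accounts HR does not know about are treated as orphans, and the plan is computed and reviewed (dry run) before anything is changed.

```python
"""Bulk access revocation and reinstatement driven by an HR status feed.

Added example for this article; it is not Hitachi ID code or a product API.
The CSV feed is constructed, the status names and retention period are
assumptions, and the directory is an in-memory dict standing in for the
directory or IAM connector a real run would call.
"""
import csv
import io
from datetime import date

RETENTION_DAYS = 90  # assumed: how long a terminated user's archived content is kept

# Constructed sample of a daily HR export (not real data). Dates are ISO strings.
HR_FEED = """employee_id,login,status,effective
1001,alice,active,2020-05-01
1002,bob,furloughed,2020-05-01
1003,dave,terminated,2020-05-01
1004,erin,active,2020-05-01
"""


def _days_between(earlier: str, later: str) -> int:
    return (date.fromisoformat(later) - date.fromisoformat(earlier)).days


def plan_changes(feed_text: str, directory: dict, today: str) -> list:
    """Diff HR (the source of truth) against the directory.

    Returns ordered (action, login) pairs:
      furloughed  -> disable, but keep mailbox and files for the return
      terminated  -> disable and archive; delete once the retention period has passed
      active      -> make sure the account is enabled (reinstatement after a furlough)
      not in HR   -> disable; an account HR does not know about is an orphan
    """
    actions = []
    seen = set()
    for row in csv.DictReader(io.StringIO(feed_text)):
        login, status = row["login"], row["status"]
        seen.add(login)
        acct = directory.get(login)
        if acct is None:
            continue  # joiners are a separate provisioning flow, not handled here
        if status == "active" and not acct["enabled"]:
            actions.append(("enable", login))
        elif status == "furloughed" and acct["enabled"]:
            actions.append(("disable", login))
        elif status == "terminated":
            if acct["enabled"]:
                actions.append(("disable", login))
                actions.append(("archive", login))
            elif acct.get("archived_on") and _days_between(acct["archived_on"], today) >= RETENTION_DAYS:
                actions.append(("delete", login))
    for login, acct in directory.items():
        # Service accounts have no HR record by design; everything else without one is suspect.
        if login not in seen and acct["enabled"] and acct.get("kind") != "service":
            actions.append(("disable", login))
    return actions


def apply_changes(actions: list, directory: dict, today: str, dry_run: bool = True) -> list:
    """Apply the plan, or with dry_run just report it. Each step is idempotent,
    so re-running after a partial failure converges instead of acting twice."""
    log = []
    for action, login in actions:
        log.append(f"{'DRY-RUN ' if dry_run else ''}{action} {login}")
        if dry_run:
            continue
        acct = directory[login]
        if action == "enable":
            acct["enabled"] = True
        elif action == "disable":
            acct["enabled"] = False
        elif action == "archive":
            acct["archived_on"] = today
        elif action == "delete":
            del directory[login]
    return log
```

Running `plan_changes` on its own output a second time yields an empty plan, which is the check that the process is safe to schedule: if the second run proposes changes, the directory and HR disagree about something and a person should look before the automation does.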
What should we include in our return to workplace plan?
Just as the transition to work from home was jarring, the return to the workplace will be too.
- How to handle forgotten and expired passwords. Many employees will have forgotten their passwords, or the passwords will have expired. Consider ways to scale your password reset strategy. For example, you could email users a one-time link to reset their password that bypasses the usual security questions. If you do, the mailbox becomes the proof of identity, so the link should go only to an address that was on file before the request, expire within minutes, and work exactly once.
- Reviewing access levels. Between layoffs and other changes, roles and responsibilities may have shifted. Ask managers to review what each of their reports can access and re-approve or remove it. Again, an IAM tool will help efficiently review, update and validate access.
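The one-time reset link suggested above, as an added example written for this article (it is not Hitachi ID code or a product API). The mailer and the token store are stand-ins (an outbox list and a dict) so it runs offline; the URL, the 15-minute lifetime and the `ResetLinks` name are assumptions. It shows the three properties a link like this needs if it is going to replace security questions: it is only ever sent to the address already on file, it expires, and it is spent by the first use whether or not that use succeeds.

```python
"""Single-use, expiring password-reset links.

Added example for this article; it is not Hitachi ID code or a product API.
The mailer and the storage are stand-ins (an outbox list and a dict) so the
code runs offline; the URL, lifetime and names are assumptions.
"""
import hashlib
import secrets
import time

# The same reply whether or not the login exists, so the form cannot be used to
# enumerate accounts.
GENERIC_REPLY = "If that account exists, a reset link has been sent."


class ResetLinks:
    TTL = 15 * 60  # seconds a link stays valid (assumed)

    def __init__(self, base_url: str, email_on_file: dict):
        self.base_url = base_url
        self.email_on_file = email_on_file  # login -> address recorded before any reset request
        self.pending = {}                   # sha256(token) -> (login, expires_at)
        self.password_hashes = {}           # login -> (salt, pbkdf2 digest) once reset
        self.outbox = []                    # (address, url) pairs the mailer would send

    @staticmethod
    def _key(token: str) -> str:
        # Store only a hash of the token: a leaked table cannot be turned back into links.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, login: str, now=None) -> str:
        now = time.time() if now is None else now
        address = self.email_on_file.get(login)
        if address is None:
            return GENERIC_REPLY
        # One outstanding link per login: issuing a new one retires the old one.
        self.pending = {k: v for k, v in self.pending.items() if v[0] != login}
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, not guessable
        self.pending[self._key(token)] = (login, now + self.TTL)
        self.outbox.append((address, f"{self.base_url}/reset?token={token}"))
        return GENERIC_REPLY

    def redeem(self, token: str, new_password: str, now=None):
        """Return the login on success, None otherwise. The link works exactly once."""
        now = time.time() if now is None else now
        entry = self.pending.pop(self._key(token), None)  # pop: spent on first use, success or not
        if entry is None:
            return None
        login, expires_at = entry
        if now > expires_at:
            return None
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
        self.password_hashes[login] = (salt, digest)
        return login
```

Because the reset bypasses every other check, the address it is sent to is the control: never let the same request that asks for a reset also change the address it goes to.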
Now is the time to review security and access from top to bottom and plan for the day you return to the workplace, whether that’s in a month, in a year, or never. Whichever path your organization chooses, you should be ready to manage access rights, passwords, user IDs, and user content to ensure a smooth transition.