The rush to provide remote employees with access to enterprise resources at the onset of the pandemic was the tipping point for remote access as we know it. With IT teams still struggling to sustain remote work via VPN, IT leaders are resisting the urge to redesign VPN ops and are instead looking to modern approaches for securing access to enterprise and cloud resources.
I want to share a few points to help organizations create a more accurate picture of remote populations and related risks.
1. Consider the information being accessed, who’s accessing it, where it’s located – in that order
This point speaks to scalability. The enterprise is not the center of the universe. Customers and business partners are at the center of your universe. And the digital processes that enable their continued success and loyalty are driven by the information stored in enterprise systems. So consider the many people, systems and things that will need to access and generate enterprise information, whether an employee, a third-party, or a sensor; whether from an office building, home office or a street lamp.
External user populations often make up the majority of the remote access base, and also account for most of the revenue attribution and most of the risk. Considering where the information is located can help to prioritize cloud migration efforts and identify flexible cloud-based solutions that can secure all external identities.
60% of all enterprise data breaches trace back to “trusted” third parties.
Watch the video, How to secure third-party identity and access at scale.
2. Separate connectivity from security
The best advice is to separate connectivity from access security so you can focus on authentication and authorization. Separating connectivity from security will help you develop solution requirements in the context of all remote work populations and will ultimately yield more options.
Most enterprises have well-documented information security and governance programs for identifying risks and controls related to employee access. But Gartner reports that only 53% of businesses have a strategy for mitigating third-party-related data access risk, and most lack sufficient third-party monitoring practices to detect new risk. Small wonder that third-party ecosystems are ranked among the top data governance worries for audit executives in 2020.
Consider brushing up on information security standards and governance frameworks (e.g., ISO 27001, NIST 800-53, COBIT), noting that their requirements apply to third parties as well as employees. For example, a branch of the United Nations recently disclosed adverse audit findings related to external identity weaknesses:
- third-party governance and risk framework (high priority)
- third-party user identity and access management (high priority)
- third-party user logging and monitoring of activities (high priority)
Consider the three areas below in the context of your overall external populations to help identify your unique requirements:
- Security: Consider all remote entities in your current and expected digital ecosystems – people, systems and things. Advanced solutions can provide each such entity with an identity, enabling common security and access policies to determine, enforce, monitor and govern access. For authentication, plan to treat each remote login as coming from a stranger (zero trust), yet be able to leverage data and signals from multiple sources to scale security in response to perceived risk. Adaptive authentication is a sound technique to accomplish this, provided that risk scoring considers the aggregate risk of all accounts and entitlements associated with the presented credential, in addition to the standard risk signals (device, geo, time of day, etc.).
- Scalability: A solution to manage millions of third-party identities across thousands of organizations must be secure, available, performant, cost-effective, and able to integrate with unknown systems. B2B solutions can manage access between third parties and scale without adding internal resources, handling far more complex use cases than B2E and B2C. Pay extra attention to user administration: every touch adds cost. Solutions with built-in digital processes to delegate day-to-day user administration to third parties, empower end users with self-service capabilities, and automate onboarding and enrollment will contain your costs and increase digital maturity.
- Interoperability and integration: Advanced B2B integration capabilities enable collaboration wherever needed. In a B2B world, solutions will need to connect to unknown environments and secure access using the method that best enables the business, technical, and performance requirements. Also, real-time lookups in external data stores and provider applications are common to augment risk scoring and access decisions. Messaging and orchestration, brokering and event streaming, and any-to-any transformation are desirable for supporting multi-enterprise collaboration.
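The adaptive-authentication point above, that risk scoring must weigh every account and entitlement a credential can reach rather than only the one being opened, is illustrated here with an added example that is not part of the original post. The entitlement weights, thresholds, partner organization names and login contexts are constructed assumptions for the demonstration:

```python
from dataclasses import dataclass
from typing import List

# Constructed risk weight per entitlement (assumed values, not from the post).
ENTITLEMENT_RISK = {"read_catalog": 1, "submit_orders": 3, "approve_payments": 8, "admin": 10}

@dataclass
class Account:
    org: str                 # partner organization that owns the account
    entitlements: List[str]

@dataclass
class LoginContext:
    known_device: bool
    usual_geo: bool
    business_hours: bool

def entitlement_risk(account: Account) -> int:
    # An account is as risky as its most powerful entitlement.
    return max(ENTITLEMENT_RISK[e] for e in account.entitlements)

def aggregate_entitlement_risk(accounts: List[Account]) -> int:
    # Sum across every account the credential reaches: a stolen credential
    # exposes all of them, not just the one being used for this login.
    return sum(entitlement_risk(a) for a in accounts)

def contextual_risk(ctx: LoginContext) -> int:
    # The standard signals the post lists: device, geo, time of day.
    return (0 if ctx.known_device else 4) + (0 if ctx.usual_geo else 3) + (0 if ctx.business_hours else 2)

def decide(risk: int) -> str:
    # Assumed thresholds mapping a score to a required assurance level.
    if risk >= 20:
        return "deny"
    if risk >= 8:
        return "step_up_mfa"
    return "password_ok"

def per_account_decision(target: Account, ctx: LoginContext) -> str:
    # Naive scoring: looks only at the account being accessed right now.
    return decide(entitlement_risk(target) + contextual_risk(ctx))

def credential_decision(accounts: List[Account], ctx: LoginContext) -> str:
    # Scoring as the post recommends: aggregate of everything tied to the credential.
    return decide(aggregate_entitlement_risk(accounts) + contextual_risk(ctx))

# Constructed sample: one supplier login is linked to accounts in two partner orgs.
LINKED_ACCOUNTS = [
    Account("acme-logistics", ["read_catalog", "submit_orders"]),  # peak risk 3
    Account("globex-finance", ["approve_payments"]),              # peak risk 8
]
TRUSTED_CTX = LoginContext(known_device=True, usual_geo=True, business_hours=True)
SUSPICIOUS_CTX = LoginContext(known_device=False, usual_geo=False, business_hours=False)
```

With a trusted device, the naive per-account check on the low-risk logistics account returns "password_ok" while the aggregate check returns "step_up_mfa", because the same credential also reaches the payment-approval account.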
Third-party access has become a strategic and operational barrier for enterprises, threatening growth and cost efficiency initiatives. Consider modern solutions that can secure third-party access with the same rigor as employee access, yet are far more automated and scalable. Doing so will start you down the right path for securing “the new way to work.”
You can learn more by reading the Identity and Access Management solution overview or the Increase Resilience in Collaborative Financial Services white paper.