We are coming up on a year of pandemic lockdowns and enforced home working. We have seen companies of all sizes make massive changes to their ways of working to cope with this and seen security teams coming to terms with the changes. Physical security has suffered – Pro-Vigil reports that the number of physical security issues has gone up by 20% in the past year and that 40% will make changes to their security approach during 2021.
The big change has also brought up some major assumptions that company security teams have made in the past. The biggest of these is identity. With so many employees working from home for the foreseeable future, the role of identity management has shifted to online only.
Where physical and IT security cross over
Cybersecurity and physical security both have the same core goals – to keep out those not authorised and to maintain security for company information. While both play out in different ways, there are some areas of overlap.
Identity management is one such area. For IT teams, knowing who someone is and what assets they can access on a company network is essential. Provisioning access, changing it when roles change and deprovisioning when someone leaves are daily tasks. When COVID-19 initially struck and lockdowns were put in place, IT teams at companies large and small scrambled to provide remote access to IT systems and applications.
This switch showed something that many IT teams take for granted around physical access control: if you are on the network, then you must be who you say you are. Physical security therefore acts as a factor for authentication in the same way that a username and password combination does. After all, if you can’t get into the building, then you can be denied access to the network and any assets that are connected to it.
Today, with so many people working from home, there is no physical perimeter to play that role. Instead, employees are working from a mix of company PCs and their own computers. They may be working from their phones or tablets. They may be stuck at home or they may have some ability to roam based on where they live in the world. And they are relying on IT security to keep them secure while they work.
Managing identities based on context
There’s an old New Yorker cartoon with the caption, “On the Internet, no-one knows you’re a dog.” We have the same situation taking place for employees. The one constant that still exists for users – their identity – is now less reliable than it was before as it does not have the physical security element backing it up. In essence, it’s a lot easier for someone to get access to company information than it was before. While trying to get into a business when you are a dog is difficult, it’s a lot easier when everyone is remote.
At the same time, we don’t want to make getting access harder and more intrusive. Employees can be working in cramped or noisy situations at home where they are under more stress and faced with more issues taking place simultaneously. If we make security too hard, then people will either find ways around the rules or complain vociferously. To solve this problem, we have to think about the components that make up our identities today and then look at how they can be used to confirm that people are who they say they are. This follows an approach called Zero Trust, where each element has to be verified before providing access.
There are four elements involved here and each one can be used to provide context. The first is the user themselves, which covers the user’s account and how they get access. The most common approach is to supply a username and password, which then gets checked against a directory to provide access to the network. These credentials are then used to provide authorisation to get into applications or files. Users may also have to authenticate themselves into applications from the cloud.
The second element is location, or where the user is physically located when they try to gain access. Before COVID-19, this might be split between the company network and remote access on occasion; today, the majority of employees will be remote for the majority of the time. This situation will not change in the near future, if at all – companies like Google have said they will not return to their campus locations until at least September 2021, while others like Twitter and Facebook have moved to remote work permanently.
Managing location data means looking at the network and IP address that a user is on at a given point in time. When an employee connects from home using WiFi, they will be on their home network and IP. Similarly, if an employee uses their phone as a WiFi hotspot and tethers to their mobile broadband, they will be using an IP address linked to their network provider. This person could be in the same physical location, but the IP address they present each time they access company data or systems could be very different.
At the same time, there are ways to use IP addresses to stop access. If an employee lives in London and a request using their username and password comes in from Sydney, Australia, then the request may well be fraudulent. Equally, while people may move for work on a regular basis, you can apply some realistic filters to stop access requests that would not be possible in the real world. For example, your employee may be on a work trip in the future and access services from San Francisco. However, getting another request for access from Mumbai sixty minutes later would mean that one of those requests is fraudulent.
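The "realistic filter" described above is usually called impossible-travel detection. The following is an added example, not code from the article or from JumpCloud: it assumes each sign-in has already been geolocated from its IP address, and the speed ceiling, distance floor, user name and sample log are all constructed for illustration.

```python
import math
from datetime import datetime

MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling, roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0      # assumed floor: same-area hops (home WiFi vs tethered phone)

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * 6371.0 * math.asin(math.sqrt(a))

def impossible_travel(events):
    """Return (from_city, to_city, km, kmh) for consecutive sign-ins per user
    whose implied speed exceeds MAX_PLAUSIBLE_KMH."""
    findings, last_seen = [], {}
    for ev in sorted(events, key=lambda e: e["time"]):
        prev = last_seen.get(ev["user"])
        last_seen[ev["user"]] = ev
        if prev is None:
            continue
        km = haversine_km(prev["lat"], prev["lon"], ev["lat"], ev["lon"])
        if km < MIN_DISTANCE_KM:
            continue  # different IP, same place: not a travel signal
        hours = (ev["time"] - prev["time"]).total_seconds() / 3600
        kmh = km / hours if hours > 0 else math.inf
        if kmh > MAX_PLAUSIBLE_KMH:
            findings.append((prev["city"], ev["city"], round(km), kmh))
    return findings

def _ev(user, time, ip, city, lat, lon):
    return {"user": user, "time": datetime.fromisoformat(time), "ip": ip,
            "city": city, "lat": lat, "lon": lon}

# Constructed sign-in log (UTC); IPs are documentation ranges, coordinates are city centres.
SAMPLE_EVENTS = [
    _ev("amy", "2021-03-01T09:00:00", "203.0.113.10", "London", 51.5074, -0.1278),
    _ev("amy", "2021-03-01T09:20:00", "198.51.100.7", "London", 51.5074, -0.1278),
    _ev("amy", "2021-03-02T18:00:00", "192.0.2.44", "San Francisco", 37.7749, -122.4194),
    _ev("amy", "2021-03-02T19:00:00", "192.0.2.200", "Mumbai", 19.0760, 72.8777),
]

if __name__ == "__main__":
    for src, dst, km, kmh in impossible_travel(SAMPLE_EVENTS):
        print(f"impossible travel: {src} -> {dst}, {km} km at {kmh:.0f} km/h")
```

The London sign-ins from two different IPs are ignored, and the London to San Francisco trip a day later is plausible; only the Mumbai request an hour after San Francisco is flagged.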
Applying more contextual approaches
Another area for context is the device that someone might use. If you have to be strict, you can enforce rules that only company-issued devices like laptops can be used for work. Pre-COVID-19, employees could be limited to the machines issued to them that spent their working lives in the office, for example. Today, that is not as easy. While many employees could take their equipment home with them, others have to use their own machines for work.
These assets may not exist in a formal IT asset database, but they can still be used for work. However, this does make it harder to manage identity. Approaches like device fingerprinting and agents can help, as employees can install software to show which machines they will use and then be recognised when they attempt to gain access.
Today, there are many more devices that users can have. Operating systems like macOS and Linux are becoming more popular alongside Windows, for example, while tablets and phones are also used for work. Employees may use different devices depending on their work tasks and situation. Managing all this can be a headache, particularly if you have multiple different operating systems in place.
In order to manage all this effectively, we have to think about context and how to create rules that will make it easier for employees as well as keeping security in place. As an example, one set of employees will only work from home during the pandemic with a company device. This cohort can therefore be restricted to using that device for work and any other attempts to get access can be denied. While whitelisting individual IP addresses may be overkill, stopping access from other places in the world is an easy rule to put in place.
Other employees may be able to travel and this set of rules may not suit them. Instead, they should be allowed to access their services from anywhere, but they should have to use second factors of authentication in order to complete their requests. This conditional access approach is about making it as easy as possible for employees to work, but also not trusting any individual account on its own.
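The two cohorts described above can be expressed as a small conditional access evaluator. This is an added example, not code from the article or from JumpCloud; the user names, device IDs, cohort labels and country codes are constructed, and the request's country is assumed to have been resolved from its source IP upstream.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_id: str
    country: str      # assumed to be resolved from the source IP upstream
    mfa_passed: bool

# Constructed directory data: cohort per user, plus the restricted cohort's
# registered company devices and permitted countries.
USERS = {
    "amy": {"cohort": "home_only", "devices": {"LT-0417"}, "countries": {"GB"}},
    "raj": {"cohort": "traveller"},
}

def decide(req):
    """Return (decision, reason); anything not explicitly permitted is denied."""
    profile = USERS.get(req.user)
    if profile is None:
        return ("DENY", "unknown account")
    if profile["cohort"] == "home_only":
        # Restricted cohort: company device only, and only from permitted countries.
        # A passed second factor does not override either check.
        if req.device_id not in profile["devices"]:
            return ("DENY", "unregistered device")
        if req.country not in profile["countries"]:
            return ("DENY", "outside permitted countries")
        return ("ALLOW", "registered device in permitted country")
    if profile["cohort"] == "traveller":
        # Mobile cohort: any location, but the password alone is never enough.
        if not req.mfa_passed:
            return ("REQUIRE_MFA", "second factor required")
        return ("ALLOW", "second factor verified")
    return ("DENY", "no policy for cohort")

if __name__ == "__main__":
    for r in (AccessRequest("amy", "LT-0417", "GB", False),
              AccessRequest("amy", "HOME-PC", "GB", True),
              AccessRequest("raj", "PHONE-88", "US", False)):
        print(r.user, r.device_id, r.country, "->", decide(r))
```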
One day, we will be able to go back into the office and there will be more flexibility around how and where we work. To support this, we have to understand the balance that exists around our identities, how we want to work and how we have to keep ourselves secure. By applying some of the lessons that we have learnt due to the pandemic, we can make better use of our identities and improve security.
By Bill Mrochek, Head of Product, JumpCloud