The dramatic force of change, driven by the coronavirus, and the resulting mass migration of workers, students, and others to a home-based existence is unprecedented. The COVID-19 pandemic has prompted enterprises to mobilize around work from home (WFH) to slow the virus’ spread, care for employee well-being, and ensure business continuity. With WFH mobilizations, IT security operations has been strained to ensure:
- Control: Since enterprises lack logical and physical control of managed and unmanaged devices and their access networks (e.g., home Wi-Fi), remotely enforcing corporate-defined security policies at these control points may not be possible.
- Consistency: Pre-WFH mobilization, end-user devices and networking components were standardized based on IT-defined specifications. In post-WFH mobilization, exceptions multiply and so too do the challenges in maintaining a consistent set of device, identity, data, and infrastructure policies for secure operations.
- Visibility: In the absence of a virtual presence on end users’ devices and their access networks, security analysts are sensory deprived. Security teams may be challenged to identify shadow IT and anomalous activity by end users and attackers, because telemetry used to build storylines of multistage attacks and compromised systems is not as plentiful. Consequently, detection and response times lengthen and post-incident, systemwide removal of adversaries’ silent malware and backdoors becomes less certain.
- Support: IT teams are also dislodged from their traditional work environments and routines, which impacts their ability to support end users. For example, as IT frequently has hands-on responsibilities in endpoint security (e.g., maintaining device inventory, deploying security agents, patching systems, scanning for software vulnerabilities, and configuring device, DNS, proxy, and host security settings), systematic follow-through on these responsibilities across a suddenly more diverse and remote IT footprint may suffer.
Eventually, though, we will get past COVID-19. Our leadership, peers, and employees may or may not return to the office. One certainty is that the COVID-19 work-at-home migrations have changed the way we work forever.
What Happens to Security After COVID-19?
Security teams have responded to the pandemic with “break glass” approaches to get employees up and functioning. Time was not our friend, so the bar to cross was “functional,” not “optimal.” The time is now appropriate for us to reconsider our approach to employees, authentication, and remote access, as the COVID-19 WFH mass migration has made us aware that our approaches to remote access were designed for a different reality.
In 2017, we advocated for a new approach to user authentication. Our argument was that technology has changed, connectivity has improved, and mobility and cloud have dramatically increased the need for authentication; therefore, our definition of and expectations for authentication also need to change. IDC thus defined and advocated for a new approach to authentication, designating the term modern authentication. Modern authentication has the following primary attributes:
- A modern, simplified user experience
- Authentication appropriate to the risk mitigated
- Solution centric
- Invisible authentication whenever possible
Passwordless Modern Authentication
As companies look to move to Modern Authentication, they are often passing on multifactor authentication (MFA) and moving straight to passwordless. Let’s face it: the password component of MFA adds no value. Why have it? Some companies are using the passwordless banner to completely rethink the way they provision worker access, an especially timely topic as we look forward to a post-COVID-19 reality. IDC holds Microsoft up as an example.
At Microsoft Ignite 2019, Microsoft presented its passwordless initiative for its internal users. Considering the company has more than 200,000 employees and is far from a homogeneous client OS environment (Microsoft supports everything from Windows to macOS to Linux derivatives), the case study is illustrative of one of the most challenging enterprise IT environments. For example, a little-known fact is that Microsoft is the fifth-largest “Mac shop” globally.
The passwordless initiative is an enabler of a zero-trust push. The approach is straightforward: strong identity + device health + least privileged access (verified with telemetry). The approach has six components:
- Identities: Verify and secure each identity with strong authentication across your entire digital estate.
- Devices: Gain visibility into devices accessing the network. Ensure compliance and health status before granting access.
- Applications: Discover shadow IT, ensure appropriate in-app permissions, gate access based on real-time analytics, and monitor and control user actions.
- Data: Move from perimeter-based data protection to data-driven protection. Use intelligence to classify and label data. Encrypt and restrict access based on organizational policies.
- Infrastructure: Use telemetry to detect attacks and anomalies, automatically block and flag risky behavior, and employ least privilege access principles.
- Network: Ensure devices and users aren’t trusted just because they’re on an internal network. Encrypt all internal communications, limit access by policy, and employ microsegmentation and real-time threat detection.
The idea of taking data and applications off the corporate network (unless they are mission critical) and essentially making the internet an individual’s core network connection is a bit surreal to hear from Microsoft; nevertheless, the transition is very real. Corporate network access is a feature of a LAN-centric past, adding complexity to least privilege access controls. Retrospectively, Microsoft has discovered that such access is only a requirement for a small minority of its users.
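To make the “strong identity + device health + least privileged access (verified with telemetry)” formula concrete, here is an added toy conditional-access evaluator. It is illustrative code written for this article, not Microsoft’s or IDC’s; the app policies, authentication-strength ranking, and sample requests are all constructed assumptions. Note that the request’s network location is recorded in telemetry but never grants trust, matching the Network component above.

```python
"""Added example: a minimal zero-trust access decision combining
authentication strength, device health and least-privilege entitlement,
with every decision recorded as telemetry. All policy values are constructed."""
from dataclasses import dataclass

# Constructed ranking: password alone is weakest, passwordless (e.g. a
# phishing-resistant hardware credential) is strongest.
AUTH_STRENGTH = {"password": 0, "mfa": 1, "passwordless": 2}

# Constructed per-application policy: minimum auth strength, whether a
# healthy/compliant device is required, and the roles entitled to the app.
APP_POLICY = {
    "payroll": {"min_auth": 2, "device_compliant": True, "roles": {"hr"}},
    "wiki": {"min_auth": 1, "device_compliant": False, "roles": {"hr", "eng", "sales"}},
}

TELEMETRY = []  # every decision, allow or deny, is appended here


@dataclass
class AccessRequest:
    user: str
    roles: set
    auth_method: str
    device_compliant: bool
    on_corp_network: bool  # recorded only; being on the LAN grants nothing
    app: str


def evaluate(req):
    """Return ("allow" | "deny", reasons). Unknown apps are denied by default."""
    policy = APP_POLICY.get(req.app)
    reasons = []
    if policy is None:
        reasons.append("unknown app: default deny")
    else:
        if AUTH_STRENGTH.get(req.auth_method, -1) < policy["min_auth"]:
            reasons.append(f"auth '{req.auth_method}' below required strength")
        if policy["device_compliant"] and not req.device_compliant:
            reasons.append("device not compliant")
        if not (req.roles & policy["roles"]):
            reasons.append("role not entitled to app")
    decision = "allow" if not reasons else "deny"
    TELEMETRY.append({"user": req.user, "app": req.app, "decision": decision,
                      "on_corp_network": req.on_corp_network, "reasons": list(reasons)})
    return decision, reasons


if __name__ == "__main__":
    # A password-only login on the corporate LAN is still denied for payroll.
    print(evaluate(AccessRequest("bob", {"hr"}, "password", True, True, "payroll")))
```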
Moving Forward with Passwordless Modern Authentication
Although arguably not the primary driver, the reduction of help desk tickets was noted. Password resets are the number one source of help desk calls, totaling approximately 28,000 tickets a year, followed by VPN issues, which add another 13,000 yearly calls. Both go away in Microsoft’s passwordless/zero-trust future.
Microsoft provides the following key considerations in getting started down a passwordless journey:
- Collect telemetry and evaluate risks, and then set goals.
- Get to modern identity and MFA.
- For conditional access enforcement, focus on the most-used applications to ensure maximum coverage.
- Start with simple policies for device health enforcement such as device lock or password complexity.
- Determine your network connectivity strategy.
It should be noted that Microsoft is not the only, or even the first, company to rethink employee access. In 2011, BeyondCorp began as an internal Google initiative to enable every employee to work from untrusted networks without the use of a VPN. Google was thus prepared for a work-at-home exodus.
Disrupt yourself before you get disrupted! The larger point is that as awareness is high, the time is now to reconsider the way we enable and secure user access. Companies like Microsoft and Google have been proactive and are reaping the benefits.