Identity and access management (IAM) solutions protect company data even when employees do not enter the office.
What are the security challenges of a remote workforce?
In an on-premise working environment, internal corporate IT teams usually control network security and the devices used to access that network. In addition, physical security teams have control over who is allowed into the office and who can access internal infrastructure.
However, as cloud computing grows in usage, distributed workforces are increasingly common. The cloud is location-agnostic since it is accessed over the Internet rather than an internal network. If a company uses the cloud, its teams can work from anywhere. “Working from home” is also increasingly an option, even for companies that have not moved to the cloud. Many companies allow employees to access their desktops remotely, either over the Internet or through a VPN.
Remote working often helps companies stay more efficient and agile, but it can also introduce several challenges for protecting sensitive internal data. Some of the biggest challenges are:
Employee endpoint devices may be vulnerable. IT cannot directly maintain the laptops, desktop PCs, and other remote workers’ endpoint devices. In many cases, these may be workers’ devices.
Access to data relies upon identity verification, which attackers can fake using a variety of account takeover attacks. Phishing attacks, credential stuffing attacks, and brute force attacks are all too common, and all of them can compromise an employee’s account.
Data may pass over unsecured networks. Using the Internet means there is a risk of attackers intercepting data in transit as it passes through various network connections. This risk increases when remote employees use unsecured or vulnerable WiFi networks. For instance, if a remote worker uses their work laptop from a coffee shop offering free WiFi or their home WiFi network has a weak password.
How can a remote work security policy address these challenges?
Several identity and access management (IAM) technologies can help mitigate these risks and keep remote teams secure while protecting sensitive corporate data.
Secure web gateway: Secure web gateways sit in between internal employees and the unsecured Internet. They filter risky content from web traffic to stop cyber threats and prevent data loss — for instance, they can stop employees from visiting unencrypted HTTP websites that send data over the web in plaintext. They can also block risky or unauthorized user behavior. Secure web gateways can protect employees working both on-premise and remotely.
Secure web gateways use DNS filtering or URL filtering to block malicious websites, anti-malware protection to prevent endpoint compromise, data loss prevention to detect data leaks, and other forms of threat prevention. Cloudflare Gateway, for instance, uses browser isolation to protect employee endpoints from malicious JavaScript.
Access control: Access control solutions track and manage user access to systems and data, which helps prevent data leakage. Implementing an access control solution ensures that employees do not have too much access to company systems and that no unauthorized parties are given access.
Single sign-on (SSO): Remote workers often rely on SaaS applications instead of applications installed locally on their devices, and they access these applications through a browser. However, logging into these applications separately incentivizes employees to use weaker passwords and makes user access harder to manage for IT. SSO lets employees sign into all their SaaS applications from a single login screen. This makes password rule enforcement easier since it must only occur in one place and makes it possible for IT to add or remove application access from a single point as needed.
Multi-factor authentication (MFA): Strong user authentication is essential for a remote working security policy because an employee’s physical presence in the office cannot verify an employee’s identity. Even the most robust passwords are subject to compromise, but MFA reduces the threat of account compromise even if an attacker obtains an employee’s password. By requiring at least one more form of authentication in addition to a password, MFA ensures that a user must be compromised in at least two different ways instead of one for an attacker to gain control of their account. This additional step makes attacks much less likely to occur.
For instance, if Bob’s corporate email account requires Bob to enter both a password and a code from an electronic key fob to log in, an attacker would have to digitally steal Bob’s password and physically steal his key fob to compromise his account. A successful attack of that nature is not likely.
