IT Brief Australia logo
Story image

Protecting endpoints (and users) that have left the office

30 Apr 2021

Article by ThycoticCentrify chief security scientist & advisory CISO Joseph Carson.
 

Today’s internet connection speeds mean there is little difference in responsiveness between cloud and on-premise applications. Just as well, given that so many in the workforce have left the office.

This massive shift since 2020 means protecting cloud services, cloud access, remote endpoints and data in transit has become just as important as safeguarding network perimeters. Endpoints are no longer the only devices people use, they’re also the applications that are now hosted anywhere and everywhere. This highlights that traditional on-premise network security solutions are not sufficient alone in protecting endpoints or remote users. The new security perimeter is with identities and privileged access.

Consequently, users now need a multitude of credentials and authentication methods to be able to access applications, many of which no longer sit behind the organisation’s firewall. That’s why solutions like single sign-on and privilege-based access security have come to the forefront. They help manage the complexities of authentication and authorisation without being a burden to users.

Throughout this shift, a classic mistake has been to approach cybersecurity from the standpoint of individual endpoints. A better approach is to begin with a comprehensive and continuous risk assessment of the data and applications with which they are accessed. That’s actually what cybersecurity is designed to protect. Our job is to help reduce the risk to the organisation’s business and help employees be successful.

There is another element that is often overlooked: employee education in cybersecurity issues. Educating users remains valuable, although human defences can never be the whole story in a risk-based cybersecurity strategy. After all, it is precisely what cybersecurity teams have been trying to do with varying degrees of success for 20 or 30 years.

That doesn’t mean we should stop trying, and cyber awareness training must evolve into awareness, behaviour and culture that is a long term ongoing cyber education strategy. We still want better-educated users to identify risks and report them, even if they can’t always prevent incidents. The more people you have on the front line that can report risks, the earlier you will know about them and the better you will be at reducing them or preventing them from turning into cyber catastrophes.

Background security controls

At the same time, we want to make sure that when users click on the wrong link, the security controls in the background will detect potential risks. They should bring critical information to the foreground that users need and report the incident for additional checks. The more we move security to the background, where we make security work automatically and seamlessly, the better it is for the user and the organisation. Security must be usable and help the employee be successful. 

It is not just enterprise users who connect to networks and introduce risk to an organisation’s systems and data integrity. Today many thousands of devices connect through a network: the Internet of Things (IoT) exists to a greater degree than many people imagine. Ensuring that machine security and identity is part of the risk assessment is now a critical part of cybersecurity practice.

Take, for example, an IoT network in which one device might drop off the radar then reappear a few hours later. In an intelligent, adaptive cybersecurity framework, such an event should raise a red flag until such a time as the reasons for the outage can be determined.

Aside from IoT devices and cloud applications’ redefinition as endpoints that need cybersecurity consideration, 2020 and 2021 have writ large the issue of bring-your-own-device or BYOD. Or perhaps that should bring your own disaster — or even, soon, bring your own office!

Introducing endpoint privilege management

Many millions of words have been written about the different ways in which organisations can help their users demarcate between work and personal applications or workloads on their laptops, smartphones and other devices. However, the new normal demands a more finely tuned approach, something we call endpoint privilege management (EPM).

It might be perfectly fine to authenticate with a username, password, and multi-factor authentication to access a work email. But if users want to access customer data, that level of security control is not satisfactory. Users can’t just move across and use the same security controls to access sensitive data. That’s referred to as ‘leveling up’, in the sense that users must satisfy more stringent security controls.

Even though the technology used in situations like this is exceptionally sophisticated under the hood, user simplicity is vital. Many years ago, one of my mentors told me that security should be like a light bulb or electricity. You hit the switch, and you don’t need to know the complexity in the background; it just works for you.