In a connected, but still remote, world, employees are logging in from countless devices and locations. Behaviors that were once uncommon – like accessing the corporate network on multiple or personal devices – are commonplace today. Driven by the expansion of a remote workforce, COVID-19 work-from-home orders and an exploding SaaS market, organizations everywhere are trying to adjust to these shifts.
But real leaders never waste a good crisis. Instead of just adapting to this disruption, businesses can use it to future-proof their operations, lock-in long-term savings, streamline infrastructure and vendors, strengthen their security and recruit a better, more diverse team.
One major component of realizing those advantages and optimizing for the next normal is developing a risk-based approach for identity and access management (IAM) that learns from users’ behavior, environments, and other threat signals to ensure that the right users gain access to whatever they need, whenever they need it.
Enabling Remote Work
Expanding multi-factor authentication (MFA) for all users is a post-pandemic priority for many organizations. Whether they’re doing it proactively or if they’re being dragged through this change just to ensure continuity of operations, organizations recognize the necessity of taking this leap: when nearly all your users are working remotely, you need an IAM strategy that encompasses everyone, not just ‘high-risk’ users like network administrators.
As businesses roll out MFA, user experience becomes even more important; it must be empowering, convenient and flexible. The solution needs to account for diverse (and possibly less tech-savvy) users who might now access enterprise resources on personal devices and on personal networks. One size won’t fit all.
Moreover, how an organization protects its information matters, too. A virtual private network (VPN) isn’t enough, because much of your most sensitive information now resides outside the corporate perimeter, on employee laptops and in the cloud. Finally, you’ll also need to ensure that your IAM strategy supports both on-premises and cloud resources – and that your vendors, suppliers and other partners can access the applications they need.
The Benefits of Smart IAM
Ensuring that all your employees, vendors and partners can access the tools they need to work together is an important starting point in a post-COVID world. But it’s really just that: the bare minimum that organizations must do today to get by.
Businesses can do a whole lot more – and get a much bigger ROI – by building for the future today. Remote work is working, and early adopters are changing the ways they hire and budget for office space. As these changes become baked in to the future of work, businesses need to adjust their IAM strategies accordingly by replacing traditional perimeter security with application-level access controls and next-generation control points like CASB or SASE. Doing so increases your remote workforce’s productivity without sacrificing security.
To make this change, organizations must examine their working assumptions about users’ behavior. In the past, security teams assumed that most users would be in the office and working on the corporate network most of the time. Back then, you could rely on static access policies that always treated users working from a corporate campus with a high degree of confidence.
Security teams relied on office locations and typical business hours to create norms – and they could find deviations from those norms fairly quickly. But the new normal is no normal – every employee has become a branch office of one. Defining access policies that assume one fixed location for the majority of employees is a losing battle.
Evolving from Conditional Access to Dynamic Access
Instead, organizations need smart IAM that learns each user’s many different normals. Another way of putting it: businesses should evolve from static or condition-based access to dynamic access, enabled by real-time decisions that are application-, context- and risk-aware. By following industry trends and embracing a zero-trust model, organizations can continuously validate and learn from their users’ behaviors.
Organizations should consider three elements to any dynamic, risk-based approach:
First, employ smart IAM solutions that use machine learning to develop an understanding of each user’s normal patterns of access. With a remote workforce, the where, when, what and how will be very different for every user. Any solution must be able to adapt to changes in user behavior over time and accommodate legitimate deviations (e.g., user access while on vacation).
Next, look for suspicious patterns that could indicate a threat. These patterns could be user-specific, such as an excessive number of failed logins, recently changed email addresses or an unrecognized mobile phone number used for account recovery. You can also find patterns by correlating information across the system, such as multiple consecutive failures across multiple accounts from the same IP address. Ground-speed violations are another pattern that could indicate something is amiss: if I authenticate from New Hampshire at ten A.M. and then register as working in California at eleven, then I’ve moved faster than is physically possible – and my IAM system should register that ‘movement’ as a threat.
Finally, corroborate individual user norms and broader patterns with external threat intelligence signals. Positive signals may increase the level of trust (e.g., validation through a telco that the mobile phone belongs to the user) while negative signals may decrease the level of trust (e.g. passwords that have appeared in a data leak; IP addresses used in previous fraud attempts).
Importantly, as GDPR, CCPA and other data protection laws take effect, businesses must be mindful of what personally identifiable information (PII) they’re collecting and how they’re using it. Good, risk-based IAM strategies account for these regulations; they’ll create secured, encrypted and tokenized records that can’t be connected to individual employees.
Increased productivity, enhanced security and decreased costs are all real advantages for organizations that evolve and embrace dynamic access. By leaning into this disruption, businesses can adapt to this new normal and thrive in the next normal.