By Murali Palanisamy, Chief Solutions Officer, AppViewX
Since the onset of COVID-19 and a rapid increase in the hybrid working model in Spring 2020, the workforce has adjusted to the work-from-home life. Initially, the primary concern was whether the workforce could work remotely long term, but since then things have changed. Nearly two years later, many still work from home and have plans to maintain this workstyle for the long term. While a majority of workers use Company Owned and Managed Device (COMD), many have been using their own laptop, desktop, and smartphone or opted out of one provided by their employer especially when they don’t need VPN and use SaaS services- this has caused a plethora of concerns for cybersecurity and IT professionals.
Institutions typically install proper security measures on any company-owned device. When it comes to personal devices or BYOD, however, IT teams have less control and even less control when it comes to ensuring an employee complies with the policies. Since it’s a personal device, there are only so many measures that can be taken. It’s imperative that each organization has its own BYOD policy and proactively enforces this policy to avoid any unwanted intruders on its network. The following outlines three considerations IT and security professionals should consider when developing this policy.
In a recent survey with Vanson Bourne, it was discovered that 90% of organizations say MIM is a top priority in their organization now that the concern for cyber breaches has risen since the onset of the pandemic. While these organizations are headed in the right direction with the decision to use MIM as an IT framework for BYOD, there is still work to be done.
Organizations still face numerous challenges as they enhance their Machine Identity Management approach. Some of the concerns at hand as organizations begin to adopt MIM are:
- The complexity of ensuring that certificates are provisioned across all areas of their IT infrastructure – the complex number of devices being added due to the BYOD/hybrid work model has bottlenecked this.
- A lack of skill sets within their IT/security team when it comes to MIM – from the IT talent shortage to the skills gap, IT leaders are struggling to find new hires and maintain current employees. According to Gartner, 80% of organizations shared that they are having a hard time finding and hiring security professionals.
The Problem at Hand
What does this mean exactly? When it comes to protecting an organization’s network and data, there is a scale, and each organization can choose how aggressive it wants to be. For example, endpoint security allows bridged devices to stay connected but will still maintain and protect the network when under attack. By securing the endpoints or entry points, it is a much more difficult task for hackers to access the network. But this method is not flawless, and organizations fall victim to attacks through phishing, email attachments, accidental downloads and more. With this vulnerability in mind, cyber professionals have looked at additional ways to protect the network.
Machine Identity Management at Work
One method of security that is often overlooked is Machine Identity Management (MIM). Under every organization’s BYOD policy, MIM should be implemented, and employees should follow its best practices. This means having certificates for users and the machines to uniquely identify the machine – and those that are not identifiable are denied access. Despite the organization not owning the device, IT or the information security team is able to transfer trust to the device the employee owns with a digital identity that the user themself would manage. Having the ability to issue and revoke accessibility for the device is a critical step in managing who accesses the network without taking full control of employees’ individual devices. If at any time, an employee’s computer is lost, stolen, damaged or compromised, the employee himself or the IT will be able to revoke that device certificate and access will be denied.
A few best practices for BYOD that are recommended include:
- In a BYOD scenario the employee is trusted, and that trust is transferred to the device that he owns, in that scenario he should be able to revoke the device without having to manually interact with another team or person
- The Global Information Security team or Central team should be able to control the policy and access of any device from a single console especially during an incident
- A move to a short-lived certificate which is valid for 10/30 or 60 days with automated renewal and reissuance would be best especially when the devices are outside the perimeter.
- The Global Security team should be able to reissue and revalidate certificates across all devices within a short period of time maybe less than an hour that provides crypto agility.
The Enterprise, The Cloud, and MIM
With the cloud transforming the physical data center, and compute and data moving to cloud steps in which data is stored accessed has greatly changed. The pandemic has changed the retail office space and since the onset of COVID-19, the number of ransomware attacks has greatly increased due to BYOD being adopted by many. The attacks on major infrastructure have required security professionals to reevaluate steps to protect organizations. While these attacks may have not been instituted by BYOD entry, IT professionals have agreed that it is critical to look at every vulnerable access point and address it.
While BYOD has been around for years, the IoT visibility gap has led to difficulty for organizations running in multiple cloud environments. Maintaining security measures across each cloud environment plus the relationships between each environment and every device in the network has become quite the challenge, especially when numerous devices were introduced as part of work-from-home amidst the pandemic. Many organizations are still playing catch up when it comes to distributing and revoking certificates as they work to identify the number of devices added to their network in mid-2020.
To get ahead and quickly make way with MIM efforts in the cloud for BYOD, it is recommended that organizations:
- Create central visibility of all the issued identities
- Define a central policy that can be audited, reported and enforced across hybrid environments
- Have an out-of-band validation option which can audit and report on compliance of identities
The overwhelming stress a ransomware attack puts on an organization including the reputational impact, requires that security teams put an assertive BYOD policy into place to protect the network and greater organization. As we look back on lessons from 2021, the pandemic and remote workforce has made organizations more vulnerable to unwanted invaders. As attacks in sophistication, the steps taken to block them should evolve as well. With MIM implementation – organizations are one step closer to protecting their networks.
