This article is based on a panel discussion at ChannelPro’s 2020 Cybersecurity Online Summit.
“DUMPSTER FIRE” is how cybersecurity expert Ian Thornton-Trump describes the state of post-perimeter security as businesses of all sizes cope with how best to secure remote employees in what could be a permanently altered workplace in the wake of the coronavirus pandemic.
Consider the obstacles: An August 2020 Netskope report found a 148% rise in remote workers due to COVID-19—and a 161% increase in visits to high-risk apps and websites, as personal use of managed devices nearly doubled. Moreover, according to a December 2020 Qualtrics and PwC study, over 65% of all IT executives say at least a quarter of their companies will continue to work remotely permanently.
The traditional perimeter was already shifting pre-COVID as more businesses moved to the cloud, but now it has “disintegrated” as IT departments and managed service providers are supporting personal computers and home networks that are in various states of security (or lack thereof), says Thornton-Trump, chief information security officer for Cyjax in the U.K. and CTO of Octopi Managed Services in Canada. “Their jobs have tripled or quadrupled overnight in terms of the security requirements,” he notes.
Michael O’Hara, owner and principal consultant of MEDSEC Privacy Consulting, uses this analogy: The “perimeter” used to be contained, like a glass of water. “It was something that I could easily control. … I could see if any contaminants were coming in or out of it. And it's something that I could manage with not a lot of effort.” Flash forward to today, he says: “You're trying to manage 10,000 glasses of water.”
Clearly, securing users in the age of work from home (WFH) requires rethinking security as well as adopting some new tools and techniques.
Today security risk is everywhere. “It's at Starbucks. It's at that Cox Cable home internet connection. It's at your Wi-Fi connection. It's at your cell phone acting as a hotspot connection. And let's not forget the tried-and-true social engineering,” O’Hara says.
Add to that your business partners and “every IP address and every endpoint that possibly is connecting to us,” says Thornton-Trump.
One challenge is that with data so distributed and dynamic, businesses may not be able to collect and monitor all suspicious activity from end-user devices, cloud services, on-premises services, and so on. Another is the lack of risk models for WFH computing.
“Nobody thought for an instant that an entire business function would now be dependent on residential-grade internet,” says Thornton-Trump.
In addition, businesses must balance their security posture with privacy issues. “What tools can an enterprise put on that personal network and on that personal PC to monitor it?” O’Hara asks. “The home network is an asset that does not belong to the enterprise.”
Compliance is yet another challenge. Any network that is collecting or processing credit card information, for instance, falls within the scope of PCI DSS requirements. “If you were tasked with having to run somebody's credit card to handle an outstanding invoice, and you were doing it from your home personal network, even over remote desktop, we don't take that into account in terms of the hard and fast PCI DSS standard,” Thornton-Trump notes. “That whole network now has to be PCI DSS compliant.”