As businesses shifted by the millions to remote work to slow the spread of COVID-19, IT teams first focused on endpoint and network management. Now past that initial scramble, enterprises should broadly reconsider their approach to SecOps.
“We are just starting to see people become aware that there’s change management that needs to go on,” said Miten Marvania, COO at Agio Inc, an IT managed services firm based in New York. “Businesses without proper [VPN] licensing had to make compromises to let more people in, and they let their guards down a bit.”
VPN capacity and licensing expansion to accommodate more remote workers didn’t necessarily follow IT security best practices, given the pressure to do it quickly, Marvania said.
“[Businesses] aren’t ensuring the endpoint computer has all the necessary components built into it like advanced endpoint protection or encrypted disks, [and] they may bypass DLP mechanisms that were built in,” he said. “There’s tremendous exposure to data loss right now where [tech leaders] were under pressure from business leaders to get up and running, and bad actors know about it.”
End users the weakest link in remote work security
Mitigating remote work security risks doesn’t necessarily require extensive technical effort. What’s most important is educating end users, Marvania said, which can help protect companies from an uptick in phishing attacks that’s occurred during the pandemic. Phishing protection tools are being updated to look specifically for COVID-19-related solicitations from bad actors, but end users must also be aware of the risks of clicking on potentially bad links, Marvania said.
Miten MarvaniaCOO, Agio Inc.
“End users are your biggest [security] exposure — there’s a tremendous amount of information that’s being distributed to consumers,” he said. “People have a hard time knowing how much of that is from someone they trust and know and how much is from bad actors trying to exploit current [events].”
Market research confirms that the risks posed by end users’ lack of IT security savvy can be serious. A survey by research firm Pulse Q&A of 100 IT leaders polled between March 23 and 28 showed that 21% of company leaders still store their passwords on their computers, and 23% of execs are still using easy-to-guess passwords, such as their pets’ names. The same survey showed that businesses also began to shift spending in the first quarter of 2020 on tools that could help them address remote work SecOps — 60% of respondents anticipated their cybersecurity spending would go up 6-10% with the shift to remote work.
One firm, NTT Data Services, a subsidiary of NTT Data Group based in Plano, Texas, initially bypassed end user training and add-ons to endpoint security software tools. Instead, at the outset of the pandemic it shipped remote workers endpoint systems preconfigured to manage security risk. The company has also issued more frequent updates and patches to endpoint systems and mandated the use of strong passwords.
“We can send end users a self-configuring device, or one that’s preconfigured when it arrives,” said Eric Clark, chief digital officer at NTT Data Services. “The problem then becomes the supply chain for devices, and the fact that there may not be enough devices available.”
In these cases, NTT’s IT teams must provide remote support, which has led to overwhelming spikes in IT service desk demand. Here, again, solving the problem comes down to educating end users — not just about security risks, but about what’s available to them through self-service portals.
“Twenty-five to thirty percent of our ticket volume could have been handled in self-service if end users were aware of their self-service options,” Clark said. “We need to make sure that the right communication is going out to the users so that they understand that.”
The pros and cons of SaaS for SecOps
Many organizations have leaned on SaaS providers for videoconferencing, productivity and collaboration tools to keep remote workers connected, and these tools have presented fewer scalability obstacles than traditional VPN access to on-premises corporate networks. However, these services, most notably Zoom videoconferencing, come with their own security risks, and the rush to use them last month also made end users prone to overlooking security best practices.
“So many companies, in desperation to keep the lights on, put security on the back burner, and tried to implement unified communications or collaboration tools without talking about the privacy and security ramifications,” said Chris Steffen, analyst at Enterprise Management Associates. “Now it’s coming back to bite them in the butt.”
Zoom, for example, has mandated passwords for all meetings on its platform, previously an optional feature, in response to reports of “Zoom bombing” where trolls entered Zoom meetings and posted inappropriate or obscene material. The company has also come under fire for sharing user data with social media platforms such as Facebook and LinkedIn.
Such consumer-focused problems have gotten the most publicity. But companies may remain unaware of corporate security risk that may come with such platforms, and what they must do to mitigate it, Steffen said. For example, videoconferencing tools may record sessions and retain the ability to decrypt them, or store them in repositories that don’t follow a company’s data residency requirements, which corporate customers might not understand or know how to reconfigure.
Chris SteffenAnalyst, Enterprise Management Associates
“There are 20 of those tools out there, and it’s time to start remembering that GDPR and CCPA aren’t going away,” he said. “I’m not trying to be insensitive, but as a security professional you have to keep thinking about the long-term best interests of your business, and spur-of-the-moment decisions aren’t in that long-term best interest.”
Similarly, IT teams shouldn’t become complacent about the security risks that come with remote worker access to corporate data centers via VPN and RDP. In fact, the U.S. Department of Homeland security issued a warning on March 13 about a rise in attackers exploiting VPN vulnerabilities during COVID-19, and other security experts have uncovered risks in improperly configured RDP.
“In general, the tech industry has reacted pretty well, but we’ve seen issues,” said NTT Data Services’ Clark. “Where things have been easiest has been where companies had already been using public cloud – they haven’t had new issues around uptime or security, but people who were running their own data centers and the people running them had to all of a sudden figure out how to work from home, they suddenly had new challenges and concerns.”
Despite SecOps concerns that may accompany a hasty shift to SaaS, companies will reduce their dependency on specialized workers who run applications in private data centers as a result of the pandemic, Clark predicted. Instead, he expects NTT clients to expand their use of IT automation and public cloud services to reduce remote work risks in the long term.
IT pros ditch VPNs for cloud-based identity management
NTT Data Services itself has moved away from VPNs for remote access to IT assets, whether they’re managed on-premises or in public clouds. Over the last 18 months, the company has started to roll out identity and access management as a service and single sign-on from Okta and begun to resell Okta tools to its managed services clients.
“Having an internet-accessible single sign-on system means we don’t have to worry about how we allow workers from 38 countries to come back into some remote-access version of NTT Data,” said Steve Williams, CISO at NTT Data Services. “The same single sign-on you used at the office is now available in your home, a Starbucks, wherever you might find yourself having to work from, and I don’t have to change my security paradigm.”
NTT Data Services and Okta are working to expand the use of the identity management system beyond web apps in public and private clouds, to support IoT and smart building services the company manages as well. NTT’s Williams said he’s also looking forward to testing out recent integrations between Okta and various endpoint management and security vendors.
“Okta is kind of the center of the universe for us in making identity decisions, but we also need to be able to interface with something like Tanium or a similar product to tell me more about where a user is coming or what device they’re using,” he said.
Other companies have made similar moves away from VPN-based remote access using a combination of open source Okta alternatives such Google Cloud’s OpenID Connect and single sign-on (SSO) utility Pomerium, and also found such systems much more conducive to remote work.
“I got rid of the VPN a while ago — my people use an SSO proxy,” said Zach Dunn, senior director of platform operations and CISO at Optoro, a software company that manages return logistics for retailers in Washington, D.C. “It doesn’t matter if they’re in an office, coffee shop or at home, they’ve always been quote-unquote ‘working remotely’.”
Pomerium helps Dunn keep an audit log of user activities on cloud resources for compliance, and using cloud resources eliminates most worries about capacity, he said.
“The entire company decided to go work from home and no one’s opened a support ticket or said, ‘I can’t get to X, Y and Z,’” he said.