According to a Gallup 2017 survey, last year almost 43% of working Americans spent some time by working outside of their offices, while it also has been forecasted that approximately half of the UK workforce will work remotely by the year 2020.
Remote working will allow a business to become more dynamic and flexible, and a necessity to remain competitive in the recent years. You can also be confident that many of the businesses in the UK have recovered a lot of lost hours during February snowstorms which allowing the workers to log in from home slightly wasting hours stuck in the traffic.
The pervasive use of bringing your own device (BYOD) policies has also been helping escort in the age of some remote worker. The capability for the employees to access some cloud-based apps with their own smartphones and laptops which means that companies will no longer have to invest affluence in some new devices only to enable a mobile workforce.
However, this courageous new world has also been created some latest security challenges which necessitating a new strategy which is based on a perimeter-less, “zero-trust” approaches. This model will move on from the old school of thought that only users or devices within the corporate network should be easily trusted, and ending with the very idea of a definite corporate perimeter.
Cyber-Criminals Exploiting New Open Working World
Most of the enterprises allow their remote workforce to access work applications via Virtual Private Networks (VPNs). And once they are within the corporate network throughout the VPN, then they are considered as “trusted.”
Many of the strict data breaches involve the attackers who are taking advantage of this VPN-dependent approach to access. The attackers will easily gain access to the corporate network by either stealing the login information through the strategy such as phishing or by compromising the end user’s device through the malware.
Once the attacker logs into a VPN approach, then they can creatively move within the network and ultimately gain access to the critical data and also cause a data breach. The approach of trusting a device or a user, only because they are coming from a corporate network that is becoming outdated.
However, leading the shift away from the VPN approach and towards a perimeter-less era is a Google’s BeyondCorp framework which will set into the practice and grant them access to every work application which is based on verifying the trust of the user and device.
Although, the approach moves access towards the security verifications and direct controls from the network to an application. The model was developed in answer to the Operation Aurora, one of the Chinese attack campaign which gained access to the corporate data by more than 30 companies in the year 2009.
BeyondCorp is based on the principle that an access request for a work application from inside an enterprise network is as risky as an access request coming from utter a Starbucks or public Wifi spot.
Policies to Risk-Based Security
A central belief of this new perimeter-less approach is the new concept of trusted the access, which establishes, that only the trusted devices and users can access to the sensitive, restricted files and also applications irrespective of where exactly the access request is coming.
The Identity verification measures such as the two-factor authentication should be used as an average to confirm that the user is legitimate and not a pretender with some stolen credentials. Similarly, the device itself must be established healthy and not unsafe.
For example, allowing your computer or any other device with an unpatched, some out-of-date operating system to access mission-critical work applications which is very unsafe and should also be blocked. Some of the popular applications such as Adobe Flash and Oracle Java have numbers of vulnerabilities if they are not patched properly.
Some of the organizations are moving to the new model where the trust of the device and users are verified whenever they are trying to access an application. The modern adaptive or risk-based solutions have made it easy for some of the end user by reducing resistance and asking for some additional steps of verification when necessary.
Additional popular policies which enforced by the several organizations around the country or IP address. If any of the access requests are coming from a country where you do not have any of the business operations or might be from a known malicious IP address, then the request can be denied automatically.
The ability to implement these risk-based policies in every work application irrespective of that how the application is hosted, locally in the data center or some public cloud or software as a service (SaaS) app is a key factor.
However, with a zero-trust approach, it is becoming much easier for the organizations to balance the security and also ease of use for the end users. While the heave of war between these two given concepts will remain to continue, allowing the users to have friction-less access to the every work application and some of them is asking for additional the verification only, so when it needed just provides a happy medium. In the perimeter-less world, the network is not a longer control point, then the every work application is for the users.