The COVID-19 pandemic caused a sudden and drastic shift in how employees connect to their secure work resources. When working from home, many opted to use their personal devices for convenience rather than approved corporate devices.
Now, as hybrid, in-person office scenarios start to become the norm, CISOs and CIOs are partnering to figure out how to cope with personal devices being brought into the office.
Managing personal devices in the office
In the past, organizations exerted far greater control over access to resources through network availability and device usage. The hasty transition to remote work left many without answers on how to safely offer network access to employees without limiting their ability to work efficiently. Having a large segment of the workforce working remotely effectively removes the capability for a network-perimeter defense strategy.
Organizations had to quickly face the reality that many users may opt to access their secure work network and resources via personal devices. Most users choose the most convenient option available and unknowingly put their network at risk as a result.
So how can an organization ensure that only secure, managed devices and authorized users have access to corporate resources? And how can they enforce this remotely across all applications? Here are some strategies:
- Conduct a secure network usage audit.
When an organization seeks to take control of security on their network and manage it effectively, they have to truly know the user and device identity behind every network connection.
Security teams can accomplish this through a network audit to gain an understanding of who accesses resources on the network and through which devices. They can also embrace zero-trust network access (ZTNA). A zero-trust approach aims to ensure that network resources are limited only to those users who need them. The fewer people that have access to a resource, the less likely it’s breached. Network audits can help security teams accomplish this goal.
How can a security team restrict the usage of resources and applications to only trusted users and devices that require access? For starters, leverage the company’s identity and access management (IAM) systems to determine which user groups require access to which resources. Then, conduct the audit to ensure that IAM policies are accurately implemented and driving how the network is used. This will result in a functioning, zero-trust network.
- Leverage zero-trust and digital certificates.
In addition to a network audit, many are considering a restriction of trusted devices to only those managed by the organization. It should not come as a surprise that with the typical network user, their cybersecurity best practices are not held to a standard set by most network admins. So when it comes to device trust, personal devices are always a security gamble.
Many organizations are accomplishing this through a mix of zero-trust policies and digital certificates. These certificates cannot be shared or exported to foreign devices, cannot be stolen over-the-air, and are cryptographically tied to a user/device identity. Equipped with highly accurate identity information, enterprise device management software, and authentication, authorization, and accounting (AAA) servers, security teams can configure an environment for highly- sophisticated zero-trust resource segmentation. This allows employees to leverage their personal devices and home networks for flexible work but prevents them from accessing critical resources.
- Run secure networks in remote locations.
Some organizations have gone a step further and offer a secure network in remote workers' homes. It’s possible for an organization to configure secure WPA2-Enterprise networks in remote workers' homes with the advent of cloud-based RADIUS servers. This prevents Wardriving attacks and helps IT ensure corporate-owned devices are securely segmented from insecure personal devices at home.
As more countries gain the upper hand in the fight against COVID, companies are faced with a spectrum of different technical, security, and ethical issues.
An issue that has come to the forefront concerns privacy over health information. Some organizations may remain cautious about how to approach vaccination requirements and whether to track this information in their employees. For most industries, this has not been standard in the past – should they make an exception now?
The transition to remote work and now hybrid environments happened much faster than anyone could have predicted. It has brought about IT challenges that many organizations were not ready to face. But these issues were thrust upon us, and security teams will need to develop unique solutions to face the new working environment.
Bert Kashyap, co-founder and CEO, SecureW2