The one thing that all CSOs have in common is that we are risk owners. No matter the situation, even during times of extreme business transition and the need to maintain operational continuity, we’re all responsible for assuring the confidentiality, integrity, and availability of data 24x7x365. Our job is to keep our heads during a crisis to make sure that things like rapidly transitioning an entire workforce from a fixed brick-and-mortar framework to a dynamic teleworker environment don’t overlook critical security fundamentals that could expose the organization to risk.
The primary objective is to manage risk. Regardless of how situational requirements might change, the goal is for the core functions of the organization to remain consistently available, reliable, and secure. Resilience is one of the critical elements of risk management – it’s all about delivering the same expected outcomes even when the environment producing and delivering those outcomes is experiencing rapid transformation and stress.
Of course, maintaining resilience in extreme circumstances is easier said than done. Here are some tips to ensure that security and productivity remain resilient irrespective of normal or extraordinary circumstances.
The Fundamentals of Ensuring Reliable and Secure Network Access
The first goal is to ensure that all users and devices have access to the resources they need to do their jobs. And that also means ensuring that they can’t access resources they don’t need, as well as preventing unauthorized users and devices from exploiting a transition to a new networking model to gain access to network resources for malicious purposes. Ensuring this access required two things.
First, all users and devices need to be classified. Here’s a timely opportunity to ensure your data and process classification is up-to-date. That way, regardless of how or where they access network resources, they can be quickly identified and matched to their corresponding network policy.
Second, based on their roles, users should be assigned access to specific resources based on a variety of contextual information. This is why data and process classification, along with understanding underlying dependencies, is so important. Access controls should be based on a need to know basis and assessed based on roles, the type of device being used, access methodology, geo-location, and even what time of day they are attempting that connection.
Know the Capabilities and Limits of Your Existing Resources
Next, CSOs need to understand the abilities and limitations of the resources they have in place so they can quickly determine what can and cannot be done with those resources. For example, it is not enough to know that an installed NGFW platform, for example, can terminate remote connections. The CSO should also know, or be able to find out quickly, the capacity of that device – such as the number of connections per second and simultaneous connections it can support, its capacity to inspect encrypted VPN traffic, its ability to scale to protect a new networking paradigm, and how much effort is involved in setting up those functions.
These and similar details need to be understood before additional technologies are brought in to shore up any gaps. And frankly, these contingencies should have been considered long beforehand to a) make sure that as many of the required tools and capabilities are already in place, and b) understand the ability of existing tools to support and collaborate with third-party systems and technologies. That requires having already deployed tools designed around things like common standards and open APIs.
Know and Support the Different Access Requirements of Your Users
If these precautions have been taken, then there is little need for panic when you need to transition your traditional workforce to a teleworker strategy. Essentially, all workers can be broken down into three categories:
Basic teleworker. This group represents the majority of your remote workforce. The basic teleworker only requires access to email, internet, teleconferencing, limited file sharing, and function-specific capabilities (Finance, HR, etc.) from their remote work site. This includes access to Software-as-a-Service (SaaS) applications in the cloud, such as Microsoft Office 365, as well as a secure connection to the corporate network. Most organizations should have most of the technologies needed to accommodate these users already in place. The biggest issue is likely to be one of scalability.
Power user. Power users are employees that require a higher level of access to corporate resources while working from a remote location. This may include the need to operate in multiple, parallel IT environments, such as system administrators, IT support technicians, and emergency personnel. They will need access to fixed, high-performance, and secure tunnels back to core- and cloud-based resources. Addressing the needs of these users will likely require the distribution of a secure access point or even a desktop-based NGFW that supports zero-touch provisioning.
Super user. A super user is an employee that requires advanced access to confidential corporate resources, even when working from an alternate office such as their home. This includes administrators with privileged system access, support technicians, key partners aligned to the continuity plan, emergency personnel, and executive management. In addition to the resources required by power users, they will also need access to advanced VoIP telephony and secure video conferencing.
Provide Additional Training and Support
It is critical as you move employees to a more autonomous and exposed remote worker status that you heighten their security awareness. While you can compensate for many of the new risks they pose to the organization (such as updating or upgrading your secure email gateway and web filtering solutions), it is also essential that you understand that these workers have become, in many ways, both your most vulnerable targets as well as your front line for defending the network.
Because of the widespread transition to employees working from home, bad actors are now explicitly targeting remote workers with phishing attacks designed to prey on their concerns about their health and well-being, or their novice status as teleworkers. End-user training, therefore, is critical in helping them spot, avoid, and report suspicious emails and websites.
Additional measures you should take as more work is done remotely:
- Confirm your VPN capabilities/utilization and determine if they are adequate
- Require the use of multi-factor authentication
- Log and monitor everything and pay attention to anomalous behavior
- Monitor the final disposition of data accessed by privileged access users
- Monitor your key applications and dependencies for anomalous behavior
In addition, you will need to identify your systems administrators, executives, executive assistants, and others with elevated access privileges to not only implement additional layers of authentication and validation but also to actively monitor and log their connections for anomalous behavior
There is an adage used by carpenters that goes, “measure twice and cut once.” The same goes for cybersecurity. It is essential that all plans and strategies are double-checked, and that things like data and process classification are under constant review to ensure that everything is up to date. All dependencies also need to be noted and followed up on.
And finally, make sure that you review your BCDR plan to ensure everything is up to date and accurate, including the contact information for your extended crisis and event response team.
Risk management and resiliency require careful planning, combined with an experienced team trained to deal with critical situations in flux. It is essential that teams keep their heads, understand their objectives, and execute strategies with a common goal in mind – maintaining operational consistency, including ensuring that your organization does not compromise on security for the sake of expediency.
Jonathan Nguyen-Duy, Vice President, Global Field CISO Team at Fortinet
The original article can be found here.