As the epidemic known as Coronavirus (Covid-19) continues, many companies including several of the world’s largest enterprises such as Google, Amazon, and Microsoft are shifting gears moving from on-prem workforces to a distributed remote workplace. Although this decision is based on ensuring the safety of their employees and the prevention of exposure to the virus, it comes with the additional challenges of securing digital assets and business-critical resources while allowing employees the access necessary to continue their work.
WORK FROM HOME
Working from home, once seen as the holy grail of job situations, has become increasingly common even before Coronavirus (Covid-19). For employees whose job descriptions include even partial work from home, organizations often provide pre-configured laptops remotely managed by IT administrators. For some enterprises dealing with Coronavirus (Covid-19) suddenly shifting the workplace paradigm, these resources aren’t always readily available. Employees may, for a time, find themselves using their personal equipment but even those with company-provided laptops may elect to use their personal machines whether for familiarity, comfort, or ease of use. This sounds reasonable, but personal devices are often behind on patching, many lack anti-virus protection, and the basic security and policy configurations deployed on corporate devices are missing. These vulnerabilities increase the organization’s risk.
In a world where working from home is a crucial aspect of containing an epidemic, organizations must alter their mindset and approach security in a new way. Identity Governance and Administration (IGA) is a key element supporting this new security paradigm. Cybersecurity research supports the position that identity is the primary control for security. Securing data by securing people and processes requires organizations to embrace innovation and address the challenge of a distributed remote workplace.
The Risk of Personal Equipment
Although there are tools to apply corporate security controls to personal devices accessing the network, features such as patch management, antivirus, encryption, and password protection are challenging to ensure without sophisticated technologies and stringent application of policies. For this reason, the personal device accessing organizational resources is assumed insecure. This leaves an opening for attacks such as credential theft or authentication hijacking, potentially exposing confidential data.
Saviynt is designed with identity at the core of its security practices. Saviynt crafts identity by viewing deep into the on-prem and cloud ecosystem of your organization to gather role and access information accessible to an individual in order to understand the full reach and scale of their identity. By utilizing this, Saviynt is able to identify Segregation of Duties (SoD) violations and facilitate risk-based decisions making. When access requests are made, this information is analyzed using risk-based logic to grant access or escalate it to a human approver for real-time evaluation. This decreases the impact of an attacker utilizing credentials and limits how much access they can gain
Filling in for Those Out Sick
A global epidemic isn’t the only time an employee might be out recovering from illness. Whether fighting COVID-19 or simply trying to shake the flu, employees cannot always be available to complete their regular duties, even if they are the only ones with access to do so. This single point of failure can bring an entire workflow to a screeching halt. The delay created while a replacement is found and proper access is established costs in terms of productivity and can negatively impact an organization.
Saviynt planned for these situations. When immediate access is needed to fill in for a missing person and time is of the essence, Saviynt provides break-the-glass access in accordance with your organizational policies and procedures. This access is time-limited, and all activity done with this temporary rights elevation is logged for future auditing. To ensure full governance is in place, the appropriate parties are notified when this occurs so they can review the logs and ensure that the individual only executed required tasks.
Utilize Collaborative Tools Safely (Share but Don’t Over Share)
Working effectively remotely requires collaboration with co-workers, superiors, and sometimes with other departments. Microsoft Teams is an industry-standard tool offering this functionality. Teams allows co-workers to collaborate in real-time with video conferencing, chat and file sharing. These shared resources make it easy to collaborate, but that collaboration comes with an element of risk if there is a lack of governance over the sharing of information. Teams by default allows a user to share any files to which they have access with any other user they are in a team with, without additional checks or oversight. If such files contain sensitive or business-critical information, there’s potential for unauthorized disclosure.
Saviynt’s solution adds streamlined governance to Teams with three important features: dashboard visibility into Teams configured with excess sharing capabilities, inspection to surface high value data, and visibility into data shared in Teams Channels and Teams Site Collections. To wit, Saviynt can first help see if a channel has been configured so that members could share data outside of the organization, or if a Team has members who are orphan accounts or outside accounts. Permissions to data in Site Collections is assigned many ways, even on the Site Collection data store outside of Teams. Saviynt enables organizations to scan Teams data stores, locate PII, PCI, intellectual property or other high value data, and see who has access to it. Organizations can restrict what users can do- such as not allowing a Guest to edit files- and also restrict access to sensitive data or remove that data from exposure.
For other collaboration tools and platforms such as O365, Box, Dropbox, or Sharepoint, Saviynt performs a check to analyze the risk when a user shares data. Risk is determined by a number of criteria such as the contents, how it is categorized, and who it is being shared with. Based upon how it is scored, it can be allowed depending on the enterprise’s risk appetite or temporarily blocked for an approver to review before going forward. Then to finish the process, the sharing is logged so there is a full audit trail of where the resource was shared from and where it went.
EVEN WITHOUT COVID-19
Whether adapting to a pandemic or evolving to follow the trend of offering remote work as a perk, Saviynt is a partner in ensuring your organization’s data is secure. No longer must security be defined by a firewall and a hardened security wall around your organization. Identity is the new security perimeter, focused on understanding who your users are and what your users can access. Saviynt can help guarantee the principle of least privilege and proper SoD is in place to protect your assets and limit the scope and scale of a breach. We’ll expand on this in our next post and look at how Saviynt is pioneering ways to enable businesses to empower their workers using smarter security.
Saviynt starts with people – who they are and what applications they need – to create a holistic set of identities across the cloud ecosystem. This approach enables customers to govern all identities access from cradle to grave, providing continuous visibility of access to enforce internal controls that align with regulatory and industry-standard mandates. Saviynt’s cloud-native platform offers flexible deployments, including on-premises only or hybrid/cloud to match your hybrid ecosystem identity needs.
Our suite of solutions enables you to create a holistic approach to IAM that enables you to mature your cybersecurity posture around remote workers and all identities by securing your ecosystem with identity-centric security.
For more information about mangining identity security for your remote workers, including securing your Microsoft ecosystem, contact us for a demo.