In the traditional IT world, the edge of an organisation’s network, or rather its firewalls, was considered the perimeter and everything that occurred within the perimeter was trusted. In a world of flexible, remote or home working as the norm, coupled with modern threats like ransomware, phishing and social engineering, that definition of the perimeter is no longer true. Most businesses now also have some form of cloud presence, whether that’s Microsoft 365, Google or other cloud applications; they all sit outside your fort and have big targets painted on them. In this blog, we will be outlining the efficient modern workplace security perimeter required to curb external threats.
Imagine the network is your home. You keep the doors and windows locked, but half of your stuff is outside. Sure, some of it may be locked up, but the combinations for the locks are written on notes that can be seen through the windows. It’s going to get nicked. Organisations that still rely on the legacy perimeter are in this situation.
So what is the modern Workplace Security perimeter and how does it work?
Well, it effectively has three separate pillars: identity, devices and data.
Each element protects the organisation in a specific way, but working together collectively they form a new, flexible perimeter that surrounds your organisation regardless of where users are, or what they’re doing.
How does each piece of the Modern Workplace Security fit in?
A phrase that’s thrown around quite a lot in the IT world is ‘Zero Trust’. It means lots of things across different areas, but with identity the core component is ‘never trust, always verify’, and loosely that means that just because someone appears to be in a certain location or on a certain machine, you still can’t be sure they are who they claim. They may also know a password, but that on its own isn’t enough anymore either.
Organisations need to have a centrally managed identity management platform that controls access to all their resources, wherever they are or whatever they’re accessed from. That needs to apply regardless of the device – Windows, Mac, mobile – company or personally owned.
They should also be challenged with multi-factor authentication when appropriate, ensuring almost without doubt that they are who they claim.
The behaviours of those accounts then also need to be monitored to understand what’s ‘normal’ for them, much like banks track spending behaviours. Where do the users typically work from and when? What’s usual, what’s unusual and what’s impossible? This helps to build a picture of the risk associated with each sign-in, and block it when it’s high, even if the user passed through MFA successfully. Never trust, always verify.
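The usual/unusual/impossible distinction above, written out as a small risk evaluator. This is an added example, not code from the post or from Infinity Group; the baseline profile, the 900 km/h travel limit and the sample sign-ins are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Tuple

# Constructed baseline for one user: where and when they normally sign in.
# A real identity platform learns this from history; here it is hand-written.
BASELINE = {
    "alice": {"usual_countries": {"GB"}, "usual_hours_utc": range(7, 20)},
}

@dataclass
class SignIn:
    user: str
    when: datetime
    country: str
    lat: float
    lon: float
    mfa_passed: bool

def distance_km(a: SignIn, b: SignIn) -> float:
    """Great-circle distance between two sign-in locations (haversine)."""
    la1, lo1, la2, lo2 = map(radians, (a.lat, a.lon, b.lat, b.lon))
    h = sin((la2 - la1) / 2) ** 2 + cos(la1) * cos(la2) * sin((lo2 - lo1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))

def assess(prev: Optional[SignIn], cur: SignIn, max_kmh: float = 900.0) -> Tuple[str, List[str]]:
    """Return (decision, reasons). Impossible travel blocks the sign-in even
    when MFA succeeded; merely unusual context only escalates to MFA."""
    reasons: List[str] = []
    profile = BASELINE.get(cur.user, {})
    if cur.country not in profile.get("usual_countries", {cur.country}):
        reasons.append("unusual country")
    if cur.when.hour not in profile.get("usual_hours_utc", range(24)):
        reasons.append("unusual hour")
    if prev is not None and prev.user == cur.user:
        km = distance_km(prev, cur)
        hours = (cur.when - prev.when).total_seconds() / 3600.0
        # Faster than any airliner: the same credential in two places at once.
        if km > 50 and (hours <= 0 or km / hours > max_kmh):
            reasons.append("impossible travel")
    if "impossible travel" in reasons:
        return "block", reasons
    if reasons and not cur.mfa_passed:
        return "require_mfa", reasons
    return "allow", reasons

# Constructed sample: the same credential used in London and, two hours later, in Sydney.
LONDON = SignIn("alice", datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc), "GB", 51.50, -0.12, True)
SYDNEY = SignIn("alice", datetime(2024, 3, 4, 11, 0, tzinfo=timezone.utc), "AU", -33.87, 151.21, True)
```

The Sydney sign-in is blocked despite a successful MFA prompt, because no traveller covers that distance in two hours.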
Today users have high expectations when it comes to devices. They want to have the latest and greatest shiny thing, might want to use Apple vs Windows, or just bring their own device to work. They’re also taking them to a wide mixture of places and connecting to the internet in a variety of ways: Costa, McDonalds, home, on the train. They might only be inside the network perimeter for 8-16 hours per week, out of 167. For the remaining 150 or so hours, unless the device is secured in a variety of ways, it’s a chink in the armour. Multiply that by a large estate of devices, perhaps as many as 2-3 per employee, and suddenly the perimeter is a sieve. And that sieve is full of company data.
Businesses need the ability to prevent devices that aren’t appropriately secured from accessing their data, whether inside the perimeter or out. If someone brings a personal machine into the office and plugs it into the network, it’s another hole, as are removable disks like USB sticks. Who knows where they’ve been or what could be on them? These devices need to be denied access until they meet a defined set of criteria.
The basic essentials are:
- Encrypted storage
- Software up to date
- Anti-malware up to date
- Strong password
- Firewall enabled
Taking it another level up, additional controls could be that the device must be company owned and controlled by the identity platform. You could also insist that removable storage is encrypted and scanned before it is usable, or block it completely.
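The basic essentials and the stricter tier above, expressed as a deny-until-compliant gate. This is an added example, not code from the post or from Infinity Group; the posture fields, the thresholds (30-day patch window, 3-day signature age, 12-character password) and the two sample devices are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

@dataclass
class DevicePosture:
    """Constructed posture report, as a management agent might submit it."""
    disk_encrypted: bool
    os_patch_age_days: int
    av_signature_age_days: int
    password_length: int
    firewall_enabled: bool
    company_owned: bool = False
    managed_by_identity_platform: bool = False
    unencrypted_removable_media: bool = False

Check = Callable[[DevicePosture], bool]

# Thresholds are assumptions for this example, not figures from the post.
BASIC: Dict[str, Check] = {
    "encrypted storage": lambda d: d.disk_encrypted,
    "software up to date": lambda d: d.os_patch_age_days <= 30,
    "anti-malware up to date": lambda d: d.av_signature_age_days <= 3,
    "strong password": lambda d: d.password_length >= 12,
    "firewall enabled": lambda d: d.firewall_enabled,
}

# The "another level up" tier: everything in BASIC plus ownership and media rules.
STRICT: Dict[str, Check] = {
    **BASIC,
    "company owned": lambda d: d.company_owned,
    "controlled by identity platform": lambda d: d.managed_by_identity_platform,
    "no unencrypted removable storage": lambda d: not d.unencrypted_removable_media,
}

def evaluate(device: DevicePosture, policy: Dict[str, Check] = BASIC) -> Tuple[str, List[str]]:
    """Deny until every criterion passes; the reasons tell the user what to fix."""
    failed = [name for name, check in policy.items() if not check(device)]
    return ("allow" if not failed else "deny", failed)

# Constructed samples: a personal laptop plugged into the office network, and a managed one.
PERSONAL_LAPTOP = DevicePosture(disk_encrypted=False, os_patch_age_days=90,
                                av_signature_age_days=1, password_length=8,
                                firewall_enabled=True)
MANAGED_LAPTOP = DevicePosture(disk_encrypted=True, os_patch_age_days=5,
                               av_signature_age_days=0, password_length=14,
                               firewall_enabled=True, company_owned=True,
                               managed_by_identity_platform=True)
```

Returning the failed criteria, rather than a bare deny, is what keeps the gate robust without being obstructive: the user sees exactly what to fix instead of hunting for a workaround.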
Keep in mind though that too many heavy-handed barriers will encourage users to look for workarounds. Security needs to be robust, but not obstructive, which is a shift IT admins must get their heads around in the modern world.
So we’ve secured our identities and our devices. Great, we’re safe when in or outside the perimeter. What about the data though? It doesn’t only live in these places, and what’s stopping people moving it around?
File too large to email? I’ll stick it in my personal Dropbox account and share it. Now it’s outside the perimeter and unprotected in an unknown location. We’ve no idea who it’s shared with or who they may have subsequently shared it with. Rolling back to email the same applies. Where has the data gone? Who has it and what are they doing with it?
There is no visibility and no control.
Data needs to be protected at the document level, and that protection needs to travel with it wherever it goes. It could define the lifetime of the data, who it can be shared with, who it can’t be shared with and where it can be stored, right down to whether or not a screenshot can be taken of it.
The aim is to prevent both deliberate and accidental data leakage or theft, whilst avoiding any need to throw up those obstructive barriers that could tempt people to seek workarounds.
Overall the most important point to take away is that just because it’s happening inside your office or on one of your devices, that doesn’t mean it’s safe or secure.
Infinity Group have developed a suite of solutions designed to help organisations implement the pillars of the modern perimeter within their environments. Contact us for more information.