IDAPTIVE.COM WHITE PAPER FIVE ACTIONABLE TIPS FOR Securing Work-From-Home Arrangements

Five Actionable Tips for Securing Work-From-Home Arrangements · 2020-05-13


FIVE ACTIONABLE TIPS FOR Securing Work-From-home Arrangements


Table of Contents

©2020 Idaptive. All Rights Reserved. idaptive.com

3 Introduction

4 Tip 1: Pick the Right Options for Enabling Remote Access

5 Tip 2: Scale Multi-Factor Authentication

7 Tip 3: Secure Endpoints

8 Tip 4: Enable End-Users to Help Themselves

9 Tip 5: Communicate with Your Team

11 Next Steps

Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, email addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of IDaptive, LLC.

Idaptive may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Idaptive, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.


FIVE ACTIONABLE TIPS FOR SECURING WORK-FROM-HOME ARRANGEMENTS

idaptive.com

Introduction

In response to the spread of the COVID-19 virus, organizations of all sizes are rapidly scaling their support for a remote workforce. In addition to the strain this puts on IT support and helpdesk teams, it raises critical operational and security challenges. For most organizations, supporting remote employees isn’t new. However, the scale and speed at which organizations are forced to expand the work-from-home arrangement have caught many CIOs and CISOs off-guard. Instead of focusing on the existing projects, IT leaders now must prioritize tools that enable remote workers while safeguarding home work environments [1].

In this whitepaper, we have gathered five actionable tips that will help you scale and secure your remote workforce without making it difficult or painful for your employees to work.

[1] https://www.mayfield.com/mayfield-cxo-survey-post-covid-19-impacts-to-it/


Tip #1: Pick the Right Options for Enabling Remote Access

Historically, enterprises have relied on Virtual Private Network (VPN) technologies to enable remote access to applications and data residing behind a firewall. With the transition to cloud-based infrastructure and apps, the need to access corporate networks has diminished. However, some of the key applications remain hosted in private and on-premises data centers resulting in a “hybrid” infrastructure. IT teams managing such environments typically default to VPNs for remote access primarily because they operate invisibly to the end-users and introduce no dependencies on applications or resources. Unfortunately, VPNs also come with a few downsides.

Installing and maintaining VPN solutions requires time and effort. All VPN systems must be regularly patched to eliminate newly discovered vulnerabilities. Deploying VPN to remote employees could be difficult as well. For example, an employee who has never done remote work and hasn’t set up a VPN might find it challenging to do so remotely because of the in-person or on-site initiation requirements. In addition, IT must maintain or procure enough licenses to support the increase in demand for VPN services.

A more significant concern with VPN, however, is security. Allowing access to your corporate network based on a single password is a huge risk — and this risk exponentially increases when you suddenly give access to everyone in your company. One way to mitigate broad VPN access risk is to require Multi-Factor Authentication (MFA) for everyone that uses the VPN. We will talk more about that in the next section.

Once users are authenticated and connected to a VPN, they can theoretically access any resource on the entire network, limited only by policies already in place at the authentication and authorization step. In other words, VPN provides “all-or-nothing” access, which greatly increases the attack surface that can be exploited by cybercriminals.

Even if you have an existing, secure VPN solution in place today, it still may not be optimal for providing the best experience for all users or scaling rapidly to a large number of employees. For example, an always-on VPN connection might not be necessary if a user only needs to access a few on-premises apps and mostly works with cloud-based apps and data. Instead, these users should leverage a reverse proxy.


With reverse proxies, also known as application gateways, you can provide users app-specific access based on their roles. This eliminates the possibility of lateral movement within your on-premises environment and allows you to integrate your on-premises apps with your Single Sign-On (SSO) solution. Similar to VPNs, reverse proxies do not require changes in application code. As an added benefit, they also do not need any additional infrastructure, making them a better option for IT teams struggling to quickly respond to increased remote access demand.

Regardless of the option you select, ensure you fully understand the remote access requirements of your employees before investing and deploying any product.
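To make the difference between the two access models concrete, here is an added example (not Idaptive code and not any product's API) of the authorization check an application gateway performs before forwarding a request. It assumes an SSO service issues a signed session token (a constructed HMAC-signed JSON document standing in for a SAML or OIDC assertion) and that the gateway holds a role-to-application map. Every request is checked against that map for the specific app being reached and refused by default, which is what removes the network-wide reach a VPN tunnel grants once the user is connected.

```python
"""Per-application access check for a reverse proxy / application gateway.

Added illustration; the signing key, token format and role-to-app policy are
constructed for the example and are not Idaptive's implementation.
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed: a demo key shared by the SSO service and the gateway. A real
# deployment would verify the identity provider's signing certificate instead.
SSO_SIGNING_KEY = b"demo-sso-key-not-for-production"

# Constructed policy: which roles may reach which on-premises application.
APP_ACCESS_POLICY = {
    "expense-reports": {"finance", "sales"},
    "hr-portal": {"hr"},
    "erp": {"finance"},
}


def issue_session_token(user, roles, ttl_seconds=900, now=None):
    """Simulate the SSO service: sign a claims document for an authenticated user."""
    now = time.time() if now is None else now
    claims = {"sub": user, "roles": sorted(roles), "exp": now + ttl_seconds}
    body = base64.urlsafe_b64encode(json.dumps(claims).encode()).decode()
    sig = hmac.new(SSO_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_session_token(token, now=None):
    """Return the claims if signature and expiry check out, otherwise None."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return None
    expected = hmac.new(SSO_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    claims = json.loads(base64.urlsafe_b64decode(body))
    if claims["exp"] < now:
        return None
    return claims


def gateway_decision(token, app, now=None):
    """Decide whether the gateway forwards a request to `app`.

    Returns (allowed, reason). Deny by default: an unknown app, an invalid
    token or a role mismatch all refuse, so a user allowed into one app cannot
    pivot to another application through the gateway.
    """
    claims = verify_session_token(token, now)
    if claims is None:
        return False, "invalid or expired session"
    allowed_roles = APP_ACCESS_POLICY.get(app)
    if allowed_roles is None:
        return False, f"no policy for {app}"
    if not allowed_roles.intersection(claims["roles"]):
        return False, f"{claims['sub']} holds no role permitted for {app}"
    return True, f"{claims['sub']} -> {app}"


if __name__ == "__main__":
    token = issue_session_token("alice", ["sales"])
    for app in ("expense-reports", "erp", "hr-portal"):
        print(app, gateway_decision(token, app))
```

A user whose only role is `sales` is forwarded to the expense application and refused by the ERP and HR gateways, even though all three sit on the same on-premises network; with a VPN, the same user would have network reachability to all of them once the tunnel was up.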

Tip #2: Scale Multi-Factor Authentication

The need to leverage Multi-Factor Authentication (MFA) to secure access to enterprise resources should be a foregone conclusion. The analysis of nearly every recent breach shows that if there had been an additional authentication factor, these breaches might have been prevented. However, MFA is still not mandated in the majority of companies. Frequently, the underlying reason for not requiring MFA is that it has a reputation of being a nuisance: admins just don’t want to bother their users with it. Additionally, there are so many poorly designed MFA solutions on the market that if organizations approach these types of initiatives in a crisis mode without being aware of the pitfalls, they are bound to find themselves in the security vs. user experience limbo.

Several practices make the rollout of MFA more manageable. According to the research done by McKinsey [2], prioritizing the MFA requirement for users who have elevated privileges and work with critical systems allows security teams to pilot rollouts on a smaller scale and learn from the experience. With the knowledge gained from working with these technical end-users, IT can develop more extensive implementation plans for the rest of the organization.

[2] “Cybersecurity tactics for the coronavirus pandemic.” By Jim Boehm, James Kaplan, Marc Sorel, Nathan Sportsman, and Trevor Steen.


Another practice that enables faster adoption and acceptance of MFA is the support for a broad range of authentication factors. It is essential to keep in mind that whatever token might be the best for IT might not be the best for the end-users. The MFA solution that you select should support a variety of token types to handle any use case. For example, phone-as-a-token authentication could be suitable for employees accessing low-risk applications and systems. On the other hand, users with access to financial or customer data should be required to use strong authentication factors such as physical tokens or biometrics.

Finally, instead of harassing users with MFA challenges for every access attempt, IT and Security teams should evaluate the risk and context of each request. This can be accomplished with adaptive MFA. It enables companies to build a profile for every user, evaluate contextual factors of each access request, and render a risk score that can be used to create intelligent access policies. For example, an employee on the sales team accessing Salesforce from a known home location, on an enrolled laptop at 9:00 a.m. could be considered a low-risk attempt requiring no secondary authentication. The same employee, requesting access to a Finance application from a new location, on an unknown device, at 1:00 a.m. is risky and should be required to provide secondary identity verification. The more advanced the adaptive MFA analytics engine is, the more precise IT admins can get with the risk-based rules, therefore reducing employee frustration with MFA.

Whether you implement a traditional or adaptive MFA, every access channel must be protected. MFA should be required for remote access with VPN, to login to endpoints, and to access applications through a Single Sign-On solution.


Tip #3: Secure Endpoints

Securing endpoints should be at the top of every IT organization’s priority list since every company now has employees working from home. This drastic increase in the number of remote endpoints is not going unnoticed by cybercriminals – they are fully embracing the opportunity by launching creative phishing attacks [3], fake websites [4], and malicious apps. Endpoint security becomes even more critical if personal devices, which often lack security controls found on company-issued hardware, are used to access corporate resources.

You can take several proactive steps to protect your endpoints, starting with ensuring that all laptops and other hardware issued to employees and contractors are enrolled into a Mobile Device Management (MDM) system. With MDM, you can assess the security posture of all endpoints connecting to the corporate network, track and enforce security policies, and gain visibility into end-user behavior. In addition, a robust MDM solution would allow you to remotely wipe devices of all the stored data and reset them to factory settings in case devices are lost or compromised.

Enrolling new devices in the MDM solution could prove challenging, especially when both the IT team and employees are working remotely. Traditionally, IT would set up devices on the corporate network and then ship them to end-users after this is done. Once received, remote users would establish a direct connection to the corporate network via VPN to complete the enrollment process. A less complicated alternative to this process leverages cloud-based Single Sign-On solutions with endpoint security capabilities. With an SSO solution, IT simply installs an agent on Windows or Mac devices, which then enables remote users to log in with their corporate credentials and complete the enrollment process without being connected to a VPN or corporate network.

[3] https://cloud.google.com/blog/products/identity-security/protecting-against-cyber-threats-during-covid-19-and-beyond

[4] https://www.mimecast.com/blog/2020/04/will-coronavirus-finally-move-you-to-multi-factor-authentication/


Requiring Multi-Factor Authentication for logging in to endpoints, in addition to accessing VPNs and apps, is also crucial in keeping your organization secure. Endpoint MFA ensures the person trying to access the device is the authorized user, by requiring employees to pass additional authentication challenges during the process of logging into their devices. Deploying MFA on endpoints is not complicated – IT can leverage the same agent used to enroll devices into the SSO solution, and employees can use the same authentication factors they already use to access their applications.

Some users, such as those working with personally identifiable information (PII) or confidential data, pose more risk than others. You can leverage the adaptive MFA capabilities to monitor their endpoint behavior (such as logging in from a brand new location or at odd times) and prevent security breaches by requiring secondary authentication for any risky access attempts. On the other hand, low-risk users logging in from known devices and locations can be allowed to access their devices without additional verifications.

If your existing security solution does not contain endpoint MFA or MDM functionality, deploying a cloud-based SSO solution with those capabilities can help you quickly reduce the number of unprotected endpoints and prevent endpoint-originated breaches.
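The adaptive MFA policy described under Tip #2 (risk-scoring the Salesforce and Finance-application requests) and the endpoint-login variant described above work the same way, so one added example covers both. This is illustrative code, not Idaptive's analytics engine or its policy language. It assumes a per-user profile of known locations, enrolled devices and usual working hours (constructed here; a real engine would learn them from sign-in history) and a sensitivity tier per application or for endpoint login. Contextual signals add to a risk score, the sensitivity of the resource amplifies any anomaly, and a threshold turns the score into "allow" or "step-up MFA".

```python
"""Risk-scored access decisions in the style of adaptive MFA.

Added example; the weights, thresholds and profiles are constructed for the
illustration and are not Idaptive's.
"""
from dataclasses import dataclass, field


@dataclass
class UserProfile:
    """What the engine has learned about a user from previous sign-ins (constructed)."""
    known_locations: set = field(default_factory=set)
    enrolled_devices: set = field(default_factory=set)
    work_hours: tuple = (8, 19)  # local hours [start, end) considered usual


@dataclass
class AccessRequest:
    user: str
    resource: str      # application name, or "endpoint-login" for a device logon
    location: str
    device_id: str
    hour: int          # local hour of the attempt, 0-23


# Constructed sensitivity tiers: the more sensitive the resource, the less
# unusual context it takes to trigger a challenge. Unknown resources are
# treated as sensitive.
RESOURCE_SENSITIVITY = {
    "salesforce": 1,
    "finance-app": 3,
    "endpoint-login": 2,
}
DEFAULT_SENSITIVITY = 3

STEP_UP_THRESHOLD = 4  # score at or above this requires a second factor


def risk_score(req, profile):
    """Sum weighted contextual signals; return (score, contributing reasons)."""
    score, reasons = 0, []
    if req.location not in profile.known_locations:
        score += 3
        reasons.append("new location")
    if req.device_id not in profile.enrolled_devices:
        score += 3
        reasons.append("unenrolled device")
    start, end = profile.work_hours
    if not (start <= req.hour < end):
        score += 2
        reasons.append("outside usual hours")
    # Sensitivity only amplifies anomalies: a fully familiar request to a
    # sensitive app still scores 0 and passes without a challenge.
    if reasons:
        score += RESOURCE_SENSITIVITY.get(req.resource, DEFAULT_SENSITIVITY)
    return score, reasons


def decide(req, profile):
    """Return ('allow' | 'step-up-mfa', score, reasons) for one access request."""
    score, reasons = risk_score(req, profile)
    action = "step-up-mfa" if score >= STEP_UP_THRESHOLD else "allow"
    return action, score, reasons


if __name__ == "__main__":
    sam = UserProfile({"home"}, {"laptop-1"}, (8, 19))
    for req in (
        AccessRequest("sam", "salesforce", "home", "laptop-1", 9),
        AccessRequest("sam", "finance-app", "hotel", "tablet-9", 1),
        AccessRequest("sam", "endpoint-login", "cafe", "laptop-1", 9),
    ):
        print(req.resource, decide(req, sam))
```

The two scenarios from the text fall out directly: the 9:00 a.m. Salesforce request from home on the enrolled laptop scores 0 and is allowed, while the 1:00 a.m. Finance request from a new location on an unknown device accumulates every signal plus the Finance tier and is challenged. The same rules applied to `endpoint-login` give the behaviour described for device logons: known device and location pass, a brand-new location does not.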

Tip #4: Enable End-Users to Help Themselves

Supporting work-from-home users is always challenging, as you can’t just ask the person to drop by the IT Help Desk to get support in-person. To further complicate the situation, the volume of requests coming into help desks since the beginning of the pandemic has spiked [5] by double-digits across all types of businesses all over the world, overwhelming IT teams and impacting user productivity. To take some of the pressure away and help IT teams to continue supporting employees, you could look into allowing your users to help themselves with self-service tools.

[5] https://www.zendesk.com/blog/zendesks-benchmark-snapshot-impact-covid-19-cx/


Help desk tickets for password resets and account unlocks are the two types of requests that both take up precious IT resources and can be quickly resolved by employees. The critical thing to be on the lookout for when evaluating self-service tools is the ability for end-users to reset passwords or unlock accounts without the need to first log in to their computer. In other words, it is not reasonable to expect your users to log in to their work computer with their forgotten password or into a locked account to use the self-service portal. Instead, self-service options should be made available at the login screen or through a cloud interface that can be accessed from any web browser.

The other key aspect of self-service password reset and account unlock is related to adding an appropriate level of authentication assurance. IT should have the ability to verify the user identity by using authentication factors other than just the user’s password prior to allowing self-service actions. To that end, leveraging the MFA capabilities discussed earlier will enable you to keep your employees’ identities, resources, and data safe.

During critical times for businesses, employees are frequently asked to expand their roles and responsibilities, often requiring that they gain access to new applications and resources. Traditionally, this has meant that employees would have to submit helpdesk requests to get access. The helpdesk would then provision access to new applications upon the IT administrator’s or the employee manager’s approval. The alternative that saves IT resources and time is a Single Sign-On solution with Lifecycle Management (LCM) capabilities.

Lifecycle Management functions should include searchable application catalogs and access request workflows for end users. The LCM solution should also provide specific users or roles the ability to approve or reject access requests without IT intervention. For example, an app request workflow may include notifying the employee’s management chain, an application administrator, or a group of users to review the request and, if legitimate, approve it directly in the SSO portal or a mobile app.

Enabling self-service tools will not only reduce the strain on your IT teams but will likely increase your user satisfaction and overall productivity. With a properly implemented self-service portal, your employees will be able to resolve their issues without the need to email, call, or wait on the Help Desk team for assistance.


Tip #5: Communicate with Your Team

Whether working from the office or home, employees must exercise good judgment to maintain information security. Even the strongest security controls might not prevent intricate social-engineering attacks or breaches that result from a human error. In addition, some employees working from home may choose to engage in online behavior that opens them to threats, such as visiting malicious websites that office networks block. Proactively and creatively communicating with your employees about good security practices is essential to keeping your organization secure.

According to the research [6] done by McKinsey on cybersecurity tactics for the coronavirus pandemic, a high volume of crisis-related communications can easily drown out warnings of cybersecurity risks. To mitigate this possibility, your IT and Security teams need to use a mix of approaches that resonate with remote employees to get their messages across. For example, companies can host internal webinars, share best practices via email, and open direct lines of communication with IT via Slack channels.

It’s important to point out that telling employees not to use certain tools, such as consumer-grade web services or freeware that users believe they need to do their jobs, is counterproductive. Instead, you should explain the benefits of using approved tools — such as security, productivity, and availability of training and support. While eliminating the so-called shadow IT systems (software set up without formal approval or support from the IT team) might be especially difficult with a large remote workforce, your IT team should be ready to step in and provide IT-sanctioned alternatives.

IT should also build an end-user policy document to help reduce the possibility of users installing unapproved software to compensate for in-office capabilities they are unable to access from home. According to a recommendation from Gartner [7], this document should be approved by stakeholders, including human resources, legal, security, and compliance, and be physically signed by all employees.

[6] https://www.mckinsey.com/business-functions/risk/our-insights/cybersecurity-tactics-for-the-coronavirus-pandemic

[7] “Solving the Challenges of Modern Remote Access” by Analysts Rob Smith, Steve Riley, Jeremy D’Hoinne, Nathan Hill


Increasing the awareness of safe online behavior, proactively explaining the various tactics cybercriminals use to trick employees and gain unauthorized access, and communicating security policies will go a long way towards keeping your organization secure.

Next Steps

Securely scaling a remote workforce requires appropriate tools and resources. One of the tools you can leverage is Idaptive Next-Gen Access. Idaptive is an integrated Identity and Access Management (IAM) platform designed to help companies secure access everywhere, for any user, to any application, from any device.

With Idaptive, you can deploy a modern Single Sign-On service that integrates with both your cloud and on-premises apps, as well as Adaptive Multi-factor Authentication that intelligently protects your VPNs, applications, and endpoints. Idaptive also includes comprehensive self-service and Lifecycle Management capabilities to help you reduce the burden on your Help Desk, and endpoint management functionality to strengthen the security of devices accessing your resources.

If you’d like to give Idaptive a try, we are offering no-obligation use of our platform through our Free Trial program. Any company, regardless of the size, the number of employees, or apps, can leverage our solution to secure access for their entire remote workforce.

The Idaptive Next-Gen Access solution combines Single Sign-On, Multi-Factor Authentication, Lifecycle Management, and Endpoint Security Management in one integrated platform.

Idaptive delivers Next-Gen Access, protecting organizations from data breaches through a Zero Trust approach. Idaptive secures access to applications and endpoints by verifying every user, validating their devices, and intelligently limiting their access. Idaptive Next-Gen Access is the only industry-recognized solution that uniquely converges Single Sign-On (SSO), adaptive Multi-Factor Authentication (MFA), Enterprise Mobility Management (EMM) and User Behavior Analytics (UBA). With Idaptive, organizations experience increased security, reduced complexity and have newfound confidence to drive new business models and deliver awesome customer experiences. Over 2,000 organizations worldwide trust Idaptive to proactively secure their businesses.


3300 Tannery Way Santa Clara, CA 95054

[email protected]