You may not know where each of your employees will rest their head tonight, when they will next log in, or even exactly what they are working on, but, whenever someone uses their identity to access corporate resources, you must be confident of who they are.
The June 2022 issue of Collaboration Today and Tomorrow features an article by Yorktel President Ken Scaturro, “Secure Collaboration for the Hybrid Workplace,” that will be relevant to many HR, operations, and IT managers. In this article, Ken lays out the dual responsibility of supporting employees and contractors anywhere they might be, while safeguarding proprietary information and infrastructure. Ken notes that the “Zero Trust” framework is the recommended underlying technological approach, but that an understanding of the humans involved is just as essential. Here are a few pieces of advice from the article:
Don’t look back
The pandemic is far from controlled, unfortunately, and the more autonomous, anywhere, anytime work styles that it spawned are here to stay. Moreover, with many staff taking the opportunity to reconsider their lifestyles, even established employees may change their location(s), hours, and responsibilities in the not-too-distant future. By the same token, when employees do find greener grass elsewhere, mobile device management (MDM) and mobile application management (MAM) can help ensure that all proprietary files to which the person has access are deleted from each relevant device.
See IT as project enablement
Too often, information security is presented as a “boring but important” topic, rather than an enabler that helps employees and contractors worldwide innovate, collaborate, and meet both personal and professional objectives. However, in truth, factors such as overly officious IT policies, lax information security, and/or the Wild West in terms of shared drives, make work more difficult and can serve as a pretext for underperforming or leaving.
In addition, Ken points out that collaboration with external entities often entails cloud-based shared files, online meetings, ongoing chat, and team-based project management, all of which require far more infrastructure than simply implementing multi-factor authentication (MFA) or uploading this week’s project files to Teams.
Trust no one
A “vulnerable until proven otherwise” mentality implies that threats can come from inside or outside the network, supporting gated access across one or more domains. Ken notes that Zero Trust platforms such as Microsoft 365/E3/E5, Amazon Web Services (AWS) and Google Workspace will serve many companies well. These platforms allow managers to combine essential functions such as identity authentication, endpoint management, security monitoring/analytics, and regulatory/third-party compliance. Often, these platforms are under-leveraged, while expensive piecemeal approaches may be licensed a la carte, even though the latter may produce more alerts than incremental security.
Embrace conditional access and proactive data governance
“Conditional access” is a powerful tool for ensuring that only users with a “need to know” (or comment/edit/forward/print) can access shared files, folders, network drives, portals, team pages, meeting rooms, and other assets. Data governance can also be used to restrict printing or external forwarding, through adjustment of sensitivity settings. Thus, even if a user forgets manual encryption of sensitive material, prespecified “trigger” content – sensitive data such as Social Security numbers – will result in encrypted transmission.
Consider virtual desktops and remote provisioning
Using Microsoft’s Azure Virtual Desktop can help avoid the need for localized applications for on-the-move project managers and field installers. Since authorized users may be logging in from the sketchiest of Internet cafes or coffee shops, locking sessions and logging users out after a pre-specified timeout is wise.
When onboarding new hires, computers and mobile devices can be shipped directly to the employee, and, once their identity is verified, they can download everything they need to start work from the cloud.
Look for simplicity over glitter
A glitzy administrative portal for a Zero Trust platform has no intrinsic value if it’s not easy to manage users, devices, networks, and apps while using it. And “conditional access” has to be comprehensive, covering all document types, portals, meeting rooms, and applications, or there will be security gaps. On the other hand, those overworked humans in IT only have so many hours in the day. So some careful up-front thought and clear documentation as to how the privileges of new hires, established staff, and contractors will be established, and re-evaluated if needed, can save considerable time and angst in the end.
Support life outside work with anytime work
For the foreseeable future, employees and contractors will likely plan travel around COVID conditions at their point of departure and destination(s), as well as the ebb and flow of their professional obligations. They will also need to allow extra days for travel in case of cancellations, especially for connections and one-time events, and may use more unconventional/mixed modes of travel for safety and predictable travel times. Conditional access rules should support each of these scenarios, and more.
It’s a long game
Secure collaboration mandates both technical innovation and human action. Defending against unintentional breaches and bad actors requires (1) a platform that monitors and stays abreast of threats, (2) IT administrators who don’t “set and forget,” and (3) corporate leadership that fully supports operations, HR, and IT’s mandate to communicate and apply the rules consistently.