The trend toward a mobile, distributed workforce, including working from home, has been underway for many years. Unfortunately, sudden events like COVID-19, the disease caused by Coronavirus, can shine a harsh spotlight on the need to provide a more comprehensive workforce access and productivity solution than what many companies have in place currently. Organizations like Google, Microsoft and Amazon have already encouraged employees to work from home. And JPMorgan Chase, as a precautionary measure for contingency planning, asked 10% of its entire workforce to work from home to test their global remote access capabilities.
Working from home is no longer just a perk to offer employees, but a critical alternative to keep your business running.
To fully enable a productive remote workforce, organizations need to make working from home seamless. They need to offer a smooth user experience while making sure that systems and data remain secure. In order to evaluate whether your remote working procedures are effective, here are a few questions to consider:
Is your organization moving towards an enterprise-wide Zero Trust strategy, or are you still relying on your network as your main security perimeter?
Does your organization have strong, intelligent authentication mechanisms in place beyond passwords?
Is your organization prepared for a majority of your workforce to work remotely? Can they use their own devices?
Can your organization control access beyond the network to the application, data and API layers?
Think Beyond Network Perimeters
For many years, virtual private networks (VPNs) have been the default solution for enabling remote access to work resources. However, the notion that a VPN should legitimize employee access to all of a company’s resources is outdated. In fact, VPNs have been the source of some high-profile hacks and were even the subject of an NSA advisory.
Instead of solely relying on VPNs, organizations need a strong identity foundation. That means implementing Zero Trust principles, where by default no network traffic is trusted. Instead, everyone and everything must be verified via centralized authentication services relying on capabilities like single sign-on (SSO) and multi-factor authentication (MFA). By implementing strong, centralized authentication, organizations are less susceptible to the inherent weaknesses of VPNs. In addition, with an identity foundation based on Zero Trust, organizations can control access beyond the network to assets like applications, data and APIs.
Reduce Passwords Wherever Possible
In terms of security, strong authentication becomes even more critical when your employees are working from home. Passwords alone are not enough; it’s time to augment or replace them with smarter, more secure authentication factors. Using other factors can also result in increased productivity. For example, location tracking can be done in the background and continuously verify employees without interrupting their work.
Multi-factor authentication can mitigate many of the security and productivity issues that come with employees accessing critical business resources from home. It does this by layering various combinations of authentication factors:
Knowledge: Something you know (e.g., password, security questions, etc.)
Possession: Something you have (e.g., Yubikey, smart card, etc.)
Biometric: Something you are (e.g., fingerprint with TouchID, facial recognition with FaceID, etc.)
Behavioral: Something you do (e.g., how you type, hold your phone, etc.).
Leveraging easier, more secure factors than passwords gives enterprises the option of reducing password use or going completely passwordless. To reduce password use, organizations often extend the length of user sessions from days to weeks, only requiring password entry during this extended session when a new device is used to sign on. Organizations can also implement rules around longer sessions, such as only extending session length for users logged in from known locations like a corporate office.
The next stage of maturity is passwordless login, where an alternative factor (fingerprint, authenticator app, security token, etc.) becomes the primary method of authentication. Further down the path of maturity is a bypass of both the username and password in a “zero login” scenario, enabled by storing a cookie on the employee’s device.
When talking about passwordless authentication, we would be remiss if we didn’t also mention Fast Identity Online (FIDO), a global alliance committed to solving the world’s password problem. By design, the FIDO standard for authentication does not allow passwords to be used under any circumstances. The Ping Workforce360 solution includes support for FIDO authentication methods including device biometrics, security keys and Windows Hello to increase resistance to advanced phishing attacks, password theft and replay attacks for web authentication.
Examine Your BYOD Strategy
Companies that are shifting to remote work out of necessity may not have the budget or time to issue employees trusted, pre-configured corporate devices. Allowing employees to bring their own devices (commonly known as BYOD) is not only a growing trend but perhaps the only option available in the short term. In order to make BYOD a reality and ensure employee productivity, enterprises require central authentication services that can easily integrate with and leverage signals from mobile device management systems (MDMs).
The integration of your user base and applications with your MDM can be accomplished with a strong identity foundation. Ensure that your central authentication services include easy admin set-up and quick user adoption. From there you can implement MFA to realize the benefits of user-friendly authentication methods (fingerprint, facial recognition) and contextual identifiers (detecting jailbroken devices, user location).
Implement Smarter, Adaptive Access Policies
Network, password and device security are crucial aspects of employee access, but there’s still more to secure. Organizations may be using outdated web access management tools to manage authorization policies for critical legacy or mainframe applications, but they struggle to secure modern resources like single page apps (SPAs), mobile apps and SaaS. They also may not be giving enough consideration to securing the data or API layers. Enabling adaptive access security is crucial to ensuring your workforce has the right access without introducing unnecessary friction.
The first step toward adaptive access security is to create a centralized authentication service that can extend across all your resources, whether they live in the cloud or on-premises. Once those centralized authentication and authorization policies are in place, you can introduce fine-grained authorization at the data level and analyze API traffic to learn, detect and block potential threats. But this shouldn’t come at the cost of productivity. Smart policies based on dynamic risk scoring can grant access to a user, require step-up authentication if necessary or deny access altogether.
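The grant, step-up or deny decision described above can be sketched as a small policy function. This is an added example, not code from Ping or any product; the signal names, weights and thresholds are assumptions chosen for illustration, and the sample requests are constructed.

```python
from dataclasses import dataclass

# Hypothetical thresholds and weights, for illustration only.
STEP_UP_THRESHOLD = 30
DENY_THRESHOLD = 70


@dataclass(frozen=True)
class AccessContext:
    known_device: bool          # device has been seen before for this user
    mdm_compliant: bool         # MDM reports the device as managed and compliant
    jailbroken: bool            # contextual signal from the device
    known_location: bool        # e.g. a corporate office
    resource_sensitivity: int   # 0 = low, 1 = medium, 2 = high
    mfa_satisfied: bool         # a second factor was already presented


def risk_score(ctx: AccessContext) -> int:
    """Add up the risk contributed by each contextual signal."""
    score = 0
    if not ctx.known_device:
        score += 30             # a new device alone is enough to trigger step-up
    if not ctx.mdm_compliant:
        score += 15             # typical for unmanaged BYOD
    if ctx.jailbroken:
        score += 70             # reaches the deny threshold on its own
    if not ctx.known_location:
        score += 20
    score += 10 * ctx.resource_sensitivity
    return score


def decide(ctx: AccessContext) -> str:
    """Return 'allow', 'step_up' or 'deny' for one access request."""
    score = risk_score(ctx)
    if score >= DENY_THRESHOLD:
        return "deny"           # MFA does not rescue a request this risky
    if score >= STEP_UP_THRESHOLD and not ctx.mfa_satisfied:
        return "step_up"        # ask for an additional factor
    return "allow"              # low risk: no added friction


if __name__ == "__main__":
    # Constructed sample requests.
    office = AccessContext(True, True, False, True, 0, False)
    byod_home = AccessContext(True, False, False, False, 1, False)
    jailbroken = AccessContext(True, False, True, False, 2, True)
    for name, ctx in [("office", office), ("byod_home", byod_home),
                      ("jailbroken", jailbroken)]:
        print(name, risk_score(ctx), decide(ctx))
```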
Embrace Identity Intelligence
For a majority of organizations that have embraced cloud, mobile and “as-a-service” products, the days when the network was the security perimeter are in the past. Organizations need an identity solution that can operate at the speed and scale they’re used to. They also need a solution that can integrate with their existing technology stack and support open standards to future-proof their investments in new technologies.
Identity intelligence enables this vision by connecting all the resources within your enterprise, receiving contextual signals from multiple systems and working across the silos that have grown over time. It’s the ability to ensure secure access without introducing barriers. It serves as the organizational brain that can enforce smart policies with split-second decisions leveraging various sources such as devices, user directories, AI and fraud signals. With intelligent identity in place, your organization can break down the barriers between remote and office work and deliver exceptional employee experiences.
How Ping Can Help
The largest enterprises in the world trust Ping Identity to enable their remote workforces at scale. They use our intelligent identity solutions to speed up their businesses and allow their employees to get things done, no matter where work happens. Our platform, built on open standards to ensure extensibility and combined with our market-leading integration capabilities, ensures that all of your resources are covered.
To support organizations in this transition, we’re offering up fast, free usage of selected Ping products. For organizations new to Ping, we are offering cloud-based single sign-on and multi-factor authentication. And for existing PingFederate workforce customers, we are offering free multi-factor authentication. These products can be deployed rapidly across unlimited users and applications, keeping your work-from-home employees secure and productive.