The Post-Pandemic Workforce Requires Greater Identity Security To Achieve The New Normal

Forbes Technology Council

Richard Bird is Chief Customer Information Officer at Ping Identity. He is a sought-after speaker on digital identity and data privacy.

It’s no surprise that 2020 saw a massive shift of workers to virtual environments. What was surprising was how well the remote model worked for a majority of companies — so much so that major employers have announced they’re permanently embracing a remote workforce when post-pandemic normalcy returns. It makes good business sense, as a recent study found that 94% of companies said worker productivity was the same or higher than it was prior to the pandemic quarantine.  

Yet this transition has also seen increasing trepidation among business leaders in keeping employees, customers and operations safe from cyber threats. Specifically, the shift to remote work is driving new investments in information security talent and technology, despite the challenging economic conditions. 

Our company recently commissioned a survey of senior executives worldwide on how the pandemic reshaped their IT resources and strategies, and we learned that many expect to have a portion of their workforce working remotely long term. Nearly half (47%) of executives expect a large segment of their workforce to work three or more days away from the central office in 2022.

This shift has triggered an urgent need for organizations to invest in identity and access security capabilities in a quest to implement zero-trust security models for their dispersed workforce and expanded online customer base. The zero-trust (“never trust; always verify”) approach treats everyone as a potential threat and prevents access to data and resources until they are verified. Business leaders believe this transformation will address new challenges around security and compliance as well as boost employee productivity. Their goal is to deliver a superior online experience for employees and customers, regardless of where work gets done.

How deep did these security concerns run? Consider these spend estimates laid out in the report: 

• “85% of executives surveyed said that investments in identity security are critical to their company’s mobile and overall user experience.”

• “71% of executives believe their company’s investments in zero trust will increase over the next year.”

• “55% have invested in new identity security capabilities since the start of the pandemic.”

• “60% have increased their spending on strategic identity-related investments as a result of remote working and 69% of executives expect investment in AIM capabilities to increase over the next year.”

Their investments are warranted. These companies experienced a sudden jump in employees working remotely, with few contingency plans in place for the impact on their security infrastructure. With employee productivity and customer engagement shifting to online, IT departments were forced to take more responsibility for both security and business performance.

Nearly half of IT departments found themselves scrambling to provide new, safer passwords for employees’ home routers and Wi-Fi networks (44%), helping tether mobile devices for backup access (42%) or supplying additional routers (30%). And the use of multi-factor authentication (MFA) nearly doubled because of the pandemic.

These moves were part of a major shift toward the adoption of zero trust rather than continuing security strategies that rely on corporate networks, the survey found. Companies had to quickly evaluate if employees remotely accessing corporate resources would overwhelm their identity management systems. The long-standing use of virtual private networks (VPNs) to give employees remote access wasn’t sufficient anymore because companies couldn’t trust employee identities. In fact, Zscaler’s 2021 VPN Risk Report found that most organizations (72%) plan to ditch VPNs altogether. 

Moving to a comprehensive zero-trust architecture will require significant changes in how an organization authenticates people, devices, applications, transactions and other activity on the network. First and foremost is how to intelligently authenticate each user. Individuals will need to prove their identities with multiple pieces of evidence, also known as multi-factor authentication. The combination of factors often breaks down into a piece of evidence that the user knows, such as a password, a device they own, like a smartphone, and perhaps a biometric factor such as facial recognition or fingerprint. Different levels of activities and security risk may require employing different levels of multi-factor authentication. 

But authenticating users alone isn’t sufficient for achieving zero trust. Even properly authenticated users can fall prey to using compromised devices. Authenticating devices is just as critical, as compromised devices can be exploited to obtain things like enterprise data and passwords. Authenticating the device ensures that the user is working with validated, trusted hardware.

Even if the device has been proven not to have been tampered with, it could be missing a security patch. That’s why it’s also critical to authenticate the application running on the device. For example, malware could fool an individual into using an impostor application.

Lastly, if a transaction is taking place, it must also be authorized. Security systems that employ a central authorization engine typically determine whether a user is allowed to make the transaction, with the default setting being “no” until sufficient authentication is established. Leverage a risk scoring system using weighted variables including behavioral biometrics, continuous authentication, time or location to identify if the transaction is malicious or not.
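The default-deny transaction check and weighted risk score described above, sketched as an added example (not code from the survey, the author or any product). The signal names, weights, thresholds, the `Request` fields and the `authorize` function are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Constructed weights and thresholds for illustration; a real engine tunes these.
WEIGHTS = {"behavior_anomaly": 0.4, "session_drift": 0.3,
           "unusual_time": 0.1, "unusual_location": 0.2}
STEP_UP_AT, DENY_AT = 0.3, 0.6

@dataclass
class Request:
    factors: set          # verified factor types: "knowledge", "possession", "biometric"
    device_trusted: bool  # device authentication passed
    app_trusted: bool     # application authentication passed
    amount: float         # transaction value
    signals: dict = field(default_factory=dict)  # each signal in [0.0, 1.0]

def risk_score(signals):
    """Weighted sum of risk signals; a missing signal counts as worst case (1.0)."""
    return sum(w * min(max(signals.get(name, 1.0), 0.0), 1.0)
               for name, w in WEIGHTS.items())

def authorize(req, high_value=1000.0):
    """Return (decision, reason). The answer is "deny" unless every check passes."""
    if len(req.factors) < 2:
        return "deny", "fewer than two authentication factors"
    if not req.device_trusted:
        return "deny", "device not authenticated"
    if not req.app_trusted:
        return "deny", "application not authenticated"
    score = risk_score(req.signals)
    if score >= DENY_AT:
        return "deny", f"risk score {score:.2f} too high"
    # Higher-value or higher-risk activity requires a stronger level of MFA.
    needs_third = req.amount >= high_value or score >= STEP_UP_AT
    if needs_third and "biometric" not in req.factors:
        return "step_up", f"biometric factor required (risk {score:.2f})"
    return "allow", f"risk score {score:.2f}"

if __name__ == "__main__":
    calm = dict.fromkeys(WEIGHTS, 0.0)  # constructed sample signals
    req = Request({"knowledge", "possession"}, True, True, 5000.0, calm)
    print(authorize(req))
```

Treating an absent signal as worst case keeps the engine from allowing a transaction simply because telemetry was never collected.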

As this digital transformation acceleration continues, I believe identity and zero trust need to be central in all major business decisions to deliver the level of customer experience expected by modern employees and customers.


Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.