Why CIOs are Prioritizing and Investing in Identity and Access Management

  August 13th, 2020

CIOs and IT leaders have two major priorities right now. The first is dealing with new cybersecurity challenges created by remote work. The second is how to make sure working from home is efficient, secure, and productive.

That’s what a recent survey, conducted by Pulse on behalf of Hitachi ID, found. When asked about their priorities for the rest of 2020, 89% of IT leaders said cybersecurity, while 82% said enabling a remote workforce.

When it comes to their cybersecurity goals, 43% of respondents said they were investing in identity and access management, the most of any of the tools listed. Some 34% are investing in endpoint security, and 17% are pursuing security awareness training.

Why are so many companies prioritizing IAM and how will these trends play out in the years ahead?

I recently talked to TechRepublic reporter Karen Roby about the survey results, the drivers behind IT leaders’ priorities, and what companies everywhere are realizing about remote work.

Read the press release and full survey results to learn more about CIOs’ budgets, priorities, and goals for the rest of the year.

Lessons Learned from Remote Work during Covid-19

  June 5th, 2020

For the first time, due to Covid-19, many companies experienced what it’s like to have a fully remote workforce. The experience has had both highs and lows, with some companies questioning whether they need as much office space as they used before, while others struggled to keep up with the pace of change to ensure every employee remained productive without becoming a security risk. 

Now, many companies continue to work remotely while others are heading back to the office. It’s a moment to take stock of how you handled the switch to fully remote work and what you need in place both now and in the future. Use this time to take what you learned and empower those working from home by preparing for any disruptions in the future, whether it’s a second wave of the virus, a natural disaster, or even a power outage. 

Here are some of the challenges companies faced while working from home, and what they can put into place to improve their work from home capabilities. 

Challenges companies have faced while fully remote

Before the pandemic, some companies were already fully remote, others had a handful of telecommuters, and some had never had any employee work from home. While there was a wide range of experiences, there were some common challenges: 

1. Breakdown of processes for legacy remote workers. Employees who worked remotely before Covid-19 were better prepared than most for the pandemic. But because they could no longer visit the office, some processes, especially around passwords, started to break down. For example, if they’re not using a VPN, they might not be warned of an expiring password. If they change their password remotely and then forget it, under some circumstances, they might be locked out until their device is back on the network, where the help desk can address the issue. 

2. Processing mass numbers of access requests. As most or all of your employees switched to remote work, processing access requests to remote work services, from VDI logins to MFA applications, quickly became overwhelming. 

3. Rapid migration to SaaS applications. Whether for security, convenience, or any number of other reasons, you may have needed to quickly migrate some services to the cloud. By switching from on-premises Exchange to Office 365, for example, you could give users access to the services they need while still maintaining security, even if users didn’t have a corporate-issued laptop or VPN connection. But these decisions were likely made in a scramble.  

4. Quickly establishing VPNs or VDI. If users had to access certain on-premise applications, you might have had to quickly acquire more VPN licenses and bandwidth, or establish VDI, depending on whether employees are using corporate devices or personal laptops. 

5. Opening new security risks. An uptick in SaaS applications and VDI use also means you have more public-facing logins, and thus a larger attack surface for hackers who might try to guess or socially engineer their way into your system.

How to support remote work, both now and for future disruptions

Organizations have handled these challenges as best they could given the circumstances. But now that you have time to step back and reassess what you have and what you might need, you can procure new technology that both fits user needs and gives your workforce more flexibility in where they conduct business. 

Here’s a list of technologies to consider:

1. VOIP or softphones. If you don’t already use these for your telephone service, it’s worth a look so that users can simply take their desk phones home from work, plug them into the wall, and get the same call quality with the same phone number as they have in the office. This also frees employees from having to use their personal mobile or home phone for work calls. 

2. Videoconferencing. Everyone got a crash course in Zoom and other video conferencing software, but what you chose as a quick fix might not be the best platform for your organization. There are a number of options to choose from, including Google Meet, Microsoft Teams, WebEx, and others, all with different features and options. Take some time to determine if you have the best software for your employees’ needs. 

3. Expanded VPN resources. If you saw an uptick in requests for VPN connections, you’re going to need more VPN licenses, and you might also need more bandwidth and CPU capacity to handle more concurrent connections. Assess your current and future needs. 

5. Expanded VDI server farms. If users can’t take their corporate device home, they often use their personal device for work, which can introduce any number of security risks. If this is the boat your company is in, VDI is the way to go. The more users that need this, the more capacity you’ll have to set up to serve them. 

6. Procure mobile devices. There are certainly use cases for desktops, but in many cases, a laptop will allow the vast majority of your employees to do their jobs effectively no matter where they’re working from. Make it a point to supply them with corporate-owned laptops, tablets, or other mobile devices so they don’t have to use their home computer when telecommuting. It’ll keep workers productive and your systems more secure. If your company decides to do this, then consider deploying full disk encryption such as BitLocker, Check Point, or McAfee.

7. License MFA and other access management technology. MFA, preferably via smartphone apps, reduces the risk of intrusion through publicly accessible logins that only ask for a password. In addition, identity access and privileged access management tools can help you more easily manage passwords and identities, add MFA and federated access, strengthen authentication, and avoid many of the security risks of remote work. 

Whether your organization plans to keep employees remote for the rest of the year or you’ve already started to bring workers back to the office, the work from home situation we all experienced gives you a lot to think about. 

Take time to revisit the challenges you experienced and how you could avoid them next time. The lessons you take away and the solutions you identify will make your company and your employees more flexible, productive, and secure.

Hitachi ID and Pulse surveyed 100 North American C-suite executives at enterprise, mid-sized, and small companies in May 2020. In the survey, 95% of North American CIOs reported remote work issues during the pandemic lockdown. Employee password lockouts and inability to access on-premise applications were among the top challenges. Get a full copy of the report.

Secure Remote Access for Vendors

  May 29th, 2020

IT work doesn’t wait for a virus, and with some of your vendors working remotely both now and for the foreseeable future, reviewing how they access your systems is critical to ensuring timely IT work without opening yourself to any security risks. Now is a good time to check up on your vendor security. 

These guidelines should sound familiar, since they’re basic features of a modern privileged access management (PAM) system. But they bear repeating: 

DO: 

  • Use multifactor authentication
  • Implement robust authorization models
  • Perform detailed forensic audits

DON’T:

  • Use static passwords
  • Lose track of shared passwords

Beyond these points, there are seven steps to securing vendor access, especially when they’re working remotely:

1. Delegate

Choose a trusted individual at each vendor to manage the users from their organization. For example, if you work with Dell, Hitachi Vantara, Oracle, and Microsoft, you should have four people—one from each—managing the access for their organization. 

Make sure the list of users with access remains small at each organization, but otherwise delegate the responsibility for who deserves a place on that list. 

2. Authenticate  

Don’t just use passwords. Make sure vendor logins are securely authenticated using multiple factors. Your preference should be for app-based multi-factor authentication (MFA). That way, any turnover at the vendor is less disruptive than if users have a physical token they need to return or hand off to another user. 

3. Confirm

Another option to authenticate users is to make sure a given user still works for your vendor when they sign in. Send a PIN to the user’s work email, and if they no longer work for the vendor, they won’t be able to access the email, the PIN, or your systems. 

4. Request and approve

Vendor users should connect only when you request specific work to be done. Set up a request and approval workflow before allowing vendors to sign in to your systems to ensure you’re aware of every login. 

5. Do Not Disclose

Best practice is not to disclose the password unless necessary. Instead, launch the vendor user directly into SSH, RDP, SQL Studio, etc.

6. Monitor

Record all vendor activity in your systems, and if you think it’s necessary, watch in real time. This way you not only have a record of the work completed, you also discourage—or quickly catch—any unauthorized activity.   

7. Protect

Don’t let vendors connect their devices to your VPN. Use a proxy, like virtual desktop infrastructure (VDI) or a web browser login. That way you don’t have to vet every device for security because those devices stay outside your network perimeter. 

All of these steps are best practices for granting elevated access to third parties and should be in place for all of your vendors. Of course, managing privileged access, especially across potentially dozens of vendors, can be time consuming and difficult. This is where a PAM system can help you simplify the process and ensure security while giving your vendors access to the systems they need to deliver quick and effective service.

Learn more about how PAM systems can support your business.

Solve the Four Biggest Remote Work Login Problems

  May 15th, 2020

Remote work has achieved a new peak so far in 2020. Some 62% of employed Americans said they have worked from home during the COVID-19 crisis. This large-scale experiment will have a lasting impact, as 74% of CFOs surveyed by Gartner expect at least some of the workers pushed remote by the virus will continue to work from home even after offices reopen. 

Not surprisingly, the sudden transition to remote work hasn’t been all smooth. Companies are still dealing with a number of issues, from security to maintaining productivity. Others (us included!) are facing new challenges such as setting up employees on operating systems outside the company norm. Access to applications and data employees need to do their work can be particularly fraught. Here’s how to get a handle on four of the most common login issues companies are experiencing right now. 

1. Secure logins from attackers

Many companies have adopted or expanded use of SaaS applications, or are using virtual desktop infrastructure (VDI) to get everyone working from home, but these options often have public-facing login pages that could put your organization at risk. More public-facing logins mean more risk and more opportunity for external attackers, who may try to guess passwords or obtain them through social engineering. 

There are a few ways to ensure your credentials remain secure despite public login pages: 

  • Externalize login screens. Rather than having a public-facing login page for every SaaS application, you can consolidate them on a single platform so users have one login page, with single sign-on, that’s more secure.  
  • Add multi-factor authentication (MFA). This should be standard practice, but many organizations and users still haven’t adopted it. Only 57% of organizations were using MFA at the end of 2019, and while that’s up 12% over 2018, it’s still low. Implement an MFA technology, preferably via a smartphone app, to add an extra layer of protection. 
  • Don’t ask for passwords first. The same goes for PINs and answers to security questions. These factors can be easy to guess. Require employees to use a hardware token, enter a PIN sent to their phone, or use a smartphone app to confirm they’re authorized before you ask for a password.
  • Consider using CAPTCHAs. By making this the first step in authentication, you can ensure it’s a human attempting to sign in, not a bot programmed to attack the page.  

2. Enable remote password assistance

There are several issues that companies can run into specifically around passwords. If you haven’t experienced them already, look for: 

  • Expiring or expired passwords. Off-site users may not receive notification that their passwords are expiring if they’re not using a VPN. The passwords will still expire even if the user doesn’t know it’s happening. Consider other ways to notify users of expiring passwords and give them the opportunity to update their credentials remotely. Another option is to temporarily delay the expiration until the office reopens. 
  • Forgotten passwords. This is usually an easy problem to solve when a user can visit a help desk and their computer is connected to the corporate network. But with employees remote, forgotten passwords can become a bigger issue and even leave users with inoperable devices. Make sure you have some kind of remote mechanism to reset forgotten passwords. 
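
As an added example (not part of the original post and not any vendor's product code), the following Python shows one way to find users whose passwords are about to expire but who have not been on the corporate network to see the usual warning, so they can be notified by email instead. The record fields, the 90-day maximum age, and the 14-day warning window are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Assumed policy values for this example; set them to match your directory.
MAX_PASSWORD_AGE = timedelta(days=90)
WARN_WINDOW = timedelta(days=14)


def day(year, month, dom):
    return datetime(year, month, dom, tzinfo=timezone.utc)


def account(uid, password_set, last_on_network, never_expires=False):
    # Hypothetical record layout: a directory export joined with the last
    # time the account was seen on VPN or the office network.
    return {"id": uid, "email": uid + "@example.com", "enabled": True,
            "never_expires": never_expires, "password_set": password_set,
            "last_on_network": last_on_network}


def plan_expiry_notices(users, now):
    """Sort accounts into those to warn by email and those already expired.

    A user who has been on the corporate network since the warning window
    opened is assumed to have seen the normal logon prompt and is skipped.
    """
    plan = {"warn": [], "expired": []}
    for user in users:
        if user["never_expires"] or not user["enabled"]:
            continue
        expires = user["password_set"] + MAX_PASSWORD_AGE
        if expires <= now:
            plan["expired"].append(user["id"])  # needs a remote reset path
            continue
        warn_from = expires - WARN_WINDOW
        if now < warn_from:
            continue  # not yet inside the warning window
        seen = user["last_on_network"]
        if seen is None or seen < warn_from:
            days_left = (expires - now).days
            plan["warn"].append((user["id"], user["email"], days_left))
    plan["warn"].sort(key=lambda row: row[2])  # most urgent first
    return plan


# Constructed sample data for illustration.
SAMPLE_USERS = [
    account("alice", day(2020, 2, 25), day(2020, 3, 13)),  # off network since March
    account("bob", day(2020, 2, 20), day(2020, 5, 12)),    # on VPN this week
    account("carol", day(2020, 1, 10), day(2020, 3, 13)),  # expired in April
    account("dave", day(2020, 4, 20), None),               # changed recently
    account("erin", day(2020, 2, 18), None),               # never seen on network
    account("svc-backup", day(2019, 1, 1), None, never_expires=True),
]

if __name__ == "__main__":
    plan = plan_expiry_notices(SAMPLE_USERS, now=day(2020, 5, 15))
    for user_id, email, days_left in plan["warn"]:
        print(f"email {email}: password for {user_id} expires in {days_left} day(s)")
    print("already expired, route to remote reset:", plan["expired"])
```
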

3. Tighten access after layoffs and furloughs

If you’re one of the many organizations that has had to furlough or lay off workers in the uncertain economic climate, you’ll have to close off their access either temporarily or permanently. There are a couple ways to do this. You can create a request and approval workflow that has you deactivate login IDs and set a status for each user. For permanent layoffs, you’ll need to take additional steps to move and archive that user’s content. 

The other option is to automate the process based on certain data and criteria, which can be set up in an identity and access management tool. When furloughed workers return, it’s just a matter of reversing the process to get them back up and running.  

4. Follow best practices for vendor access

Just like you, your vendors are probably working from home. When you need IT work done, you’ll need to grant them remote access.  

Make sure you’re following best practices for granting elevated access to third-party users: 

  • Designate a point person. One trusted user from every vendor should be in charge. Appoint that person to manage the short list of users from their company who need access to your systems. 
  • Keep vendors off your VPN. Don’t allow your vendors to connect their devices to your VPN. Use another method so you can keep the vendor’s device outside the network perimeter and reduce your attack surface. For example, use a proxy server for vendor devices to safely communicate with your servers without directly connecting to your network.
  • Double check they’re still employed. Any time a vendor logs in, double check they still work for that company. One way to do this is sending a PIN to their work email that they must enter to log in. If they no longer work for that vendor, they won’t have access. 

Secure access while working from home

Many organizations have quickly adapted to working from home, but there are a number of challenges you’re likely facing right now. With your users scattered, it’s even more important to consider security, who has access to what, and how to quickly resolve problems like forgotten passwords to keep employees productive no matter where they’re working. With increased distance and risk, now is the time to get serious about bolstering security as your workforce transitions to a new normal.

Three Password Issues that Could Complicate your Post-Covid-19 Return to the Workplace

  May 8th, 2020

The return to the office is coming. Some companies will bring workers back sooner, others later. Some will stagger the returns, others will open their doors to everyone at once. Some will have a smooth transition, others will find it just as disruptive as the sudden switch to remote working. 

There are plenty of variables to plan for, from checking up on devices that haven’t been used in months to maintaining security during the transition. As you put together a return strategy, don’t forget to plan for password snafus that could leave employees sitting around on their first day while the support desk scrambles. 

Three password issues in particular are likely to arise, and formulating a plan now will ensure everyone has access to the systems and applications they need once they’re back at their desk. Make sure you’re planning for all of the following. 

1. Changing forgotten or expired passwords. 

After months of working from home, getting back into the swing of things will be tough, especially for employees that haven’t used certain systems or applications remotely. Furloughed employees face an even steeper climb. 

No matter the circumstances, you’ll likely have users who have either forgotten their passwords or had their passwords expire during the crisis. 

To avoid overwhelming your IT support team on the first day back, it pays to plan ahead. Do the following: 

  • Estimate how many users will need help. Based on who hasn’t signed in for an extended period and who had been furloughed, you can get a sense of how many people will need help logging in on their first day back. 
  • Scale your password reset strategy. For example, you could provide users a one-time-only link with an embedded random PIN. When they click, they sign into the password reset system and select a new password. That way they can reset their password without having to guess at security questions they may have forgotten the answers to. 
  • Communicate the plan. Connect with the users you expect will need help, explain the situation and process, and advise on how they should change forgotten or expired passwords. 
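
As an added example (not from the original post and not any product's implementation), here is one way to build the one-time-only link with an embedded random PIN described above; the same issue-and-redeem pattern fits the PIN sent to a vendor user's work email in the earlier posts on this page. The URL, the 24-hour lifetime, and the in-memory store are assumptions, and delivering the link by email is left out.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed values for this example; not from the original post.
RESET_BASE_URL = "https://reset.example.com/start"
LINK_TTL_SECONDS = 24 * 3600


class OneTimeLinkStore:
    """In-memory store for pending links; a deployment would use a database."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._pending = {}  # user_id -> (SHA-256 of PIN, expiry timestamp)

    def issue(self, user_id):
        """Create a reset link with an embedded random PIN for one user."""
        pin = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(pin.encode()).digest()
        # Only the hash is kept, so a leaked store cannot be replayed.
        # Issuing again overwrites, and so invalidates, any earlier link.
        self._pending[user_id] = (digest, self._clock() + LINK_TTL_SECONDS)
        return RESET_BASE_URL + "?" + urlencode({"u": user_id, "pin": pin})

    def redeem(self, url):
        """Return the user id if the link is valid, else None. Single use."""
        query = parse_qs(urlparse(url).query)
        user_id = query.get("u", [""])[0]
        pin = query.get("pin", [""])[0]
        record = self._pending.get(user_id)
        if record is None:
            return None
        digest, expires_at = record
        presented = hashlib.sha256(pin.encode()).digest()
        if not hmac.compare_digest(digest, presented):
            return None  # wrong PIN: the genuine link stays usable
        # Correct PIN: remove the record whether or not it has expired,
        # so the link can never be presented a second time.
        del self._pending[user_id]
        if self._clock() > expires_at:
            return None
        return user_id


if __name__ == "__main__":
    store = OneTimeLinkStore()
    link = store.issue("jdoe")  # constructed user id
    print("first use :", store.redeem(link))
    print("second use:", store.redeem(link))
```

After a successful `redeem`, the reset system would let that user choose a new password without asking security questions.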

2. Reactivating access for furloughed employees.

Millions of Americans have been laid off or furloughed since mid-March. If your company has a high number of furloughed employees, you’ll need a strategy for how to reactivate their access. Plan for one of these scenarios: 

  • Everyone returns on the same day. Like handling forgotten passwords, this can easily become overwhelming. Look to automation. By automating the reactivation process using a list of identities, you can get everyone up and running a lot faster and more smoothly. 
  • Employees return gradually. If only a handful of users need to get back online on any given day or week, it’s better to handle the cases one by one. Create a request and approval workflow that everyone can follow as they return. 

In either case, look to an IAM solution to more easily toggle users back into action when they return to work. 

3. Review who has access to what. 

A lot has changed since March, and everyone will be returning to work in a new world. Some people might have new or different roles and responsibilities. It’s time to review everyone’s access rights. 

I know, that’s a huge undertaking. Which is why this is one project where you should bring in managers to divide and conquer. 

Invite managers to review the data for each of their employees to approve their access levels based on their current job responsibilities. By turning to the people most aware of each user’s role, you can enlist them to make short work of this review process. 

Again, an IAM tool will help you efficiently review and update who has access to what and whether that access is still valid.

Returning to the workplace doesn’t have to be disruptive

The workplace we’ll return to will not be the workplace we left, at least for a while. There are plenty of logistical and IT challenges you’re probably planning for to ensure the return is smooth and keeps everyone productive. 

By including these three potential password issues in your plan, you can ensure everyone is off and running, with access to everything they need, as soon as they’re back at their desks.