New Articles

Why the Keys to Maintaining Data Security in a Remote Environment are Control and Visibility

data security

Why the Keys to Maintaining Data Security in a Remote Environment are Control and Visibility

Remote workforces are nothing new to most organizations. According to Buffer’s 2019 State of Remote Work report, 44% of respondents noted that at least part of their team was “full-time remote,” and 31% said that everyone on the team works remotely. Further, at the time of the report, 30% of respondents said that their entire company worked remotely. However, the COVID-19 pandemic accelerated the work-from-home model. By March 31, 2020, the percent of users working remotely had increased 15 percentage points since the start of the COVID-19 outbreak. With that in mind, organizations are assessing how they can maintain granular levels of control and visibility when business data is being accessed remotely.

Adopting Contextual Controls to Protect Data

Most organizations already leverage role-based access controls. These controls, which align data access privileges and job function resources, provide a baseline for data governance. However, they often lead to excessive levels of data access and, in turn, produce additional risks. Contextual controls enable an organization to dynamically control access to data during varying contexts of access, often aligning to least privilege best practices. Migrations to cloud applications are largely due to contextual controls being a business requirement, simply because the interconnected applications required a more dynamic approach.

With the move to a remote workforce, organizations need to create more detailed and more dynamic access controls. With attribute-based access controls (ABAC), a company can incorporate additional context such as geolocation, time of day, and IP address to both ensure the appropriate user is accessing the resources and prevent users from having more access than they need. For example, if the organization knows that an employee should be working from Connecticut, ABAC can prevent access to resources if the user’s location is suddenly California – or a foreign country.

Contextual controls provide both the prevention of access policy violations, along with alignment between business requirements and security protocols. Because the organization can limit access according to the principle of least privilege, it reduces the risk of data leakage and financial fraud. Meanwhile, by creating more granular, data-centric access privileges, an organization can ensure that users do not get too much or not enough access – limiting the potential negative effects of restricting access excessively.

User Activity Monitoring for Security and Managing Productivity

Monitoring user access to resources and tracking how users interact with data provides an additional benefit for many organizations as their workforces move towards a remote model. Most organizations recognize the benefit of monitoring user access – but not just instances of logging in and logging out of applications. Understanding data access and usage is now a key requirement when maintaining visibility over business data. Organizations are turning to analytics platforms that both include granular access details, along with a visualization element (for example, SIEM). Data is only as useful as the insights it provides, and rapid aggregation and visualization of user access data is a crucial requirement for data security.

Using “Virtual” Work Hours

Looking at a common security use case, many organizations leverage “virtual” work hours to detect anomalies. For example, an employee usually works between the hours of 8 AM and 6 PM but monitoring and alerting to activity around sensitive data at 3 AM, for instance, can be indicative of unauthorized behavior. This uncharacteristic behavior may be an anomaly, but the organization needs to monitor the user activity more closely. If the user denies accessing the information at 3 AM, then the organization needs to focus its monitoring and have the employee change their password. If the organization detects additional unusual activity, then it may need to review the employee’s activities or investigate a potential data breach.

Monitoring User Productivity

From a workforce management perspective, organizations can leverage these insights to review employee productivity. Two use cases present themselves. First, many organizations have contracts that stipulate late payments incur a late fee. If the organization knows that employees should be processing payments ten days prior to the payment date, then they can leverage these reports to ensure that employees meet their timelines, even from a remote location. Additionally, by tracking resource usage data, organizations can monitor whether workforce members are appropriately prioritizing their workdays. If the employees are only accessing a business application at the end of the month, then they are likely waiting until the last minute to input payment information. Preventing these potential revenue losses or rush projects in other areas by speaking with the employee enables the organization to stay on top of its financials.

Enabling Visibility for Business Applications Has Never Been More Critical

Creating trust within and across distributed workforces ensures productivity. However, continued status update meetings across multiple time zones decrease workforce member efficiency. Organizations already monitor user access to their systems, networks, and applications. As part of a robust security posture, organizations should apply protections at the new perimeter – user identity. Rather than micromanaging employees via emails or chats, managers can gain valuable insight into how users are accessing resources and prioritizing work schedules by reviewing data and resource usage.

In an unprecedented time, companies need to find ways to enable their levels of control and visibility over business data. Whether a business application is on-premise or in the cloud, enhancing these solutions should be a mission-critical objective.

Risks against an organization are prevalent in a remote environment, whether those risks are security-related or employee-related by fraud, theft, and error. The keys to maintaining data security ultimately lie in your ability to provide oversight for your data, and the time to act is now.

_______________________________________________________________

Piyush Pandey, CEO at Appsian (www.appsian.com ) is a technology executive with 18 years of global experience in strategy, sales, mergers & acquisitions, and operations within software companies. Over the last 10 years, he has worked with enterprise software companies including Oracle, Epicor, Concur, Citrix and Microsoft on various transactions. He has held various leadership positions at Procera, Deutsche Bank, Stifel, Wipro Technologies and a wireless startup.

working from home

New to Working from Home Full-Time? Here’s How to Stay Productive.

As the coronavirus pandemic threatens public health and the U.S. economy, more people are working from home on a regular basis. The move follows social distancing guidelines as an attempt to slow the outbreak, but keeping scattered workforces connected and productive can be challenging for managers and employees.

“This is new terrain for all involved, but employees and their companies can come out of this stronger by learning how to work together even better while they’re physically apart,” says Dr. Jim Guilkey (www.jimguilkey.com), author of M-Pact Learning: The New Competitive Advantage — What All Executives Need To Know.

Optimally, working remotely can sharpen the skills you have and open new avenues of training that broaden skill-sets and increase results. But technology alone can’t smooth the transition to remote working, and both employees and business leaders must learn how to implement new structures and some new or tweaked processes.”

Dr. Guilkey offers tips for both managers and associates to make working from home work out well for their companies:

For employees:

Get started early. “When going to the office, you normally get up and out the door early,” Dr. Guilkey says. “At home, this is more difficult. Get up, take a shower, and get started.”

Create a dedicated work space. People who haven’t worked remotely may need to experiment with different approaches to find what setting works best for them. “Just because you’re not going to the office doesn’t mean you can’t have an office. Dedicate a specific room or surface in your home to work,” Dr. Guilkey says“You should associate your home office with your actual office. This creates the correct mindset for being productive.”

Structure your day like you would in the office. Workers need to adopt exceptional conscientiousness when it comes to dividing their day into intensive work, communications, personal time and family life,” Dr. Guilkey says. “Have an agenda. Schedule meetings and project time and stay on schedule.”

For managers:

Set expectations.“It is vital that employees know what is expected of them,” Dr. Guilkey says. “When will you be available? How long will it take to get back to someone?”

Create a cadence of communication. Without daily face-to-face interaction, there’s more importance on communication. “A rhythm of communication is vital – daily check-ins, weekly one-on-ones, weekly team meetings, etc. ” Dr. Guilkey says.

Take a video-first approach. “Video, with all the current technology, is the most effective means of remote communication,” Dr. Guilkey says. “Invest in reliable tools.”

Maintain company social bonds. One drawback of working remotely is the potential breaking of social bonds that are necessary for productive teamwork. “Video conferencing or a quick Google chat with a colleague is vital to keep relationships strong,” Dr. Guilkey says. “Employees miss face-to-face banter and impromptu discussions in the physical office, so seeing faces on the screen daily is optimal for morale and a sense of normalcy.”

“Employees and employers can take this unprecedented time as a time to improve individually and as a company,” Dr. Guilkey says. “Working from home and working well together can go hand-in-hand when everyone is pulling even harder in the same direction.”

_______________________________________________________________

Jim Guilkey, PhD (http://www.jimguilkey.com) is the author of M-Pact Learning: The New Competitive Advantage — What All Executives Need To Know. He is the president of S4 NetQuest and a nationally recognized expert in instructional design and learning strategy, with extensive experience in leading the design, development, and implementation of innovative, highly effective learning solutions.

Under his leadership, S4 NetQuest has transformed the learning programs for numerous corporations, including Johnson & Johnson, McDonald’s, Merck, Nationwide, Chase Bank, BMW, Cardinal Health, Domino’s, GE Medical, Kaiser Permanente, Yum! Brands, and others. Guilkey is a frequent speaker at national conferences and corporate training meetings. Before co-founding S4 NetQuest, Guilkey served as the assistant director of flight education at The Ohio State University. He received a BS in aviation and an MA and PhD in instructional design and technology from Ohio State.

maintaining

Maintaining Business-as-Usual When Nothing is Usual

As we watch the evolving global response to the COVID-19 pandemic, it is abundantly clear that organizations are facing a business continuity challenge for which most had not precisely prepared. With little to no strategic planning for it, organizations are being forced to shift from an on-premises employee base to a remote distributed workforce. The choice is clear, shift or shut down, and those trying to shift have significant hurdles to overcome. Enterprises need to protect their employees and ensure business operation continuity by making this immediate pivot to a remote workforce.

The aforementioned hurdles are numerous, indeed. A few key ones fall around maintaining compliance, ensuring security with developmental practices and keys, and maintaining visibility into risk when monitoring tools are overwhelmed with signals.

Uncompromised Compliance

Meeting compliance rules in a diverse IT ecosystem is arduous on the best of days but can be overwhelming for organizations dealing with the unanticipated tide of remote workers, non-controlled devices, and unmanaged locations. Yet without access to the business-critical and sensitive information required to perform job responsibilities, productivity would grind to a halt.  Organizations meet the competing priorities of employee access and regulatory compliance in spite of an ongoing pandemic. Compliance frameworks such as SOX, HIPAA, HITECH, and PCI, require implementing and monitoring a large number of controls to ensure compliance, even with remote workers. This is a herculean task, especially across multiple clouds, sites, and external work locations.

In order to establish compliance, many compliance frameworks require organizations to begin with a risk-based assessment of the ecosystem. The information gathered from this assessment determines what controls are necessary and how they can best be configured to integrate with the environment. For organizations needing to move swiftly, it is absolutely essential to utilize automated tools to manage this process and ensure that no controls are left out or partially implemented. Even after implementation, the ecosystem should be reviewed and monitored in order to maintain continual compliance.

Remote Development

Developers working from home come with the challenge of ensuring the codebase that they are working on is secure and that it can safely be moved through the development lifecycle. Fortunately, developers have already been moving down this path with the development lifecycle in the cloud using a CI/CD pipeline to streamline and automate the process from development to production. However, this requires the issuance of high-privileged keys to developers to move code between environments and execute the code. Protecting these privileged keys is challenging and can leave individuals with excessive rights that violate the principle of least privilege. In the worst scenario, a bad actor could insert malicious code, self-promote the code all the way into production, and have the code execute with a permanently issued privileged key, all without any checks along the way.

The best way to ensure that the CI/CD pipeline remains secure is to ensure there are zero standing privileges when they are not directly needed to perform functions in the environment. To aid in this effort, storing privileged keys and using a system to programmatically check them out at the time of code execution allows them to be available when needed but otherwise keeps them inaccessible. This can further be improved upon by using scoped keys that have an expiration built into them so that even if a high-privilege key was compromised, its ability to be utilized by bad actors is limited.

In order to maintain compliance, it’s also important for a solution to see and control when a developer may have a risky or toxic combination of access, such as the capability of both writing code and performing QA on that code. Keeping these duties separate is key to preventing poor code hygiene, and it also reduces the risk of a backdoor being written in and pushed into production.

Pinpointing Anomalous Behavior

When dealing with multiple external workers and the sudden change in traffic, the vast amount of real-time activity and behavior data coming in from different areas can complicate visibility into anomalous behavior. An IT ecosystem that ranges from on-premises assets to multiple clouds generates a huge volume of log data, and SIEM tools and vulnerability scans only add to the total. Each of these is generally contained in its own environment and has separate interfaces for reviewing and monitoring, and there is limited correlation to find anomalies that might not be readily apparent from any given individual interface.

While managing a strong remote work environment, an organization is going to need to double down on monitoring. In order to understand holistic risk and keep from missing trends only visible when broader data is analyzed, organizations should seek ways to integrate the data from these disparate systems to attain visibility not possible from looking at each as a silo. A quick response can make the difference between a bad actor being stopped cold and walking off with the keys to the kingdom.

When Business IS Usual

Whether adapting to a pandemic or evolving to follow the trend of offering remote work to attract top talent, ensuring your organization’s data is secure is top priority. Even when the IT landscape of your organization changes, you need to maintain business continuity with solutions that include automated response to risk while documenting continual compliance. Whether securing file access or enabling software development, ensuring only the right people have the right access to the right digital resources at the right time should be more than a clever catchphrase. It should be business as usual.

___________________________________________________________

Diana Volere is a strategist, architect, and communicator on digital identity, governance and security, with a passion for organizational digital transformation. She has designed solutions for and driven sales at Fortune 500 companies around the world and has an emphasis on healthcare and financial verticals.  In her role as Saviynt’s Chief Evangelist, she delivers Saviynt’s vision to the community, partners, and customers, addressing how to solve present and future business challenges around identity.  Her past twenty years have been spent in product and services organizations in the IAM space. Outside of work, she enjoys travel, gastronomy, sci-fi, and most other activities associated with being a geek.

culture

Maximizing the Mixed Culture of In-House and Remote Workers.

Your business has employees.  You might have 5, or you might have 5,000.  Regardless of what size your business may be, every business has the same challenge; how do you maximize productivity? One important way of doing so is to make sure you are maximizing the output of your employees. To do that, it is important that you are aligning them with the goals of the business while providing them an environment that supports and fosters their growth. This gets lumped into the concept of culture.

Fostering the proper kind of culture is an important way to maintain a motivated workforce and increase productivity. Too often business owners and managers look at culture as intangible or amorphous or as something that HR should deal with. Culture is easier to address than that. Culture is the direct result of creating an environment that fosters a positive attitude. It delivers an efficient approach and arms employees with the right tools while supporting a balanced workforce. Some businesses look at culture through the lens of perks, like offering snacks in the breakroom. More often employees value perks in terms of flexibility. Employees value being encouraged, or at least given the chance, to work flexible hours, work remotely, and more.

This kind of flexibility is enabled through technology. The workplace is transforming, and the future of work is here. It is no longer a fantasy or a future opportunity. Video conferencing, connected messaging apps, document sharing and mobile access to information are making the remote, connected, “always-on” workforce a reality. These innovations and the explosion of their adoption in the modern workplace are making it easier for employees to balance their work and personal lives, interweaving the two together. The shackles of being tied to a desk are gone and people are free to intermingle their personal and professional lives. Video creates the chance to see who you are engaging with, no matter where they are. Looking someone in the eye always establishes a better rapport. As a result, businesses see stronger inter-personal collaboration, better sharing of information and insights and an increase in productivity.

Your best employees appreciate this and balance better. They will work later knowing they were able to take an hour to drop their kids at school or attend a school meeting. They can get a work-out in at lunch knowing they can do a conference call remotely. They take pride in their work because they feel there is a reciprocal value exchange between them and their employer. They realize their employer wants them to feel empowered and treated fairly while they develop a sense of ownership and pride in the place where they work. That sense of pride can translate to better use of their time and less “corner cutting” (i.e. taking short cuts in meetings to get on with the rest of your day).

Beyond that sense of pride and confidence in an employer, there are more tangible results of providing the tools to enable flexible work schedules.

People can respond faster to issues and questions and create “durable” threads of related content. Messaging and collaboration apps enable you to ping co-workers and exchange ideas, ask questions and seek information quickly and less intrusively, but are accessible remotely. Expectations on messaging apps are different than that for phone calls, email or text and they are more useful after the fact. Messaging apps allow for thoughtful responses, with attachments and key information included, and saved in a thread for later use. This aggregation of information is valuable for extended teams and the information is collected quicker than it would have been over text or phone.  As a broader team gets involved, there is a record of conversation and relevant information that can be used to increase productivity.

I briefly mentioned this benefit, but employees can respond from anywhere and with video conferencing. Just because someone isn’t in the office doesn’t mean the project can’t move forward. Being connected through mobile video means information can be exchanged regardless of location, with clear body language in addition to audio. Remote workers and out-of-office employees can always be reached instantly and provide quick responses to important, time-sensitive inquiries.

This “always on” and interconnected approach creates an environment where collaboration can happen on the fly and innovation can spark from anywhere. One of the things I have always heard and understood is that the best ideas can come from the least expected places. A great idea may surface when you aren’t in the office, but if you can’t share the idea then it may never see the light of day. As inspiration arises, it can be shared with team members and built upon quickly, resulting in a potentially new and important initiative.

The best thing about these technology tools is that no person feels as though they are operating on an island. In the past, businesses have been hesitant to hire the right person if they can’t physically be on site. In some cases, amazing candidates are disregarded because they are not local. With the new era of technology tools, you can always hire the best person no matter where they are located. If that person is on video, it’s as good as them being in the office. As a result, no person is on an island and your business ends up with the highest qualified, best talent for the job.

Technology is also not expensive anymore. Whether your business is 5 people or 5,000, you can afford to act like a 50,000 person company and leverage cloud-based tools to increase productivity and balance the in-house people with a remote workforce for maximum results.