As we watch the evolving global response to the COVID-19 pandemic, it is abundantly clear that organizations are facing a business continuity challenge for which most had not precisely prepared. With little to no strategic planning for it, organizations are being forced to shift from an on-premises employee base to a remote distributed workforce. The choice is clear, shift or shut down, and those trying to shift have significant hurdles to overcome. Enterprises need to protect their employees and ensure business operation continuity by making this immediate pivot to a remote workforce.
The aforementioned hurdles are numerous, indeed. A few key ones fall around maintaining compliance, ensuring security with developmental practices and keys, and maintaining visibility into risk when monitoring tools are overwhelmed with signals.
Meeting compliance rules in a diverse IT ecosystem is arduous on the best of days but can be overwhelming for organizations dealing with the unanticipated tide of remote workers, non-controlled devices, and unmanaged locations. Yet without access to the business-critical and sensitive information required to perform job responsibilities, productivity would grind to a halt. Organizations meet the competing priorities of employee access and regulatory compliance in spite of an ongoing pandemic. Compliance frameworks such as SOX, HIPAA, HITECH, and PCI, require implementing and monitoring a large number of controls to ensure compliance, even with remote workers. This is a herculean task, especially across multiple clouds, sites, and external work locations.
In order to establish compliance, many compliance frameworks require organizations to begin with a risk-based assessment of the ecosystem. The information gathered from this assessment determines what controls are necessary and how they can best be configured to integrate with the environment. For organizations needing to move swiftly, it is absolutely essential to utilize automated tools to manage this process and ensure that no controls are left out or partially implemented. Even after implementation, the ecosystem should be reviewed and monitored in order to maintain continual compliance.
Developers working from home come with the challenge of ensuring the codebase that they are working on is secure and that it can safely be moved through the development lifecycle. Fortunately, developers have already been moving down this path with the development lifecycle in the cloud using a CI/CD pipeline to streamline and automate the process from development to production. However, this requires the issuance of high-privileged keys to developers to move code between environments and execute the code. Protecting these privileged keys is challenging and can leave individuals with excessive rights that violate the principle of least privilege. In the worst scenario, a bad actor could insert malicious code, self-promote the code all the way into production, and have the code execute with a permanently issued privileged key, all without any checks along the way.
The best way to ensure that the CI/CD pipeline remains secure is to ensure there are zero standing privileges when they are not directly needed to perform functions in the environment. To aid in this effort, storing privileged keys and using a system to programmatically check them out at the time of code execution allows them to be available when needed but otherwise keeps them inaccessible. This can further be improved upon by using scoped keys that have an expiration built into them so that even if a high-privilege key was compromised, its ability to be utilized by bad actors is limited.
In order to maintain compliance, it’s also important for a solution to see and control when a developer may have a risky or toxic combination of access, such as the capability of both writing code and performing QA on that code. Keeping these duties separate is key to preventing poor code hygiene, and it also reduces the risk of a backdoor being written in and pushed into production.
Pinpointing Anomalous Behavior
When dealing with multiple external workers and the sudden change in traffic, the vast amount of real-time activity and behavior data coming in from different areas can complicate visibility into anomalous behavior. An IT ecosystem that ranges from on-premises assets to multiple clouds generates a huge volume of log data, and SIEM tools and vulnerability scans only add to the total. Each of these is generally contained in its own environment and has separate interfaces for reviewing and monitoring, and there is limited correlation to find anomalies that might not be readily apparent from any given individual interface.
While managing a strong remote work environment, an organization is going to need to double down on monitoring. In order to understand holistic risk and keep from missing trends only visible when broader data is analyzed, organizations should seek ways to integrate the data from these disparate systems to attain visibility not possible from looking at each as a silo. A quick response can make the difference between a bad actor being stopped cold and walking off with the keys to the kingdom.
When Business IS Usual
Whether adapting to a pandemic or evolving to follow the trend of offering remote work to attract top talent, ensuring your organization’s data is secure is top priority. Even when the IT landscape of your organization changes, you need to maintain business continuity with solutions that include automated response to risk while documenting continual compliance. Whether securing file access or enabling software development, ensuring only the right people have the right access to the right digital resources at the right time should be more than a clever catchphrase. It should be business as usual.
Diana Volere is a strategist, architect, and communicator on digital identity, governance and security, with a passion for organizational digital transformation. She has designed solutions for and driven sales at Fortune 500 companies around the world and has an emphasis on healthcare and financial verticals. In her role as Saviynt’s Chief Evangelist, she delivers Saviynt’s vision to the community, partners, and customers, addressing how to solve present and future business challenges around identity. Her past twenty years have been spent in product and services organizations in the IAM space. Outside of work, she enjoys travel, gastronomy, sci-fi, and most other activities associated with being a geek.