nCipher Security Blog

The moat is gone – businesses need a new approach to protect their castles

Peter Galvin | Chief Strategy Officer

In the days of old, organizations had all of their people and resources in select locations. That enabled businesses to protect their data and devices with perimeter security. Like a moat around a castle, this kept out the enemy by surrounding the enterprise with a defensive shield.

But perimeter security doesn’t adequately address the world in which businesses exist today.

COVID-19 Broke Down Corporate Preconceptions and Expanded the Distributed Enterprise

In recent years, organizations became more distributed with the expansion of telecommuting and other remote work. Telecommuting increased an estimated 159% between 2005 and 2017.

This year, the coronavirus pandemic took the work-from-home (WFH) movement to a whole new level. As this cartoon illustrates, COVID-19 acted as a wrecking ball – demolishing excuses that had prevented businesses from embracing digital transformation and organizational change. Microsoft CEO Satya Nadella commented, “We’ve seen two years’ worth of digital transformation in two months.” Meanwhile, a Gartner survey suggests that 82% of company leaders will allow their employees to work remotely some of the time, even after the pandemic.

This points to the need for a sea change in the way company leaders think about security.

Remote Access to Critical Systems and Data Calls for a Broader Definition of Cybersecurity

The fact that the WFH population has rapidly expanded is not the only change prompted by COVID-19. Because many businesses want to keep employees at home for health reasons, they have needed to open up their critical systems to enable their remote workforces to get the job done. This is different from how it worked in the recent past, when organizations with remote workers only allowed those people to access select business applications such as email.

Now it’s more important to use multi-factor authentication (MFA) in the form of biometrics, PIN codes and other methods to certify the identities of the devices and people that are trying to access corporate data and systems. Businesses need to understand whether the person using a machine to gain access is a credible and identifiable person. They will also want to know the locations of the devices trying to access the information and have the intelligence to detect when things don’t make sense – such as when a location in which the company doesn’t have employees, like China or Russia, is trying to access applications it has never before used.
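The location check described above, sketched as an added example that is not part of the original post or any nCipher product: it replays sign-in events and alerts only when a country without employees coincides with an application the user has not used before. The employee-country set, the event fields, the per-user baseline and the sample events are all constructed assumptions.

```python
from collections import defaultdict

# Assumption: countries where the company has employees (constructed values).
EMPLOYEE_COUNTRIES = {"US", "GB", "DE"}

# Constructed sign-in events: (timestamp, user, country, application).
EVENTS = [
    ("2020-06-03T02:44:19Z", "alice", "BR", "payroll"),  # both signals
    ("2020-06-01T08:02:11Z", "alice", "US", "email"),
    ("2020-06-01T08:05:40Z", "alice", "US", "crm"),
    ("2020-06-02T09:15:03Z", "bob", "DE", "email"),
    ("2020-06-03T02:41:57Z", "alice", "BR", "email"),    # known app, odd country
    ("2020-06-04T10:00:00Z", "bob", "DE", "payroll"),    # new app, expected country
]


def detect(events, employee_countries=EMPLOYEE_COUNTRIES):
    """Replay events in time order against a per-user application baseline.

    Returns (alerts, notes). An alert needs both signals from the text:
    a country without employees AND an application the user has not used
    before. One signal alone is kept as a lower-priority note.
    """
    apps_by_user = defaultdict(set)
    alerts, notes = [], []
    # ISO 8601 UTC timestamps in one format sort correctly as strings.
    for ts, user, country, app in sorted(events):
        reasons = []
        if country not in employee_countries:
            reasons.append("country_without_employees")
        if app not in apps_by_user[user]:
            reasons.append("first_use_of_application")
        record = {"time": ts, "user": user, "country": country,
                  "app": app, "reasons": reasons}
        if len(reasons) == 2:
            alerts.append(record)
        elif reasons:
            notes.append(record)
        # Update the baseline only after scoring, so the event is judged
        # against what was known before it happened.
        apps_by_user[user].add(app)
    return alerts, notes


if __name__ == "__main__":
    alerts, notes = detect(EVENTS)
    for a in alerts:
        print("ALERT", a)
    print(len(notes), "single-signal notes")
```

Requiring both signals keeps ordinary travel and ordinary first use of an application out of the alert queue while still recording them for review.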

Organizations also need permissions governing who has access to what applications and data. And, if all else fails, businesses should use end-to-end encryption to ensure that their data and communications are secure. These practices are now just as vital as traditional network security.

Smart Businesses Are Employing Encryption, HSMs and PKI, and Ensuring Ease of Use

Some businesses may start off by encrypting their most sensitive information. But, ultimately, organizations will want to embrace an encryption-everywhere strategy.

Organizations will also want to be sure that their high-assurance, identity-based solutions are supported on the back end with public key infrastructure (PKI) and hardware security modules (HSMs). HSMs provide digital signing, encryption, key generation and protection to enable organizations to enforce their encryption policies across different devices and multiple clouds. This establishes a root of trust within the business, providing a central and auditable point of control for encryption and key management policy.

Businesses should educate employees on what security tools they’re using and why they’re being implemented. To make life easier on employees and ensure adoption, enterprises should enable a secure, single sign-on (SSO) to all applications that workers are authorized to access. After all, nobody wants to have to sign on to 40 different applications, 40 different times.

Don’t Get Stuck in Outdated Thinking – Address the Moment and Prepare for the Future

Securing the enterprise using a moat-based approach simply no longer makes sense. Yet security leaders are still spending the bulk of their money on network perimeter security.

Perimeter security may have some value. But organizations need to invest in data and identity security to protect their assets and create rules for who can access what data and applications.

Forward-looking security leaders have made the jump from thinking just about the perimeter to securing the identities, the data and the edges of the network. This makes sense because there is no longer a standard, trusted perimeter. The perimeter continues to move and expand.

To learn more about how leading organizations are securing their enterprises and applying encryption at a time when data is proliferating, mobility is increasing and protecting customer data is a top priority, check out the webinar “2020 Global Encryption Trends Study: Are You Protecting What Matters the Most?” with my colleague John Grimm and Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.