Editor's note: My TechDecisions' sister site Commercial Integrator has teamed up with the IMCCA, the New York-based non-profit industry association for unified communication and workplace collaboration, to produce a quarterly supplement that focuses on all things collaboration from multiple perspectives. Together, the organizations launched Collaboration Today and Tomorrow.
Pre-pandemic, the hybrid workplace was for many still an emerging phenomenon, ranging from embedded freelancers with a different email address for each major client to nomadic employees traveling the world. And as concerns about the carbon footprint, time and expense of travel grew, virtual collaboration was already becoming more common.
Today, the accelerated digital transformation of many business models has spawned increasingly sophisticated hackers, and proliferating endpoints mandate new cybersecurity models.
Even before the pandemic’s onset, enterprise IT and operations managers faced continued security threats to networks, data assets, business continuity and intellectual property. Those are now coupled with a shifting pandemic and staffing shortfalls. These threats reflect the sheer volume of applications and services in concurrent use, many accessing or living wholly in the cloud, and limited integration with existing security measures.
The pandemic’s relentlessness, coupled with inconsistent mitigation measures, has challenged earlier hopes for a widespread “return to work” in corporate headquarters and field offices. It appears that for the foreseeable future, many employees and contractors will “work from home” (or wherever they can) at least part of the time, based on local conditions, personal COVID-19 exposure fears and family needs. This hybrid environment requires a 24/7/365 security blanket around all company data, devices and assets — while often lacking the staffing for high-touch intervention.
Technology Management: Engine of Project Enablement
When leadership considers the IT group’s roles and responsibilities, collaboration, planning and project enablement are usually not top of mind. However, when the balance between cybersecurity and productivity is optimal, employees can do their best work, and the enterprise reaps the rewards in multiple ways.
Public and private entities are increasingly called upon to manage initiatives with outside partners, vendors, sales/distribution networks, contractors, allies and the public. Accordingly, cloud-based applications that support shared file creation, video collaboration and team-based project management often drive productivity. From the courseware that compliance requires to virtual Happy Hours, all virtual connections rely on the concept of genuine, authenticated use of resources. Yet every device, user, application and network represents a potential loss of data, reputation and finances.
Fortunately, organizational technology managers are able to maintain cybersecurity more tightly and unobtrusively than at any other time in history – but only when given the appropriate tools and their optimal configuration. We can also specify a “minimum prescription” for the vast majority of enterprises, to which many already have access — but may not be leveraging.
‘Whack-a-Mole’ Isn’t Enough
We have all seen the costly data breaches and ransomware incidents that can result from configuration errors and unpatched software. Less visible causes include the difficulty of monitoring all the log files, alerts, new hires, terminated relationships, location changes and devices for which IT departments hold responsibility. And, as an organization’s digital estate grows, so does its volume of security data, much of it in the cloud. Often, organizations manage this data within legacy systems that are typically siloed, creating a “Whack-a-Mole” scenario.
In conjunction with basic safeguards such as firewalls, a secure and easily managed active user directory, and the basic software needed for operations, IT departments are increasingly finding that the most efficient way to monitor and manage users, their access and their use of company resources is a single identity platform. Such a platform provides a secure connection among every potential user, device and datum.
Trust Must Be Earned
There are no perfect answers in cybersecurity, but the “Zero Trust,” or vulnerable-until-proven-secure mindset, has become the most viable. Zero Trust acknowledges ongoing threats inside and outside network boundaries. After all, any assets valuable enough to pay staff to develop and protect will come under attack at some point, whether from a professional hacker, unscrupulous competitor or disgruntled employee. In contrast to perimeters that presume serious threats are always external to the network, Zero Trust platforms support gated access to data and resources across the entire domain.
In addition to a “verify, then trust” philosophy, Zero Trust platforms bring together several critical but often-siloed functions: identity authentication, endpoint management, security monitoring and analytics, along with regulatory and third-party (e.g., ISO) compliance.
For integration with a basic cloud, mobile and/or desktop office suite, Zero Trust platform options include Microsoft 365 (e.g., E3 or E5), Amazon Web Services (AWS), and Google Workspace (e.g., Business Plus or Enterprise). Each of these is priced on a per-seat plus streaming and/or storage threshold basis, so they scale up or down as needed, and include some measure of the “security essentials,” among others, outlined below. Vetted ecosystem partners can provide additional components if/as needed.
Solutions providers such as Cisco and IBM also offer infrastructure that may be preferred for use cases not described here.
Shopping for Integrated Simplicity
Though comparing designed-as-one-stop gatekeeper platforms is beyond the scope of this article, key questions include the following:
- Ease of use of the administrative portal in which user, device, network, and application management occurs. What IT can’t staff, won’t happen.
- The extent to which conditional access can overlay all supported applications, such as document processing, spreadsheets, databases, graphics, presentations, meetings and collaboration (e.g., in grouping users, individualizing access to documents, project team portals, and meeting rooms).
- For sectors subject to extensive regulatory compliance documentation, such as healthcare, aerospace, financial services and public infrastructure, the availability of a fully integrated management and reporting portal to centralize and document security data and actions taken.
Using What You Have
It is always tempting to invest reactively in information security as needs arise, so some organizations have licensed or purchased dozens of freestanding products. However, just as a series of fence posts will not protect acreage, the piecemeal approach is flawed. Many standalone security products, by design, produce many alerts, most of which may be redundant, false, or low priority. “Alert overload,” in turn, obscures the events that merit high priority. Thus, managing security via one application, department, or network at a time is not only staff-intensive, but often ineffective.
For enterprises that already license a Zero Trust platform, it’s wise to explore all its security functionality before investing further, to avoid redundant and/or dangerously distracting security purchases.
Zero Trust Infrastructure: Key Building Blocks
- Multi-factor authentication (MFA): The foundational security layer for any network is MFA – requiring a user seeking network access on one device to verify their identity using another device (e.g., by receiving and then entering a multi-character code). The other device might be an RSA token, a phone or tablet, a laptop or desktop. Some intranet portal authentication is limited to CAPTCHA verification, which confirms only that a human is involved, not necessarily an authorized user.
- Identity management with conditional access: Conditional access policies, integrated with an active user directory, allow enterprise technology managers to block or grant access to certain resources and apps on a policy basis, contingent on whether a user or device meets certain conditions, including successful MFA, login from a location and device within their known parameters, and using a compliant application.
Access can be managed in the background without impeding productivity. For example, anomalies such as logins within a short period of time from very far-removed physical locations, or multiple login attempts with different passwords over a short period of time, will trigger an alert to IT and reject the login. At the same time, the platform can recognize and allow access to a team member who might log into the cloud remotely at one point and then work on premise, without interruption.
Conditional access also serves as the network’s antivirus and anti-malware layer. Since authentication requires that self-reported user identity, location, device and other pre-specified variables align before the requested access is granted, this layer also protects against stolen or guessed passwords.
- Shared file mandates: Integrated document processing suites all have shared drive capability, but users are not always limited to saving files to that shared drive, nor to creating work within the company’s licensed applications. The result is that many files on local or even removable drives are not protected by the corporate “circle of trust.” On authenticated devices, making it impossible to save files on locations other than the shared drive also benefits the employee, who then can securely access and locate any file needed (presuming an intuitive taxonomy for shared resources has been established, as is strongly recommended). A shared drive mandate also reduces emailed documents, which is desirable for both security reasons and version control.
- Data governance: Ensuring that all organization files are in a shared directory enables file and resource-level gated access, set by users if/as appropriate, such as need-to-know access, or restricting print or external forwarding. In addition to adjusting sensitivity settings by document, type, or folder, users can encrypt any email manually. Administrators can also set default parameters to ensure that even if the user forgets manual encryption, trigger content such as passwords, credit card numbers, or Social Security numbers will result in encrypted transmission.
- Mobile device management (MDM) and mobile application management (MAM): These functions control how corporate-owned or user-owned compliant devices are used, including mobile phones, tablets and laptops. IT can configure policies to control devices and applications, including deletion of proprietary files when employees leave or contracts end, especially under adverse circumstances. This safeguard avoids the “What is proprietary?” question with which NDA signatories may struggle, or forgetfulness as to what files they have stored and where.
- Security information and event management (SIEM): Where information security and documented data flow are paramount (e.g., healthcare PHI, regulated medical devices, DoD, legal services, aerospace, public infrastructure), Microsoft Sentinel and other security information and event management (SIEM) products add a “single pane of glass” to consolidate routine system transactions and security events, while sorting them by type and priority. Actions from that point can be individualized or automated in a rules-based way. Important events include suspicious login attempts, attempted firewall breaches, antivirus software activity, and malware attempts.
When SIEM software identifies a threat, it generates an alert and threat level based on predetermined rules, which will also determine the action taken, if configured as such (e.g., locking out the user and/or device, sending alerts to a workgroup or shutting down a server). Or, of course, an IT staff member can evaluate and adjudicate the situation on a one-off basis if/as desired.
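The MFA and conditional-access building blocks above can be shown concretely in a few dozen lines. The following is an added example written for this article, not code from any of the platforms it names: it generates and checks the "multi-character code" as an RFC 6238 TOTP (the secret `12345678901234567890` is the RFC's own test vector, so the first code is `287082`), then evaluates each sign-in against a policy requiring a correct password, a valid MFA code, a compliant device and an approved application, and raises the two alerts the text describes: impossible travel between consecutive sign-ins (here, a 900 km/h speed limit) and a burst of failed passwords. The users, coordinates, thresholds and sign-in events are constructed for the example.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Optional, Tuple

# --- MFA: RFC 4226 HOTP / RFC 6238 TOTP, the one-time code delivered by a second device ---

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 one-time code for a moving counter (RFC 4226 dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3]) % 10 ** digits
    return str(code).zfill(digits)

def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the counter is the number of 30-second steps since the Unix epoch."""
    return hotp(secret, at // step, digits)

def verify_totp(secret: bytes, code: str, at: int, skew_steps: int = 1) -> bool:
    """Constant-time comparison against the current step and +/- skew_steps of clock drift."""
    return any(hmac.compare_digest(totp(secret, at + k * 30), code)
               for k in range(-skew_steps, skew_steps + 1))

# --- Conditional access: one sign-in attempt carrying the signals the policy evaluates ---

@dataclass
class SignIn:
    user: str
    ts: int                 # epoch seconds
    lat: float
    lon: float
    password_ok: bool
    mfa_code: Optional[str]
    device_compliant: bool
    app_approved: bool

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

MAX_SPEED_KMH = 900                 # faster than an airliner between two sign-ins: impossible travel
FAIL_LIMIT, FAIL_WINDOW = 5, 300    # five bad passwords inside five minutes: spray/brute-force alert

Decision = Tuple[str, int, bool, List[str]]   # (user, ts, granted, reasons)

def evaluate(events: List[SignIn], secrets: Dict[str, bytes]) -> List[Decision]:
    """Grant or deny each sign-in in time order; reasons prefixed 'ALERT' would page IT."""
    decisions: List[Decision] = []
    last_granted: Dict[str, SignIn] = {}
    failures: Dict[str, List[int]] = {}
    for e in sorted(events, key=lambda s: s.ts):
        reasons: List[str] = []
        if not e.password_ok:
            reasons.append("bad password")
            recent = [t for t in failures.get(e.user, []) if e.ts - t <= FAIL_WINDOW] + [e.ts]
            failures[e.user] = recent
            if len(recent) >= FAIL_LIMIT:
                reasons.append(f"ALERT {len(recent)} failed passwords in {FAIL_WINDOW}s")
        else:
            if e.mfa_code is None or not verify_totp(secrets[e.user], e.mfa_code, e.ts):
                reasons.append("MFA failed")
            if not e.device_compliant:
                reasons.append("non-compliant device")
            if not e.app_approved:
                reasons.append("unapproved application")
            prev = last_granted.get(e.user)
            if prev is not None:
                km = haversine_km(prev.lat, prev.lon, e.lat, e.lon)
                hours = (e.ts - prev.ts) / 3600
                if km > 50 and km > hours * MAX_SPEED_KMH:
                    reasons.append(f"ALERT impossible travel: {km:.0f} km in {hours:.1f} h")
        granted = not reasons
        if granted:
            last_granted[e.user] = e      # only trusted sign-ins anchor the next travel check
        decisions.append((e.user, e.ts, granted, reasons))
    return decisions

# Constructed sample: RFC 6238's test secret for alice, an arbitrary (not real) seed for bob.
SECRETS = {"alice": b"12345678901234567890", "bob": b"bob-seed-for-the-example-only"}
NYC, BOSTON, TOKYO = (40.71, -74.01), (42.36, -71.06), (35.68, 139.69)
SAMPLE = [
    SignIn("alice", 59, *NYC, True, "287082", True, True),                          # RFC test vector, granted
    SignIn("alice", 1859, *TOKYO, True, totp(SECRETS["alice"], 1859), True, True),  # 30 min later, 10,000+ km away
    SignIn("alice", 3659, *NYC, True, None, True, True),                            # right password, no MFA
    SignIn("alice", 36059, *BOSTON, True, totp(SECRETS["alice"], 36059), True, True),  # on site 10 h later
] + [SignIn("bob", 100 + 60 * i, *NYC, False, None, True, True) for i in range(5)]  # password guessing

if __name__ == "__main__":
    for user, ts, ok, why in evaluate(SAMPLE, SECRETS):
        print(f"{ts:>6} {user:<6} {'GRANT' if ok else 'DENY':<5} {'; '.join(why)}")
```

Two design points matter in practice: the travel check is anchored on the last *granted* sign-in, so a denied attempt from a distant location cannot "move" the user and legitimise the next one, and the TOTP comparison uses `hmac.compare_digest` to avoid leaking code digits through timing.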
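The data-governance item mentions trigger content (passwords, credit card numbers, Social Security numbers) forcing encrypted transmission even when the sender forgets, and labels that restrict external forwarding. The example below is added for this article and is not any vendor's DLP engine: it scans an outgoing message body for those three trigger types (card candidates must also pass the Luhn mod-10 check, so order or tracking numbers do not count), and returns a transport decision of `send`, `encrypt` or `block`. The sample messages, the `corp.example` domain and the `confidential` label name are constructed.

```python
import re
from typing import Dict, List, Tuple

# Trigger-content detectors; deliberately narrow to keep false positives (and alert overload) down.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")           # 13-19 digits, optional spaces/dashes
PASSWORD_RE = re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*\S+")

def luhn_ok(number: str) -> bool:
    """Mod-10 checksum that separates real card numbers from look-alike reference numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:                     # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(body: str) -> Dict[str, int]:
    """Count each kind of trigger content present in a message body."""
    return {
        "ssn": len(SSN_RE.findall(body)),
        "card": sum(1 for m in CARD_RE.findall(body) if luhn_ok(m)),
        "password": len(PASSWORD_RE.findall(body)),
    }

def outbound_policy(body: str, recipients: List[str], internal_domain: str,
                    label: str = "general", user_encrypted: bool = False) -> Tuple[str, List[str]]:
    """Decide how a message may leave: 'send', 'encrypt' (forced even if the sender forgot) or 'block'."""
    reasons: List[str] = []
    external = [r for r in recipients if not r.lower().endswith("@" + internal_domain)]
    if label == "confidential" and external:          # label forbids external forwarding outright
        reasons.append("confidential label with external recipients: " + ", ".join(external))
        return "block", reasons
    for kind, n in classify(body).items():
        if n:
            reasons.append(f"{n} {kind} value(s) detected")
    if user_encrypted and not reasons:
        reasons.append("encryption requested by sender")
    return ("encrypt", reasons) if reasons else ("send", reasons)

# Constructed sample messages (no real personal data).
SAMPLES = {
    "hr": "Please onboard Jane; her SSN is 123-45-6789 and her start date is Monday.",
    "expense": "Charged to the corporate card 4111 1111 1111 1111, receipt attached.",
    "order": "Order 1234 5678 9012 3456 shipped (a tracking number, not a card).",
    "creds": "Temporary login for the vendor portal - password: Tr0ub4dor&3",
    "lunch": "Team lunch Thursday at noon, RSVP by Wednesday.",
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        action, why = outbound_policy(body, ["colleague@corp.example"], "corp.example")
        print(f"{name:<8} {action:<8} {'; '.join(why)}")
```

The policy runs on the server side of the mail flow, so a user's forgotten manual encryption is corrected rather than reported; the `reasons` list is what an administrator would see in the platform's audit trail.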
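The SIEM item describes rules that assign a threat level, aggregate events by type and priority, and either trigger an automated action or hand the event to a staff member. The example below is added for this article and is not Microsoft Sentinel or any other product's rule language: a small threshold-and-correlation engine over normalized events from a firewall, an antivirus agent and an identity provider. Repeated hits inside a rule's window update one alert instead of raising twenty, which is the mechanism that counters the "alert overload" discussed earlier, and a correlation stage escalates a successful sign-in from an address that has already tripped the firewall rule. Rule names, thresholds, actions and the sample events (IP addresses from the RFC 5737 documentation ranges) are constructed.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Rule:
    name: str
    severity: str
    match: Callable[[dict], bool]   # does this normalized event belong to the rule?
    key: str                        # event field that groups hits (src_ip, host, user ...)
    threshold: int                  # hits per key inside `window` before an alert fires
    window: int                     # seconds
    action: str                     # automated response, or a notify-* action for human adjudication

@dataclass
class Alert:
    rule: str
    severity: str
    key: str
    action: str
    first_ts: int
    last_ts: int
    count: int = 1

RULES = [
    Rule("firewall-deny-burst", "medium",
         lambda e: e["source"] == "firewall" and e["type"] == "deny", "src_ip", 20, 60, "notify-netops"),
    Rule("malware-detected", "high",
         lambda e: e["source"] == "av" and e["type"] == "malware_detected", "host", 1, 3600, "isolate-host"),
]

def run_rules(events: List[dict], rules: List[Rule] = RULES) -> List[Alert]:
    """Threshold rules with aggregation, then one correlation rule; returns alerts by descending severity."""
    alerts: List[Alert] = []
    hits: Dict[Tuple[str, str], List[int]] = {}
    open_alerts: Dict[Tuple[str, str], Alert] = {}
    ordered = sorted(events, key=lambda e: e["ts"])
    for e in ordered:
        for r in rules:
            if not r.match(e):
                continue
            k = (r.name, e[r.key])
            recent = [t for t in hits.get(k, []) if e["ts"] - t <= r.window] + [e["ts"]]
            hits[k] = recent
            a = open_alerts.get(k)
            if a is not None and e["ts"] - a.first_ts <= r.window:
                a.count += 1                 # same incident: update the open alert, do not re-alert
                a.last_ts = e["ts"]
            elif len(recent) >= r.threshold:
                a = Alert(r.name, r.severity, e[r.key], r.action, recent[0], e["ts"], len(recent))
                open_alerts[k] = a
                alerts.append(a)
    # Correlation stage: a successful sign-in from an address that is already hammering the
    # firewall outranks either source alert on its own and gets an automated response.
    for e in ordered:
        if e["source"] == "auth" and e["type"] == "login_ok":
            burst = open_alerts.get(("firewall-deny-burst", e["src_ip"]))
            if burst is not None and burst.first_ts <= e["ts"] <= burst.last_ts + 3600:
                alerts.append(Alert("login-after-scan", "critical", e["user"], "lock-user", e["ts"], e["ts"]))
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a.severity], reverse=True)

# Constructed sample: 25 firewall denies in 50 s from one address, one AV detection,
# then two successful sign-ins, one of them from the scanning address.
SAMPLE_EVENTS = (
    [{"ts": 1000 + 2 * i, "source": "firewall", "type": "deny", "src_ip": "198.51.100.7"} for i in range(25)]
    + [{"ts": 1100, "source": "av", "type": "malware_detected", "host": "ws-42"},
       {"ts": 1200, "source": "auth", "type": "login_ok", "user": "carol", "src_ip": "198.51.100.7"},
       {"ts": 1210, "source": "auth", "type": "login_ok", "user": "dave", "src_ip": "203.0.113.5"}]
)

if __name__ == "__main__":
    for a in run_rules(SAMPLE_EVENTS):
        print(f"{a.severity:<8} {a.rule:<20} key={a.key:<14} x{a.count:<3} -> {a.action}")
```

Twenty-eight events produce three alerts, not twenty-seven, and the one an analyst sees first is the correlated sign-in; the medium-severity firewall alert carries `count=25` so the volume is preserved without being re-raised per packet.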
Leveraging Secure Collaboration: Flexible Schedules, Anywhere Work
Once an appropriate and properly configured Zero Trust platform is in place, the security risks of asynchronous, geographically dispersed and/or contracted project work, for a day or a year, are certainly better managed. Although we can’t predict the future in terms of COVID-19, military operations or any other global threats, we do know that the more options employees have, the happier and more productive they can be.
For example, with “early warning” of local surges still possible, employees might seek to visit family or travel recreationally in a “calm between surges.” In conjunction with HR policy flexibility around paid or unpaid leave, variable work hours and the amount of notice required, IT can support employees and contractors in balancing their work and personal well-being, a strong driver of high performer retention.
Complicating requests for leave or schedule accommodations is the fact that, whether a user is traveling in a pickup truck, on a train or through an airport, things are likely to take longer and entail more twists and turns for some time to come. Given understaffed security checkpoints, shifting COVID-19-related requirements and unforeseen route cancellations, employee movements will not always proceed according to plan.
Virtual Desktops and Remote Provisioning
Recently, my firm was tasked with a large-scale installation for a client with U.S., E.U. and APAC offices. To fulfill this contract, we dispatched third-party project managers and field installers across the world, while supporting each PM with Microsoft’s Azure Virtual Desktop. By accessing the Desktop via either a fat client or an HTML5-compliant hyperlink in a Web browser, PMs, using any device and OS, could log in and use any resources needed, with no localized applications required. Sessions were locked and users logged out within a predetermined number of minutes after their last activity.
In addition to BYOD and public network access options, new hires, transfers or contractors located anywhere in the world can be onboarded via company-owned computers or mobile devices that ship directly from the source, while configured to download all necessary applications and settings once identity is verified online. This flexibility, enabled by secure infrastructure, avoids the need to pay and wait for shipping twice (to the company and then to the employee). In addition, avoiding the need for high-touch, white-glove configuration conserves IT hours and prevents delays in getting the new resource to full productivity.
Project Success: It’s Still Personal
Today’s project management tools are more sophisticated than ever, yet many teams still use relatively simple yet powerful tools such as Microsoft Planner, Asana and Trello. Absent more granular project planning that some project types require, contributors want to focus on the work, the deliverables, not the process. This is particularly true when they must often work a bit harder to forge a virtual yet personal connection to better understand team members’ context and perspectives. The sidebars and lunches that often provided this insight pre-pandemic are simply more difficult to come by these days.
By the same token, most users expect cybersecurity to “just work.” Still, everyone wants to avoid the worst cases when it doesn’t, such as ransomware, unfair competitive advantage, and data breaches, which not only disrupt operations but affect enterprise reputation. Evidence of an internal commitment to collaborations that produce tangible results includes the extent to which IT provides clear, succinct “rules of the road” that are consistently enforced.
Of course, that road is never-ending. Cyber risks will continue to evolve. Our best line of defense is a platform and approach that evolves with them, administered by IT staff willing to play the long game, supported by leadership that understands the strategic importance of that mission. IT, its funders and advocates all support the most valuable assets of any enterprise — its people — with the freedom to collaborate, innovate and deliver — when, where and how they can.