The industry is in the midst of a transformation. In this case, it isn’t the omnipresent digital transformation, but rather a sudden tectonic shift towards remote work. For many organizations built on the classic, communal office space, this can seem daunting.
Many employees have started to work from home, and some are throwing a wrench in the machine by connecting to unsecured networks and paths — reshaping what may have once been considered an “airtight” perimeter. Further complicating matters, employees can’t collaborate as effectively when remote, right?
Not exactly. Paying mind to recent trends, the remote workforce can be productive and work in a secure environment. International Workplace Group found that 85 percent of surveyed business noted an increase in productivity that could be directly attributed to remote work flexibility. And security can be ramped up to address the following issues: an influx of new device connections, a flurry of requests for remote access to sensitive information, and the looming threat of phishing and other web-based attacks as users hit rogue sites.
How are these trends supported? Largely in the form of these three familiar categories: unified endpoint management (UEM), identity and access management (IAM), and remote security infrastructure services.
IBM Security MaaS360 with Watson UEM, IBM Cloud Identity, and IBM Security Services professionals share three main pillars of remote work: remote support and management, remote access controls, and remote access infrastructure and device deployment strategies and best practices. This holistic approach is designed to give users a frictionless experience when they attempt to access resources.
Effective March 18, 2020, IBM is providing no charge access to MaaS360 UEM and IBM Cloud Identity IAM for new clients.*
Keep Mobile Bases Covered: Protect Smartphones, Tablets and Laptops Connecting Remotely
It’s important to note that the first function of a proper UEM platform is to perform the basics:
- Take remote actions (e.g., authorize device to access corporate network, push down apps and content, wipe device)
- Set policies needed to protect devices (e.g., set passcode policy, enforce encryption)
- Protect devices from threats (e.g., malware defense, jailbreak/root detection)
In a remote work environment, these basics become exceptionally important for a few reasons: over-the-air (OTA) enrollment may be the only way a new corporate device or a bring your own device (BYOD) can be configured for a user. In the case of a corporate device drop shipped directly to an employee’s home from a technology reseller or manufacturer, a UEM platform can be bound to the operating system for an out-of-the-box enrollment. Both Apple and Android have programs to support this in Apple Business Manager and Android Enterprise, respectively.
BYOD devices can be deployed via custom links sent to all employees to manually enroll a home laptop or tablet to gain access to critical applications and email.
Once employees have been properly set up, custom policies delivering anything from VPN profiles and app bundles to Wi-Fi, encryption enforcement, and download restrictions, can and should be configured to enforce corporate rules. If a user decides to go rogue and jailbreak a device or attempt to download a risky application, automated compliance actions can be setup to remove permissions and block access until the issue has been remedied.
Access Granted or Access Denied? The Decision Comes Down to Context
As remote workers access their critical apps – like Box, Salesforce, or digital classrooms – they shouldn’t have to jump through hoops – supplying one-time password verifications every time a new browser tab is opened.
With continuous authentication, deep context of a user is evaluated throughout their journey to determine an overall level of risk. While usage of a new device may prompt a user for multifactor authentication (MFA) the first time it is used for single sign-on (SSO), subsequent logins should remember this device within a user’s identity context. IBM Cloud Identity provides a seamless experience for low-risk users by delivering access on a per-application basis. Meanwhile, higher risk conditions can still be appropriately blocked or challenged through enforcement of robust access policies.
A smooth user experience and sense of security are often at odds with one another, especially with multiple devices in the equation; it doesn’t have to be that way.
Help Stop Hacks in Their Tracks with the Right Defense
Outside of tight device policies, automated compliance actions, and well-defined access controls, insidious things still lurk. Phishing is near-inevitable as 91 percent of cyberattacks begin with a phishing email. While corporate networks frequently have blacklisting built in to block phishing links from opening to a dangerous website or domain, residential internet service providers (ISPs) may not.
Thousands of users are suddenly interacting with the whole of the internet, unfiltered, as they traverse corporate resources. Bad actors are relying on public panic and misinformation to fool users into infecting their own systems for financial gain or to exfiltrate data. Once a user hits a phishing page and enters their credentials, they’ve crossed the threshold, surrendering sensitive information to a bad actor. The same actors are engaging in “SMShing” campaigns, where SMS messages are sent containing “useful” information about the virus. Simply tapping on these links can immediately infect your device and provide them with access. To proactively defend against these threats, help ensure your devices are UEM-enrolled and supported by Mobile Threat Defense (MTD).
Our IBM Security Services professionals also recommend setting up employee devices with the right device security, including next-gen AV software, host-based firewall, and/or endpoint detection and response (EDR). In addition, enable these devices to be remotely patched and updated with the latest firmware and software updates.
In addition to device defense, our experts recommend deploying remote access security for your core infrastructure, including servers, network, datacenters and applications. Every company will need to minimize risks to critical infrastructure, prevent the exfiltration of sensitive data and thwart lateral threat actor movement throughout the network. Your edge infrastructure (network connections, VPNs, and gateways) also needs to support the surge of users and the change in usage patterns. If bandwidth becomes a challenge, look at whether remote devices should route directly through the corporate network via VPN or if you can free up bandwidth with split tunneling.
Traditional VPN solutions can allow users to directly access the network with minimal control of lateral movement on the network. With the changing nature of remote access, the need to connect from any device, anywhere has led to solutions like Software Defined Perimeter (SDP) and Zero Trust Network Access (ZTNA). These solutions authenticate access to the cloud, restrict access with a “never trust, always verify” philosophy and can help enforce data loss prevention. Users can access public or private cloud resources but provides the security team inspection and security controls on the data being accessed.
Trust in IBM Security to Help Put Remote Work Within Reach
Now that you’re equipped with what you can do in the near term, how do you make use of it? Of course, time is of the essence as work-from-home needs increase at an exponential rate, and IBM Security wants to help ensure that the transition is smooth and successful for both your organization as well as — and in many ways, especially — for your employees.
To enable your organization to pivot immediately to address these new demands, IBM Security is offering at no charge access to two key technologies:
- Unified endpoint management through MaaS360 (for new accounts)
- SSO and MFA through Cloud Identity (for new accounts)
In addition, the IBM Security Services team is available to extend your security with virtual expertise through its Infrastructure and Endpoint Services.
Visit Think Digital Now
For more information about these capabilities, please visit these webpages:
* This access will be available for 90 days from account creation. Understanding that current circumstances are fluid, we will continually re-evaluate the situation; if conditions persist, the offer period may be extended. If you are an existing IBM UEM or IAM customer, we recommend working closely with your account manager to ensure you’re getting the coverage you need. IBM reserves the right to remove this offer at our discretion.