In late 2019 or early 2020, the workplace environment would drastically change. The COVID-19 pandemic was sweeping the world, and people were told to avoid large groups and only go out when needed. The disease was very contagious and could be deadly for those with certain health conditions. The precautions people were told to take would not mix well with the typical office environment—many people sitting close together indoors.
Companies now had to figure out how to continue operations but with employees working from their homes. As time passed, we found that companies could continue even with their employees working remotely. More and more positions were offered remotely, often with company laptops being mailed out to employees. Fast forward to 2023, and the remote job movement is still around. Almost 13 percent of full-time employees still work from home, with a prediction of 22 percent by 2025. That translates to over 32 million Americans working from home in the next few years. Then add in hybrid workers (part of the time remote, part of the time on site), who make up 28 percent of the workforce, and the numbers show that working from home is here to stay.
Collaborative tools like Zoom and Teams have made working remotely much easier; however, people no longer work in the confines of a company’s private Internet or Intranet. Security risks now become important as people work from their laptops and review proprietary content over the “dirty internet.” Security teams must be more vigilant than ever to help protect a company’s assets while their workforce is dispersed worldwide. One significant way this happens is through Identity Access Management (IAM).
IAM is a web service that helps organizations securely control access to resources like O365, proprietary systems, and network infrastructure. The security team sets up IAM to control who is authenticated (signed in) and authorized (has permissions) to use resources. IAM can be configured at a granular level, granting different permissions to different people for various resources. For instance, Finance can have read, write, and modify permissions within a payroll platform, while a regular employee may have only read and print permissions. IAM can also run fully automated monitoring and remediation capabilities to prevent identity-borne threats in the cloud environment proactively.
To make access to resources remotely even more secure, Multi-factor Authentication (MFA) can be added. MFA requires users to provide a password or access key to work with an account and a code from a specially configured device (e.g., cell phone, tablet, etc.). An MFA vendor (e.g., Microsoft Authenticator) often has a six-digit number to enter that resets every 15 to 30 seconds. The user can only access the account or resource if the correct number is provided.
If you think MFA sounds familiar to Single Sign-On (SSO), then you would be correct; however, there are differences in how they operate. SSO has the mindset of authenticating with one set of credentials, while MFA requires a user to provide multiple forms for authentication. In other words, SSO prioritizes user convenience, while MFA focuses on security. This does not mean that MFA should always be used, but instead, both could be used in conjunction depending on the setup of the infrastructure and security requirements. For the case of remote workers, MFA would be a better choice to ensure the right people are remotely accessing what they have permission to access, and MFA aligns closer with the zero trust architecture that many IT systems are moving towards.
IAM Challenges in the Work-from-Home Era
The size and complexity of enterprise systems can be overwhelming for cybersecurity teams without the proper resources or personnel to keep track of the company’s changing infrastructure. IAM is only as good as the strategy that is in place to enforce it. In 2022, a study found that only 16 percent of respondents (1,043 surveyed) had a fully mature IAM strategy characterized by fully operating programs, skilled workers, and C-level/board executive awareness (Security Magazine, 2022). Thirty-five percent of those surveyed were confident that users complied with IAM policies.
A big reason for the low confidence is all the moving parts of cloud computing that bring the office to the remote worker. Components are refreshed, vendors can change, and other factors can affect the company’s infrastructure. A security team could easily fall behind if they are not provided everything they need to succeed. Further, IAM policies and governance need to be in place for IAM to successfully prevent unauthorized users from accessing resources. Here are some of today’s IAM challenges with remote work, according to professionals in the Cybersecurity field:
- Consistent Policies—One of remote work’s main IAM challenges is maintaining consistent and coherent policies across different locations, devices, and networks. Remote workers may use their own devices, personal accounts, public Wi-Fi, or cloud services, which can introduce security risks and compliance issues. Moreover, remote workers may have different roles and responsibilities, requiring separate access and privileges. Establishing and enforcing clear and uniform policies for remote work, such as password rules, MFA, encryption, and audit logging is essential.
- Efficient Provisioning—Another challenge is to enable efficient and timely provisioning of remote workers. Provisioning is creating, updating, or deleting user accounts and access rights. Remote workers may have frequent and diverse provisioning needs, such as joining or leaving a project, changing roles or teams, or accessing new or different resources; therefore, automating and streamlining identity governance, self-service portals, or workflow management is essential.
- Robust Monitoring—Continuously monitoring remote workers is a big challenge. Monitoring is the process of collecting, analyzing, and reporting on user activities and access events. Remote workers may be more prone to insider threats like data leakage, fraud, or sabotage. It is crucial to perform comprehensive and proactive monitoring of remote work and telecommuting, such as using identity analytics, anomaly detection, or alerting systems.
IAM Benefits in the Work-from-Home Era
As mentioned, IAM ensures that personnel with the proper credentials are authenticated to access specific company resources. The security benefits over traditional SSO make IAM a good match for remote employees. A mature IAM setup can provide the following for a company (TechTarget, 2023):
- Automation—Reduce operational expenditure by initiating, capturing, recording, and managing user identities and related access permissions.
- Security—IAM reduces cyber risk and secures the business against cyber threats by providing a robust security setup that authenticates and authorizes users (MFA).
- Personnel Changes—Ensures ongoing security during staffing changes by modifying permission as employees leave a company or move to a different position. IAM’s automation can handle this task when employees’ information is updated.
- Auditing and Compliance—IAM maintains compliance with external regulations and internal governance policies by providing audit trails and logs of user activities.
- Centralized Management—Provides a centralized platform to manage user identities and access rights across the organization.
- Adaptive Access Policies—IAM can analyze employee behavior and apply adaptive access policies based on anomalies or deviations from typical patterns.
- Scalability—IAM, like cloud computing, can be scaled as a company grows while maintaining security, compliance, and centralized access management.
- Service Desk—Drive down IT service desk demand by IAM handling employee onboarding requirements and changes in permissions.
The security team will need to take a few steps for a successful IAM integration. First, they must assess their company’s needs, the remote work situation, and existing IT infrastructure. A foundation of what exists will help with the following steps to implementing IAM. As with any solution, IAM is provided by many providers. The security team must determine what vendor to use based on needs from the first step, scalability options, and costs. Once a provider has been picked, the remote employees will need to be trained in IAM best practices and understand the importance of IAM. Training will help foster a security-conscious culture. The last part is ensuring we stay informed on IAM technology as it evolves. Maybe a new version is released, or a vendor provides a more robust offering for your needs. The goal is to have the best IAM configuration for your company and remote workforce that will keep information safe.
IAM is an indispensable framework in today’s remote work landscape, offering multifaceted advantages across various domains. IAM streamlines user authentication, authorization, and management, fostering heightened security protocols and mitigating the risks associated with unauthorized access. It bolsters regulatory compliance, enhances operational efficiency, and promotes a seamless user experience by granting appropriate access to the right individuals at the right time. Furthermore, IAM facilitates the integration of diverse technologies and applications, fostering innovation and scalability within organizations.