Strike a balance: Ensuring secure remote work without hindering productivity

Remote work will be a permanent scenario for many organizations, according to the CIO Pandemic Business Impact Survey 2020. This underscores the need for policies that secure remote data access without inhibiting user productivity.

“Given the paradigm shift to remote work, companies must protect their IT infrastructure — including networks, application servers, and VPN access points — against distributed denial-of-service attacks comprehensively on all levels and across all platforms,” says Marc Wilczek (@MarcWilczek), COO at Link 11.

We asked IDG’s Influencer community of IT professionals, industry analysts, and technology experts how organizations can balance strong, secure access with user productivity needs. Striking the right balance can be a daunting task.

“Users want to be secure, but even more so, they need to get their job done,” says Larry Larmeu (@LarryLarmeu), Service Transformation Leader at Accenture. “The prohibitive legacy method of securing networks by blocking ‘insecure’ methods only led users to seek creative workarounds, often ending up with data breaches due to random unsecured cloud stores or corporate data ending up in personal email boxes.”

Productivity and security begin with access

The IDG influencers say that striking the proper balance between security and user productivity begins with defining data and access.

“First, know where all of your digital assets are,” says Tristan Pollock (@pollock), Head of Community at CTO.ai. “List them out: Accounts, IP, photos, domains, etc. Make sure you have a vault of all of this information.”

Next, make sure the right people have the right level of access to the right data resources. That requires a shift in perception, says Jason James (@itlinchpin), CIO with Net Health: “If you ask any user, they will quickly respond they need full access to everything to do their job. Even as CIO, I do not have admin or root access to production environments, as there is no valid need for me to have such access.”

James advises his peers to do their due diligence. “While no one wants to impact user productivity, the greater risk would be to provide unnecessary access to silence a user request,” he says.

Next, create policies around data access, says Jack Gold (@jckgld), Principal Analyst and Founder at J. Gold Associates. “Keeping data accessible while also keeping it secure and/or private requires that data have a policy control mechanism, so that only relevant data is able to be accessed by individuals. You don’t want to completely restrict data access, as many users can gain meaningful insights.”

Gene De Libero (@GeneDeLibero), Chief Strategy Officer at GeekHive, agrees: “We’ve seen many instances where stringent security policies coupled with poorly managed company networks and improperly implemented digital asset management systems have contributed to a sharp reduction in employee productivity.”

Defining proper access controls is critical, says Ben Rothke (@benrothke), Senior Information Security Strategist at Tapad. “For example, even if a person has the funds in their account, they can’t just walk into a bank branch and ask for their $100,000 in cash,” he says. “Amounts like that need advance notice, authorization, and preparation. Data needs to be managed, controlled, and secured in a similar manner.”

However, don’t let access and control decisions become stymied. “The last thing organizations need today is analytics paralysis because no one takes ownership in defining the security and policies around digital and data assets,” says Isaac Sacolick (@nyike), President of StarCIO and author of the book Driving Digital. “A best practice is to assign data owners to define authorization, usage guidelines, data security policies, compliance requirements, and any data privacy, sovereignty, and regulatory concerns.”

Using strategy and technology for data access

The IDG influencers recommend that once access definitions and policies are in place, IT and security teams can do two things: bake them into an overall data strategy and use modern tools to maintain them.

“Security needs to be part of the digital asset creation and maintaining process — ideally, seamlessly to not introduce friction and process latency,” says Mike D. Kail (@mdkail), IT Director, Palo Alto Strategy Group. “When security is a periodic, scheduled activity, that’s when it tends to hinder productivity and cause contention amongst teams and users.”

When it comes to tools, experts recommend starting with a good digital asset management (DAM) system.

“Developing a solid strategy for effectively deploying and configuring a digital asset management (DAM) system will go a long way toward providing the security and compliance corporate audit departments demand while fostering collaboration, improving workflow, and enhancing overall productivity,” says De Libero.

Gold agrees: “A good data management toolset will include the appropriate data policy enforcement capabilities, and should be a key part of any data strategy.”

Next, turn to solutions that make it easy for users to access the data they need.

“Organizations can ensure their digital assets are secure without inhibiting user productivity by focusing on user experience first,” says Will Kelly (@willkelly), Technical Marketing Manager at Anchore. “They should secure digital assets with single sign-on (SSO) or, better yet, a Zero Trust security solution on cloud collaboration platforms.”

On the road to SSO, security and IT teams can take a number of incremental steps, such as deploying multi-factor authentication (MFA), to make things easier on users.

“Some enterprises are implementing ‘remember me [MFA]’ for 30-day stretches to improve the user experience without a security tradeoff,” says Frank Cutitta (@fcutitta), CEO and Founder of HealthTech Decisions Labs. “But even more important, CISOs are trying to increase the interoperability of 2FA across disparate databases, warehouses, and edge devices so as to eliminate ‘2Fatigue’ on the user and the system.”

On the back end, deploy solutions with baked-in capabilities that help IT security teams more easily manage remote access.

“When it comes to safeguarding digital assets and avoiding business interruptions, it is generally important that modern security solutions are based on AI and machine learning,” says Wilczek. “This allows any anomalies in traffic patterns to be detected in real time. Through automation, human error in mitigation is precluded

Kayne McGladrey (@kaynemcgladrey), Security Architect at Ascent Solutions, agrees: “Microsoft 365, for example, allows for automatic classification and labeling of unstructured data, but also permits users to provide a justification when the automation gets it wrong.

“Combined with automated data loss prevention, this can allow a business to easily enforce and report on policies for sharing non-public data both inside and outside of their organization,” he says.

At the end of the day, IT should be an enabler. “Often it doesn’t have to be security vs productivity,” says Pollock. “It can be secure productivity with the right tools. Put the time in upfront and you’ll save countless hours on the back end.”

