Out with the old, in with the new – Remote Work and Identity Management

The past year has seen many companies take serious measures in order to remain operational during the pandemic. Traditional offices have made way for remote workers logging in from across the globe on a variety of different platforms.

This in turn meant that a lot of the traditional security measures that IT teams implemented were no longer viable or strong enough to protect their staff and their companies.

When the pandemic started, we saw a huge influx of SMBs whose sysadmins were really at breaking point. First off, they were trying to juggle dispatching their entire workforce to their homes and expecting them to operate at the same level that they were while in the office, and with the same access to resources, all at relatively short notice. Second, they had to continue doing their job of maintaining a high level of security for their companies.

Why the old approach no longer works

Many of these smaller companies will have been around for a decade or so and, generally speaking, will have been using on-premises style technologies for security and for access control. It was clear that these simply weren’t sophisticated enough to operate with a remote workforce. Peter Steiner’s New Yorker cartoon captures this: “On the Internet, no-one knows you’re a dog.” For many sysadmins at those SMBs, this was brought abruptly home to them in the pandemic. Was it really their employee logging in to resources from those remote work locations?

In the world of IT management, the office network is typically referred to as the ‘domain’. Since the COVID-19 pandemic hit and lockdowns were rolled out across the globe, employees can no longer easily connect to the domain and access their applications which often are protected behind perimeter-based (e.g. ‘domain-based’) firewalls, and companies cannot rely on that domain to keep things secure. Typically companies would have a domain-controlled set of security standards that consist of approved equipment and software connected to internal networks – this is the standard, pre-remote approach that offers what we would consider base level network perimeter-based protections.

Many companies, particularly those in the SMB bracket, had hit a brick wall as they simply weren’t prepared to embrace home working and become what we’ve coined as the domainless enterprise. This term describes the ability for an employee to work from any location, on any trusted device, without running into barriers.

When March 2020 arrived and every company had to shift their entire workforces to working from home, sysadmins were faced with some big dilemmas. Should they allow access for employees working on tens or hundreds of independent networks via their home routers? How secure are those home networks – do they have strong encryption in place to keep them secure, or do they rely on a standard username and password assigned by the service provider? Are they working from a company-issued machine with security we know is in place – or perhaps on a home computer we know nothing about? This is compounded by a multitude of variables that need to be verified like user credentials, known networks and devices. If a company’s IT department can’t verify these, they put their organisation at risk.

When employees are inside the walled garden of domain networks, there’s theoretically  nothing to worry about when it comes to security. When that all breaks down and work happens outside that security construct, companies have to change their approach. When companies can no longer rely on the traditional approach, they have to adopt new models that take into consideration the variables of remote work. The industry has adopted a term for this: Zero Trust. In its simplest definition: trust nothing and verify everything when you are not within your network.

Everything from the user, to the hardware, to the network must be verified before any sort of transaction or connection can be made. Thankfully this approach isn’t complicated – often it involves using a form of multifactor authentication to prove that each employee is who they say they are using something they have, such as a code requested from the user and sent to their mobile phone. This has now become the standard for many companies to ensure security standards are met while also making the process of authentication as straightforward as possible for employees

Where do we go from here?

Many countries are now in the process of lifting lockdown restrictions, and some companies may start to return to the office. For many, the COVID-19 pandemic and lockdown has completely changed the work landscape. Employees have got used to the flexibility that comes with remote working where the office is now their kitchen table, study or living room. Equally, companies have seen productivity continue for many of their staff, making them think about whether they need as much office space as they had in the past.

Most companies will have found some benefits over the past year around flexibility for workers, and so even if they do return to the office, they will want to keep those benefits over time. At the same time, planning ahead around security can help everyone work more efficiently.

The most effective way to keep pace with this is to adopt a trusted device approach. Remote working means that being able to identify and verify a device is absolutely crucial. This works well for SMBs because it’s easy to roll out and manage while providing the right kind of security. With trusted devices implemented, the edge of a company’s corporate network is then wherever an employee is located when they connect.

This will be a huge relief to sysadmins who can gain back the time and energy required to manually approve individual employee devices and networks, and also to employees who can avoid the often complicated process of gaining access to resources. Trusted devices essentially say: “I am who I say I am, let me get on with my work.”

Looking ahead, it seems more than likely that we will continue to embrace a balance between office and remote working. One thing the pandemic has shown us is that the tools needed to adapt are available, and it’s the job of sysadmins to respond to this shift with the right services for their companies, whether they work for a huge multinational or an SMB.

Identity management is a key component of successful remote working, but getting it right means finding the balance between security and accessibility. Employees don’t want to have to jump through hoops in order to access company networks and resources as well as other infrastructure like Microsoft 365, Google Workspace, and so on. All of these currently have their own respective security “gates” that have to be unlocked, so a service that can unify all these into one point of access is going to make the entire process easier for everyone in the company.