Access vs security: A technological dilemma in a post-COVID-19 world
As a distributed, work-from-home workforce has become the new normal, organisations face a double-edged challenge: to ensure users have easy access to the corporate network while simultaneously protecting the network against unauthorised access.
That’s the view of Garsen Naidu, General Manager, Cisco, sub-Saharan Africa, who says what’s needed are authentication mechanisms that require remote users to prove who they are before they can access the corporate network. These mechanisms need to be sufficiently secure to protect against the rising onslaught of credential theft but remain easy to use.
At the same time, identifying trusted users is just one part of the secure access puzzle. Even a trusted user may be using a mobile device or computer that’s running out-of-date software, and out-of-date software leaves devices susceptible to vulnerabilities and open to threats like malware, ransomware and more.
Naidu was commenting on the 2020 Trusted Access Report from Duo Security at Cisco. The report looked at the security state of thousands of the world’s largest organisations by examining 26 million devices used for work and 700 million user authentication events per month relating to more than 500 000 unique corporate applications.
He points out that although remote work has become increasingly accepted in many industries over the past few years, the emergence of the coronavirus pandemic in 2020 meant organisations had to quickly accommodate remote work at massive scale.
The report found the pandemic further accelerated the move to cloud and hybrid environments, and all but ensured the disintegration of the traditional IT perimeter. Daily authentications to cloud applications surged 40%, the bulk of which came from enterprise and mid-sized organisations looking to ensure secure access to various cloud services.
In addition, authentication activity to technologies such as virtual private networks (VPN) and remote desktop protocol (RDP) swelled 60% during the first few months of mandatory work from home, helping propel Duo’s monthly authentications from 600 million to 900 million per month.
The work-from-home trend is poised to continue in some capacity, with many large companies having announced they’ll extend remote work until at least mid-2021 and possibly beyond. Global Workplace Analytics has estimated that 25% to 30% of the total US workforce will continue working from home multiple days a week at least until the end of 2021. Twitter, for example, is one of several businesses to have announced that employees can work from home indefinitely.
“As the pandemic began, the priority for many organisations was keeping the lights on and accepting risk in order to accomplish this,” says Dave Lewis, Global Advisory CISO, Duo Security at Cisco. “Employees were forced to use personal or unmanaged devices to try and access their corporate networks. As a result, blocked access attempts due to out-of-date devices increased by 90.5% in the first three weeks of March.”
This is hardly surprising given that an earlier Cisco survey found that 81% of corporate network breaches involved compromised credentials and 52% of survey respondents stated that mobile devices were challenging to defend.
“Attention has now turned towards lessening risk by implementing a more mature and modern security approach that accounts for a traditional corporate perimeter that has been completely upended,” Lewis says.
“One of the outstanding findings in the Duo report is that long-established authentication mechanisms, such as passwords and SMS, are finally being acknowledged as no longer sufficient,” Naidu says.
Despite the fact that the National Institute of Standards and Technology (NIST) deprecated SMS as an out-of-band authenticator in its 2016 draft of the Digital Identity Guidelines (SP 800-63B), SMS is still one of the most common methods used for two-factor authentication (2FA). The weakness is that an SMS code is only as secure as the phone number it is sent to, and a SIM swap hands that number to an attacker. Even presumably tech-savvy individuals such as Twitter CEO Jack Dorsey have fallen victim to SIM swaps.
Now, according to the Duo report, the prevalence of SIM-swapping attacks has driven organisations to strengthen their authentication schemes and the percentage of organisations that enforce a policy to disallow SMS authentication nearly doubled from 8.7% to 16.1% in the past year.
Passwords too – compared in the report to the ancient writing system “cuneiform” – appear to be reaching their sell-by date.
“Passwords have been proven ineffective as a security measure – they are relatively easy to crack because people tend to use the same password across multiple sites and applications or use passwords that are too short or too simple. Instead, businesses are starting to rely increasingly on biometrics,” Naidu says.
Mobile devices account for 15% of corporate access (iOS: 11.4%, Android: 3.7%). There has been a significant increase in the use of phones with biometrics enabled, such as Apple Touch ID and Face ID and Android fingerprint scanners: the report found that 80% of mobile devices used for work have biometrics configured, up 12% over the past five years. A biometric lock, however, says nothing about the network the device is on or how it handles corporate data, so it can be almost impossible to ensure that employees are using trusted networks and securing their data properly.
“In these circumstances, it is imperative that organisations have policies in place to ensure good device health and establish device trust. Without that, even the most comprehensive security protocols could be compromised,” he concludes.
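The two policy controls the report measures, disallowing SMS as a second factor and blocking access from out-of-date or untrusted devices, can be expressed as one access-policy check that is evaluated per authentication attempt. The following is an added example written for this page, not Duo’s or Cisco’s code: the minimum OS versions, the factor names, the “unmanaged device must have a biometric lock” rule and the sample authentication attempts are all constructed assumptions. It reports every failing control rather than only the first, which is what lets a team produce the kind of blocked-by-reason tally the report quotes.

```python
"""Toy access-policy evaluator: device health plus second-factor strength.

Added example, not code from Duo or Cisco. All thresholds and the sample
authentication attempts are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Minimum accepted OS version per platform (assumed values; a real policy
# would track vendor patch releases and tighten these over time).
MIN_OS_VERSION = {
    "iOS": (13, 6),
    "Android": (10,),
    "macOS": (10, 15, 6),
    "Windows": (10, 0, 18363),
}

# Second factors the policy recognises. SMS is listed so that it is rejected
# explicitly by policy rather than falling through as an unknown method.
KNOWN_FACTORS = {"sms", "totp", "push", "webauthn"}


@dataclass(frozen=True)
class Device:
    platform: str
    os_version: str        # dotted string as reported by the endpoint, e.g. "13.5.1"
    managed: bool          # enrolled in the organisation's device management
    biometric_enabled: bool


@dataclass(frozen=True)
class AuthAttempt:
    user: str
    device: Device
    second_factor: str     # a KNOWN_FACTORS entry, or "" when only a password was presented


def parse_version(text: str) -> tuple:
    """Turn "13.5.1" into (13, 5, 1); non-numeric components become 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def version_at_least(actual: tuple, minimum: tuple) -> bool:
    """Compare versions of unequal length by right-padding the shorter with zeros."""
    width = max(len(actual), len(minimum))
    padded_actual = actual + (0,) * (width - len(actual))
    padded_minimum = minimum + (0,) * (width - len(minimum))
    return padded_actual >= padded_minimum


def os_is_outdated(device: Device) -> bool:
    """Unknown platforms fail the health check rather than passing by default."""
    minimum = MIN_OS_VERSION.get(device.platform)
    if minimum is None:
        return True
    return not version_at_least(parse_version(device.os_version), minimum)


def evaluate(attempt: AuthAttempt, allow_sms: bool = False) -> tuple:
    """Return (allowed, reasons); every failing control is reported, not just the first."""
    reasons = []
    factor = attempt.second_factor
    if not factor:
        reasons.append("no second factor")
    elif factor not in KNOWN_FACTORS:
        reasons.append(f"unknown second factor: {factor}")
    elif factor == "sms" and not allow_sms:
        reasons.append("SMS second factor disallowed by policy")

    if os_is_outdated(attempt.device):
        reasons.append(f"out-of-date device: {attempt.device.platform} {attempt.device.os_version}")

    # Assumed device-trust rule: hardware the organisation does not manage
    # must at least carry a biometric lock before it reaches corporate apps.
    if not attempt.device.managed and not attempt.device.biometric_enabled:
        reasons.append("unmanaged device without biometric lock")

    return (not reasons, reasons)


def block_summary(attempts, allow_sms: bool = False) -> Counter:
    """Tally denial reasons across attempts (the detail after ':' is dropped)."""
    counts = Counter()
    for attempt in attempts:
        _, reasons = evaluate(attempt, allow_sms)
        for reason in reasons:
            counts[reason.split(":")[0]] += 1
    return counts


# Constructed sample attempts (not real telemetry).
SAMPLE_ATTEMPTS = [
    AuthAttempt("alice", Device("iOS", "13.6", True, True), "push"),
    AuthAttempt("bob", Device("iOS", "13.5.1", False, True), "sms"),
    AuthAttempt("carol", Device("Android", "9", False, False), "totp"),
    AuthAttempt("dave", Device("Windows", "10.0.19041", True, False), "webauthn"),
    AuthAttempt("erin", Device("macOS", "10.14.6", True, False), ""),
]

if __name__ == "__main__":
    for attempt in SAMPLE_ATTEMPTS:
        allowed, reasons = evaluate(attempt)
        print(f"{attempt.user:6} {'ALLOW' if allowed else 'DENY '} {'; '.join(reasons)}")
    print(dict(block_summary(SAMPLE_ATTEMPTS)))
```

Running the script denies three of the five constructed attempts for an out-of-date OS, which is the single most common reason in this sample, and denies bob for SMS even though his device is otherwise trusted; passing `allow_sms=True` shows how a transitional policy would still stop him on device health alone. The version comparison pads shorter version strings with zeros so that "10.0" and "10.0.0" compare equal, a detail that trips up naive string comparison of OS versions.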