Hybrid work: How do you secure every identity on your network?

As organizations around the world continue optimizing their hybrid work environments, many are struggling to stay productive without compromising on security.

In this interview with Help Net Security, Ben King, Chief Security Officer EMEA / APAC, Okta, talks about the authentication challenges related to hybrid working environments, the state of passwordless authentication, and much more.

A hybrid working environment and an increased reliance on contractors has opened organizations to new risks. What are the main challenges when it comes to authenticating employees, partners and contractors?

Remote or hybrid working environments aren’t new, nor is using contractors to rapidly and flexibly add capability. What we’ve witnessed post pandemic is an acceleration of existing social, technological and digital transformations resulting in years’ worth of change delivered in weeks or months.

In the name of business continuity organisations have been forced to react rapidly, without proper planning, to ensure survival. In many cases this has generated technical and security debt which needs to be resolved before organisations can properly plan for their future.

When it comes to security there are multiple challenges top of mind. In terms of identity and access:

• How do we authenticate remote employees or external users? What factors are the most secure for our access requirements? What context can we gather to better enable this decision?
• How do we securely provision, manage and authenticate this access in a frictionless way?
• How do we govern privileged access?
• How do we interrogate and use what we know about user devices and context to help us make access decisions? Are access devices known, managed and secure?
• How do we govern access to sensitive resources? Is this risk-based? Role-based? How often do we audit this access?

In terms of people and process:

• How do we manage joiners, movers and leavers remotely? How can we automate this?
• Does security policy need to change? How do we best communicate that?
• Is the awareness training we’re providing effective to enable our people?
• Are remote staff still within their country of employment? Can they cross borders and does this generate legal or regulatory implications?

These questions are difficult enough for in-house teams. Adding partners or contractors to the mix means less direct control, so requires more due diligence up front:

• How do we assess contractors, suppliers and partners? How often do we revisit this assessment?
• Can we govern their device? How is it secured?

What advice would you give to an enterprise CISO that wants to enhance the security of a flagship customer-facing app while keeping user experience in mind?

Digital trust must be front of mind for businesses post-pandemic as consumer behaviour has changed for the long term. The focus is on digital consumption now more than ever. Digital trust is hard to build but easy to lose, as consumers and the media are hyper aware of criminal activity targeting them and the brands they follow.

In Okta’s recently released Digital Trust Index, 88% of respondents in the United Kingdom were unlikely to purchase from brands online they didn’t trust. This sentiment isn’t unique to the UK, and scores similarly across geographies. Most importantly, this figure is damning for organisations not taking digital trust seriously. An incident impacting trust, such as a data breach, gives rise to consumers readily taking their business elsewhere in an extremely competitive marketplace.

Consumers value their security and privacy, and appreciate transparency and control from the online brands they interact with. Often considered at odds with security, consumers expect a seamless digital experience at the same time.

But this doesn’t have to be a difficult problem to solve, and the answer is two-fold,

• Secure online channels and transactions, while
• Minimising friction to create seamless customer experiences

To build digital trust, security practices should be transparent to allow consumers visibility of the actions organisations take to protect their data. Organisations must demonstrate they are trustworthy custodians. In parallel consumers appreciate additional features demonstrating a responsive and proactive security posture such as the ability to submit suspicious activity reports, and organisations confirming access requests from new devices by email or another trusted channel.

The key to seamless experiences is using single-sign on (SSO) to allow users to access functionality using the identity provider of their choice, integrating their access throughout their online journey. This broad access against a single set of credentials does carry additional risk, so must be secured with multi factor authentication (MFA) to ensure access is legitimate.

The key to minimising friction is to define and operate a risk-based adaptive MFA experience, such that access to low risk resources is basic to authenticate into, while higher value resources require a step up in security to prove identity before access is granted.

To demonstrate with an example, users typically don’t mind having to authenticate with multiple factors to transact their online banking – this actually builds digital trust for a consumer. But, if they log in, navigate to another part of the website and are required to log in again they’ll become rapidly frustrated.

What’s your take on passwordless authentication? We’re seeing strong opinions on both sides.

Many organisations are already operating passwordless. In fact, Bill Gates predicted the death of the password in 2004.

Enabling passwordless operation necessitates that other, stronger factors are in use. Verizon’s 2021 Data Breach Investigations Report identified 61% of all breaches involved stolen credentials. If we can remove or reduce our reliance upon those easily stolen credentials we go a long way to stopping those breaches, or at least making them significantly more difficult for criminals to engineer.

Passwords are prone to being written down, commonly used, shared, re-used, phished, socially engineered, stolen, brute forced – or simply forgotten.

What’s important here isn’t the password, or lack thereof, it’s the combination of factors that creates strong protection. A password, passphrase or pin can remain a factor, the ‘something I know’, but needs to be used in combination with other factors to enhance protection – the ‘something I have’ and ‘something I am’. With enough strong factors enrolled the need for a password is reduced or removed, generating benefits for the user experience, IT service desk and security outcomes concurrently.

Security must exist to protect everyone, especially the more vulnerable in society. We need to be conscious that not everyone has access to all the factors we could propose. Not everyone has a fingerprint scanner on their phone, a camera on their desktop, a smartphone which can enable push notifications or a hardware token available. So, we need to develop solutions that work for everyone, which is why the broad variation of authentication factors is important.

Looking at the future, will we ever be able to secure every identity online? How close can we get to that goal?

Just as organisations and their security teams understand the increasing importance of identity in a remote or hybrid world, so do criminals. Targeted attacks to steal, manipulate or impersonate identities are increasing and this trend will continue. Securing every identity online may remain an aspirational goal, but by collectively investing enough in basic protections against credential-based attacks we can make these classes of attack less efficient or profitable.

Organisations have made progress securing their workforces and customers online. Identity-first security is a requirement for success in the post-pandemic world. Likewise governments are collectively moving towards modernising and securing citizen identities at a reasonable pace, within national boundaries (or within the EU for example).

If regulatory authorities can align on global norms in terms of data privacy expectations and know-your-customer requirements for social media, cryptocurrency, cross border and cyberspace transactions, the world would be a simpler and safer place. Like all good change, this will take time – and regulatory controls remain just one piece of a much larger puzzle.