Workplace technological advancements have enhanced productivity while also adding complexities. IT and security teams are struggling to comply with regulations and keep threat actors from breaching their settings. It’s critical now more than ever to have a system where trusted access and activities can be enabled with the minimum amount of disruption for the end user.
According to the 2021 Duo Trusted Access Report, a digital worker at an enterprise organization in the United States today has access to more than 50 applications and at least two devices from which to access them. It’s difficult to remember all of the user names, URLs, and passwords of the applications and it’s not getting any easier.
IT and security teams are continuously battling to comply with regulations and keep their environments safe and secure. The logical approach is to add extra security controls to all access requests, but this has the drawback of adding friction to the end user.
What’s the best way to strike the proper balance and strategy when it comes to providing trusted access to the workforce? Here are three suggestions for businesses to consider.
Also Read: Securing the Future of Work
All Users and Applications Need Strong User Authentication
The risk of a breach is significantly reduced when every application and user have robust user authentication. After all, passwords are easy to breach.
Even if a password is hacked, multifactor authentication (MFA) provides strong control. MFA is used by most enterprises, however it isn’t enabled for every application. Security is only as good as the weakest link. It’s critical to have a plan in place to implement multi-factor authentication (MFA) for all login requests in the company, with no exceptions. To avoid MFA fatigue for end users, IT and security teams can use single sign-on and adaptive authentication policies. They can only demand for authentication from a user if anything has changed or if the risk is severe.
The authentication factors used by enterprises for MFA are important. One-time passcodes (OTPs) sent by SMS, for example, are no longer secure since attackers can steal them via man-in-the-middle techniques or by tricking users into disclosing the OTPs using a hacking tool. Still, it’s preferable to having no MFA.
It’s critical to use stronger authentication methods like mobile push or U2F. Modern password-less solutions can also be considered by IT and security teams, which eliminate the need for passwords and instead rely on U2F and biometrics incorporated into devices for strong authentication.
Before granting access to applications, inspect the end user’s device
Keeping all operating systems and browsers up to date for all end user devices gives organizations the biggest bang for their buck. End users should be able to maintain their devices. They can, for instance, employ authentication technologies to alert users when their devices need to be updated. If a device is not up to date, security-conscious enterprises can prevent it from accessing vital apps.
It’s also important to check the device to determine if disk-level encryption is enabled and the host-level firewall is turned on. IT and security teams should create a checklist of attributes to analyze and implement a device posture program. They can, for example, make the installation of their corporate-approved antivirus agent a prerequisite for any device wishing to connect to the on-premises network or use applications.
Also Read: Securing Cloud Environments with a Multi-Cloud Security Strategy
Reduce friction for the end user at every step
Employees don’t want to think about compliance and security all of the time; they just want to get their work done. What if the quickest way to complete a task is also the safest?
To access a custom on-premises application in a traditional organization, for instance, the user must first log into a virtual private network (VPN). Using a VPN increases the amount of friction. Enterprises are also allowing users excessive access to the entire network if they are not properly configured, instead of limiting them to only the application they require.’
Remote-access solutions that don’t require a VPN make it easier to publish on-premises applications as cloud apps. As a result, the user just logs on without using a VPN, similar to how they log into a cloud application.
In order to decide whether to provide access, modern trusted access solutions inspect the device, the user, and the user’s behavior in real time. These systems are growing so that they can evaluate attributes once a user logs in and provide continuous trusted access.
Updates follow us on Google News ITsecuritywire News. Please subscribe to our Newsletter for more updates.
