Shifts in the way that enterprises and government organizations implement identity management technologies already were underway before the coronavirus pandemic struck. The sudden influx of remote work, however, has forced security personnel throughout the U.S., and the world, to accelerate plans to mitigate cyber risk.
“When billions of people formed the largest remote workforce ever, overnight, pretty much we knew security, compliance and identity would not be small issues for folks,” said Ann Johnson, Corporate Vice President of Security, Compliance and Identity Business Development at Microsoft during a virtual presentation Oct. 21 at CyberTalks, the annual summit of security leaders from the government and private sector presented by Scoop News Group.
Johnson went on to provide insights on how chief information security officers have adapted to a world where telecommuting is now the norm. Now, she said, more people are starting to look ahead, too.
One such organization that was forced to consider the issue, Johnson said, was the City and County of San Francisco. There, municipal administrators helped 25,000 transition government workers to work from home by trusting Microsoft Teams with their service and security. The platform has provided San Francisco, among other clients, with chat and call collaboration opportunities throughout the government, while also supporting external-facing capabilities, such as live streams for public meetings.
Fifty-four percent of the chief information security officers surveyed recently by Microsoft reported that they had operational resilience plans that prepared them adequately for the pandemic. Meanwhile 42% of organizations reported that they expect their workforces to remain working from home for the long term foreseeable future.
Other organizations that were not prepared for the sudden shift, Johnson said, should consider implementing zero-trust concepts. Broadly, zero trust is a mindset that security personnel use to describe how they intend to verify each digital interaction. It means enabling strong authentication and authorization capabilities based on all available data points, including a user’s identity, location, device health service or workload.
Other principles of zero trust involve granting people access to data only when necessary, for the time period they need that access, and only for the specific purposes for which they need that authorization. Organizations also must “assume breach,” meaning they operate with the expectation that a data breach has occurred, and thus apply concepts like micro-segmentation to devices that cannot be patched and use real-time analytics to gain visibility more quickly.
“We encourage you to develop a cyber-resilient mindset so you can withstand a cyberattack and keep your services online for your citizens and for your employees,” she said. “We also encourage you to continue looking at the risk in your organization and mapping your priorities to the risk appetite of your organization and mapping your security to that. We want to future proof your organization against data rescue.”
View the full video recording on demand, on Day 3 of CyberTalks, at CyberScoop.
This article was produced by CyberScoop and underwritten by Microsoft.