Time to Kill A Few Sacred Cows
In times of crisis the knee-jerk reaction is to close everything down, reduce risk as far as possible and aim for the never-achievable 100% security: “Quick, turn off the cloud”. Security is not a binary discipline, though. The aim is a degree of confidence, not the eradication of all risk, and the decisions that matter have to be made quickly: what level of risk is acceptable, and what mitigation is available.
Threats are changing with the changing nature of work, but they are not necessarily getting worse, and there is always a balance to strike between productivity and security. While employee stress levels are high, is now the time to be over-zealous in applying strict rule-sets? Your helpdesk staff are under pressure and may be short-staffed, so this is not the moment to set restrictive policies that generate more calls and more upset. We in IT are here to enable productive employees; this is a chance to review what we do and be open to change.
Now, a few weeks in, we have time to review the lessons learned and put in place a longer-term strategy for increased home working that balances employees' needs and control. Here are a few suggestions for both short- and medium-term actions.
Short Term Actions
Learn from your employees. Conduct a survey asking them to list the most useful applications they have used during lockdown; you may learn about a particularly effective app or service you should embrace.
Review your helpdesk tickets. Now is a great time to report on your users' helpdesk needs. Are there common threads? They may point to new education or to changes in policy.
Sacred cow 1: Block anything I don't know. For example, is it appropriate to block all previously unknown or uncategorised web sites? The aim is to block new sites that may harbour malware, but done badly it is over-zealous and likely to have unintended consequences. An employee who needs a previously uncategorised site and is blocked on their company device may try to get through via a personal VPN, a proxy site, a newly installed browser or an unmanaged device. Now they are reaching the site with none of your device and data controls, which is a higher risk than allowing those few new URLs to be accessed from the secure device. Remember, too, that “uncategorised” only means the categoriser has not seen the site yet; it is not evidence that the site is malicious.
There are, as always in IT, other ways to address the risk of unknown web sites: warn users but let them reconfirm that there is a business reason, allow new URLs while they are reviewed, or deploy browser isolation technology to safeguard the end device. One of these should be right for most organisations.
Sacred cow 2: Email file attachment size. During times of change, review the policies that have existed for years and ask whether they are still appropriate. A simple one is the maximum file size you accept through email. No doubt this policy was put in place when bandwidth was narrow and costly, and file storage and email scanning were difficult or expensive. Are those things still true? What do your users do today if a file cannot be sent via email? Do they sometimes fall back to a riskier service without telling you? If so, it is surely better to let large files go through email: email is, after all, logged and scanned, and you can apply DLP and other controls to it.
Sacred cow 3: Forced password changes. Most organisations still force users to change their passwords regularly “because … well, security”. Papers from CESG (now part of the NCSC) and others point out that having to change passwords makes employees more likely to choose shorter passwords and simply increment a digit at each change. Next time around, tell them this is the last forced change and encourage them to pick a long phrase that is hard to guess. See the CESG guidance here:
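The “warn and reconfirm, allow while reviewed” option above, written out as a decision point a proxy or secure web gateway could call. This is an added illustration, not code from the article or from any product; the category names, the seven-day review window and the audit-log format are assumptions.

```python
"""Uncategorised-site handling: warn and allow with a business reason, and
log the site for review, rather than hard-blocking everything the
categoriser has not seen.

Added illustration, not code from the article or from any proxy product.
Category names, the review window and the log line format are assumptions.
"""
import time
from typing import Dict, List, Optional, Tuple

BLOCK_CATEGORIES = {"malware", "phishing", "command-and-control"}  # assumed
ALLOW_CATEGORIES = {"business", "news", "software", "education"}    # assumed
REVIEW_WINDOW = 7 * 24 * 3600  # assumed: seconds a justified site stays open


class UncategorisedSitePolicy:
    """Decision point for a web proxy / secure web gateway."""

    def __init__(self) -> None:
        # host -> (first allowed at, user, justification). A reviewer works
        # through this queue and either categorises the host or blocks it.
        self.review_queue: Dict[str, Tuple[float, str, str]] = {}
        self.audit_log: List[str] = []

    def decide(self, host: str, category: Optional[str], user: str,
               justification: Optional[str] = None,
               now: Optional[float] = None) -> str:
        """Return 'block', 'allow' or 'warn'.

        'warn' means: show the interstitial asking the user to confirm a
        business reason; the browser resubmits with `justification` set.
        """
        now = time.time() if now is None else now
        if category in BLOCK_CATEGORIES:
            self._log(now, user, host, category, "block")
            return "block"
        if category in ALLOW_CATEGORIES:
            return "allow"

        # Uncategorised (None or an unknown string) is not evidence of
        # malice, so no hard block. If someone has already justified this
        # host and it is still within the review window, allow without
        # friction; otherwise ask for a reason, then allow and queue it.
        entry = self.review_queue.get(host)
        if entry and now - entry[0] < REVIEW_WINDOW:
            return "allow"
        if not justification:
            self._log(now, user, host, category, "warn")
            return "warn"
        self.review_queue[host] = (now, user, justification)
        self._log(now, user, host, category, "allow-pending-review")
        return "allow"

    def expire(self, now: float) -> List[str]:
        """Close review entries older than the window; returns hosts closed.
        A host that is still needed after that will be re-justified."""
        closed = [h for h, (t, _, _) in self.review_queue.items()
                  if now - t >= REVIEW_WINDOW]
        for h in closed:
            del self.review_queue[h]
        return closed

    def _log(self, now: float, user: str, host: str,
             category: Optional[str], action: str) -> None:
        self.audit_log.append(
            f"ts={int(now)} user={user} host={host} "
            f"category={category or 'uncategorised'} action={action}")
```

Every decision on an uncategorised host is logged with the user and the reason, so the review queue is a record of real business demand rather than a list of sites someone bypassed the proxy to reach.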
“Regular password changing harms rather than improves security, so avoid placing this burden on users. However, users must change their passwords on indication or suspicion of compromise.”
Sacred cow 4: Ditch the VPN. A VPN delivers a few elements of security, mainly encrypting traffic in transit and hiding the user's IP address. The downsides are cost, slower traffic from inefficient backhauling, and congestion. Most web, email and cloud traffic is already encrypted with TLS today, so review whether the VPN still gives you any benefit; perhaps it is only relevant for heritage applications that cannot be reached securely any other way. Decide which parts of your estate genuinely require it. At a minimum, reconfigure the VPN to stop lateral movement: give each user access only to the single computing resource they need, not to the whole internal network.
Publish and promote trusted cloud applications. Work with your employees and review all current cloud use to produce a list of the services recommended or advised by the company across many aspects of work, from collaboration to development. The average company has more than 1,000 cloud services in use each month; guide your users to the ones you trust and encourage commonality across groups and departments.
Don't tightly restrict cloud apps. Your employees need to collaborate with third parties, and those companies will want to use different cloud apps from yours, so it is not possible to demand, for example, a single video conferencing app. Instead, approve cloud apps on the basis of security parameters, which gives approved users flexibility.
Make your helpdesk available 24/7. Locked-down employees will work at the times that suit them best, and that may be 3:00am!
Communicate with employees. If you have to make a change, make it clear, and have a central place where policies are explained, backed by regular updates by email or other channels.
Medium Term Activities
Multi-factor authentication for all apps. You probably already have multi-factor authentication and single sign-on for critical applications, but what about collaboration apps, videoconferencing and other cloud apps? You can decide to support only cloud apps that integrate with your corporate identity system, so that every app inherits the same MFA and so that joiners, movers and leavers are provisioned and deprovisioned automatically.
Unify data policies. A company's greatest asset is its data. Reduce complexity by moving to one definition with a consistent implementation: if a document is tagged by DLP as internal-only, the system should be able to apply several rules from that one tag, such as blocking saving to insecure USB sticks, emailing it externally, or sharing it externally via cloud.
Set up a policy committee that includes users and GRC. Bring employees into policy decision-making (and into educating fellow employees), and check with these advocates whether a decision will hurt productivity. Work closely with governance, risk and compliance; help them understand how apps are actually used, and facilitate the conversation between the lines of business (LOBs) and GRC. Give employees time to respond, with warnings such as “this app will be blocked from June 30th”; don't surprise them with a sudden block.
Assess employee apps and cloud services. The average organisation uses over 1,000 cloud services. Get an assessment, look at the risk levels and decide which to support, which to block and which to tolerate. Review not just what these services are but how each is being used: a secure service may still have insecure options enabled (such as open link creation; is that OK for your data?).
Embrace the breadth of cloud, but with controls. Employees will use more cloud tools as they collaborate at a distance: Atlassian's Trello for group task management, Jira for project management, GitHub for software development, and so on. You cannot assume there is just one cloud provider, so you need a cloud security platform that can apply controls across many services.
Educate senior management and users. Not everyone can be lucky enough to work in IT! It is also our job to help everyone else understand why security matters for all of us, using examples and published documents. As an example, this paper on the Cloud Security 360° Shared Responsibility Model can help expand understanding outside IT.
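What “one definition, consistent implementation” looks like in practice: a single policy table keyed by classification label, and one evaluation function that every enforcement point (endpoint USB agent, mail gateway, cloud app control) calls, so a tag means the same thing on every channel. This is an added illustration, not code from the article or from any DLP product; the label names, channel names, internal domain and rules are assumptions.

```python
"""One data-classification definition, enforced consistently at every channel.

Added illustration, not code from the article or from any DLP product. Label
names, channel names, the internal domain list and the rules are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The single source of truth: what each label permits on each channel.
# "allow_if_encrypted" is meaningful only for removable media; "internal_only"
# means the recipient or share target must be inside the company's domains.
POLICY: Dict[str, Dict[str, str]] = {
    "public":        {"usb": "allow",
                      "email": "allow",
                      "cloud_share": "allow"},
    "internal-only": {"usb": "allow_if_encrypted",
                      "email": "internal_only",
                      "cloud_share": "internal_only"},
    "confidential":  {"usb": "block",
                      "email": "internal_only",
                      "cloud_share": "block"},
}
INTERNAL_DOMAINS = {"example.com"}   # assumed corporate mail / tenant domains
DEFAULT_LABEL = "internal-only"      # assumed treatment for untagged files


@dataclass
class Event:
    channel: str                            # "usb", "email" or "cloud_share"
    label: Optional[str]                    # DLP tag on the file, None if untagged
    recipient_domain: Optional[str] = None  # mail recipient / share target domain
    usb_encrypted: bool = False             # reported by the endpoint agent


def evaluate(event: Event, policy: Dict[str, Dict[str, str]] = POLICY,
             internal_domains=INTERNAL_DOMAINS) -> str:
    """Return 'allow' or 'block'. Unknown labels, channels or rule words
    fail closed, so a typo in the table cannot open a channel."""
    label = event.label or DEFAULT_LABEL
    rule = policy.get(label, {}).get(event.channel)
    if rule == "allow":
        return "allow"
    if rule == "allow_if_encrypted":
        return "allow" if event.usb_encrypted else "block"
    if rule == "internal_only":
        domain = (event.recipient_domain or "").lower()
        return "allow" if domain in internal_domains else "block"
    return "block"   # "block", None (gap) or an unrecognised rule word


def lint_policy(policy: Dict[str, Dict[str, str]] = POLICY) -> List[str]:
    """List label:channel gaps. Every label should decide every channel
    explicitly, so a new channel never silently depends on the fail-closed
    default and a reviewer can see the whole matrix at once."""
    channels = {c for rules in policy.values() for c in rules}
    return sorted(f"{label}:{channel}"
                  for label, rules in policy.items()
                  for channel in channels if channel not in rules)
```

The enforcement points differ (an agent, a gateway, an API integration with the cloud app) but the decision logic and the table do not, which is what makes a label trustworthy across them. Run lint_policy as part of any change to the table.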
This insight is part of techUK's Cloud Week 2020. You can find related news and insights here.