6 ways the pandemic has triggered long-term security changes

Some of the changes to IT environments prompted by the COVID-19 pandemic—primarily work-from-home (WFH) and cloud adoption—are here to stay and will require long-term revisions to enterprise cybersecurity strategies.

The often hasty measures that many organizations have deployed to ensure that remote workers can securely access enterprise data will need to be replaced or strengthened with controls that can address the requirements of a post-pandemic world, security experts say. There will be a need for capabilities that enable better visibility, control, and management of IT infrastructures where data is scattered across on-premises and cloud environments and users access it from both managed and unmanaged networks and devices.

The pandemic forced an acceleration of digitization and a move to the cloud that many CISOs were not prepared to support in such rapid fashion, says Joseph Carson, advisory CISO at ThycoticCentrify. “The change has forced many businesses to look for short-term solutions that enable the organization to continue operating and allow employees to be productive remotely,” he says.

In many cases, organizations have deployed technologies to support the new work environment without evaluating the potential security implications, he says. “Now is a good time for CISOs to measure newly added business software and how the increased risk and exposure impacts the business,” Carson says.

Here, according to Carson and other security experts, are some of the longer-term changes that organizations will make—or will have to make—to ensure data security in a post-pandemic world.

Faster adoption of zero-trust access models
The shift to a more distributed work and business environment in the wake of the pandemic will accelerate adoption of zero-trust access models over the next few years. Enterprise data and services are now permanently scattered across on-premises, hybrid, and public cloud environments, and users are accessing them from both managed and unmanaged networks and devices. Old models in which users accessing enterprise data and services from inside the network are implicitly trusted will simply not work in a post-pandemic environment where access is expected from anywhere, at any time. To ensure secure access to enterprise data, organizations will increasingly have to adopt zero-trust models where every access request—from inside and outside the network—is authenticated and vetted.

The traditional IPSec client to VPN server approach was dying anyway, says John Pescatore, director of emerging security trends at the SANS Institute. “I think the need for flexible work remotely was kind of the last nail in the coffin,” he says. “Users need to connect from any device anywhere and only tunnel back to HQ for a small part of the traffic.” That means secure network access control along with strong authentication is going to become a critical necessity, he says. “I need to be really sure [about the] person that is connecting and then be able to judge how safe [their] device is,” he notes.

IDC analyst Pete Lindstrom expects the trend will play out in phases. The current focus is on the infrastructure layer and issues like granular access control and encrypted communications for networks and hosts. Over the next few years, expect to see enterprise organizations moving the zero-trust approach further up the stack to incorporate data and workloads. “This is where things like software defined networks and policy abstraction layers [will] start to shine,” Lindstrom says. The goal will be to get to a point where access is ubiquitous and secure and there is no distinction between cloud and on-premises access. Protection will remain persistent and follow data objects wherever they might move around, Lindstrom says.
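The two access models contrasted in this section, as an added example that is not part of the original article: a perimeter policy that trusts anything arriving from the corporate address range beside a zero-trust policy that checks identity (MFA) and device posture on every request and ignores network location. The address range, the resource names, the policy rules and the four sample requests are all assumptions constructed for illustration.

```python
"""Added example: perimeter ("inside = trusted") access decisions beside a
per-request zero-trust policy. Names, rules and sample requests are assumptions."""
from dataclasses import dataclass, field
import ipaddress

CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed "inside" address range
SENSITIVE = {"hr-db", "source-repo"}                  # assumed high-value resources


@dataclass(frozen=True)
class AccessRequest:
    user: str
    source_ip: str
    resource: str
    mfa_verified: bool      # did this session complete multi-factor authentication?
    device_managed: bool    # is the device enrolled with and known to IT?
    device_patched: bool    # does the device's posture report current patches?


@dataclass
class Decision:
    allowed: bool
    reasons: list = field(default_factory=list)  # why the request was denied (empty if allowed)


def perimeter_decision(req: AccessRequest) -> Decision:
    """Legacy model: location is the credential. Anything on the corporate network is trusted."""
    inside = ipaddress.ip_address(req.source_ip) in CORPORATE_NET
    return Decision(inside, [] if inside else ["outside_corporate_network"])


def zero_trust_decision(req: AccessRequest) -> Decision:
    """Every request is vetted on identity and device posture; network location is ignored."""
    reasons = []
    if not req.mfa_verified:
        reasons.append("mfa_required")
    if req.resource in SENSITIVE:
        # High-value data is only reachable from a managed, healthy device
        if not req.device_managed:
            reasons.append("unmanaged_device")
        if not req.device_patched:
            reasons.append("device_unpatched")
    return Decision(not reasons, reasons)


# Constructed sample requests (not real data)
SAMPLE_REQUESTS = {
    # phished credentials replayed from a desk inside the office network, no MFA
    "phished_insider": AccessRequest("alice", "10.20.30.40", "hr-db", False, True, True),
    # employee at home on a managed, patched laptop with MFA
    "remote_employee": AccessRequest("bob", "203.0.113.7", "hr-db", True, True, True),
    # employee at home on a personal tablet reading the intranet wiki
    "byod_wiki": AccessRequest("carol", "198.51.100.9", "wiki", True, False, False),
    # the same personal tablet trying to reach source code
    "byod_sensitive": AccessRequest("carol", "198.51.100.9", "source-repo", True, False, False),
}


def compare(requests=SAMPLE_REQUESTS):
    """Return {name: (perimeter_allowed, zero_trust_allowed)} for each sample request."""
    return {name: (perimeter_decision(r).allowed, zero_trust_decision(r).allowed)
            for name, r in requests.items()}


if __name__ == "__main__":
    for name, (old, new) in compare().items():
        print(f"{name:16s} perimeter={old!s:5s} zero_trust={new}")
```

The phished insider is the case the article warns about: the perimeter model admits the request purely because it originates on the corporate network, while the zero-trust policy denies it for lacking MFA. The remote employee on a managed laptop is the reverse: denied by location under the old model but allowed under zero trust, which is what lets users work from anywhere without tunnelling everything back to headquarters.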

Controls to protect a broader attack surface
The pandemic has fundamentally changed the way organizations work, says Rick Holland, CISO and vice president of strategy at Digital Shadows. Some will permanently operate in a fully remote model, while others will maintain a hybrid model for the indefinite future. He expects that organizations will eschew sprawling corporate campuses in favor of distributed regional offices and shared meeting spaces closer to their decentralized employees.

From a security standpoint, the trend will create a new and much broader attack surface for organizations to protect, Holland says. Employee access, for instance, will need to be protected no matter where they work from. Similarly, the need for social distancing and workforce shortages have accelerated automation and the use of AI in many sectors, including retail, hospitality, and manufacturing, he says.

This continued adoption of new technologies will create new attack surfaces that CISOs must address. “There will be more intellectual property to protect,” Holland notes. “New technology like robots and terminals must also be hardened, monitored, and patched.” The office shifts will have physical security implications as well for CISOs as co-working spaces, shared spaces, and hot-desking become more prominent.

Regulatory requirements will change to address new risks
Expect changes to regulatory, compliance and contractual requirements, says Holland. He predicts that regulatory authorities will modify or expand existing requirements to adapt to the post-pandemic hybrid working model. Regulations such as the Payment Card Industry Data Security Standard (PCI DSS) and the ISO/IEC 27001:2013 standard for information security are due for refreshes and could be among the first to introduce new requirements to address post-pandemic risks. The regulatory changes will likely be implemented in phases and over the course of several years.

Where change will happen much faster is in B2C contracts and security addendums, Holland notes. “Technology companies are already seeing changing security requirements in their customers’ contracts as these organizations want to ensure that the proper remote working and physical security controls are in place,” he says. “CISOs must ensure that their security controls adequately address these areas to help their companies win business.”

Stronger authentication and persistent encryption
The growing use of SaaS and other cloud-based systems such as Zoom, Microsoft Teams, and Dropbox to support distributed collaboration has resulted in a lot of business information ending up in a lot of different places, Pescatore says. Many organizations will need persistent encryption and stronger user authentication methods to support this kind of a work environment over the long term. From a prioritization standpoint, strong authentication will need to be implemented before data encryption can work, he says. “If attackers can still easily phish credentials, encrypting data doesn’t help,” Pescatore notes.

A survey-based study that Yubico conducted in partnership with analyst firm 451 Research earlier this year showed that most organizations—75%—plan to increase spending on multi-factor authentication (MFA) to address new long-term risks in a post-pandemic world. Forty-nine percent of the 200 security leaders in the Yubico and 451 Research survey described MFA as the top security technology they had adopted because of COVID-19 and the migration to a WFH model.

Better network visibility and monitoring
The hurried shift to a more distributed and cloud-first work environment because of the pandemic resulted in organizations losing visibility—to varying extents—over the devices connecting to their networks and data. In many cases, organizations sacrificed security in the interest of ensuring business continuity and availability. They adopted short-term approaches that allowed remote employees to remain productive and the business to operate without disruption.

“Unfortunately, these are solutions that the business embraced without evaluating the risks or enabling security to prevent attackers from abusing them,” says Carson from ThycoticCentrify. Going forward, CISOs will need to evaluate and find ways to address the new risks that were introduced into the environment because of rapid cloud adoption and work-from-home models since early 2020. “In the year ahead, CISOs need to measure remote access risks and accelerate deploying additional security solutions to enhance remote access security such as privileged access security, MFA and single sign-on,” Carson says.

Improved visibility will be critical for organizations in the years ahead, says Chris Morales, CISO at Netenrich. In permitting users to access enterprise data from unmanaged home networks using a mix of managed and unmanaged devices, enterprise security groups have lost the visibility—and control—needed to manage secure access. “IT and security [have] lost visibility to what devices [have] access to high value data, the applications on those devices, and state of health of connected devices,” Morales says.

Richard Stiennon, chief research analyst at IT-Harvest, expects that as enterprises transfer their infrastructure to the cloud, they will have to look for security technologies that mirror some of their on-premises capabilities in certain areas. These include asset discovery, configuration management, event monitoring and logging. “All these spaces are the fastest growing in cybersecurity and startups are getting tremendous valuations,” Stiennon notes.

Evolving cyber risk management practices
Many organizations will need to overhaul their risk management and business continuity practices to address risks in a post-pandemic IT environment. Areas for improvement include planning and preparation for adversity, enabling better visibility into enterprise-wide operational interdependencies for siloed operations teams, and the transformation of risk management into an operational activity, says Morales.

“Resilience requires bringing the areas of risk management, business continuity, and IT, development, and security operations together to produce a secure by design operational process supporting mission-critical functions,” Morales says. The long-term focus should be on improving situational awareness in a world where enterprise applications, data, and the people accessing it are scattered far beyond the traditional enterprise network, he says.

Pescatore says the chaos stemming from the pandemic has taught organizations a lasting lesson on the importance of having and testing procedures for better responding to events that might require a quick shift to alternate infrastructure. “Just like testing the datacenter switchover to emergency power, or testing switching to a backup internet connection, I think IT and security teams will be doing ‘short notice work from home’ tests,” Pescatore says. “[The goal is] to make sure they can make the transition rapidly, securely, and reliably if shut-downs happen quickly again.”

Source: CSO