Op-Ed: Securing hybrid work: Why trusted access is vital to company security

In 2018, it referenced a survey that found less than 25 per cent of employees wanted to bring their device versus 74 per cent who preferred a company-issued device – suggesting that workers were reluctant to have their personal and professional worlds become so intertwined.

At the peak of BYOD, workers were forced to install software that purportedly “secured” their phones at the cost of personal privacy. At the same time, organisations were imposing restrictive policies on all devices under the guise of “enterprise security”. These measures offered zero benefits for end users, who challenged such limitations, wondering why they should have restrictions on their own devices – in addition to the fact that there weren’t even many applications to access via their mobile devices, apart from emails and calendars, back then.

Then, in 2020, COVID-19 hit, precipitating a large-scale shift to home working that has matured into hybrid working, which offers people the freedom to work partly from home or another location and partly from the office. Workers are choosing when to work and how to work. They are no longer working only within the campus perimeter, nor are they working only on company-issued devices.

The rise of BYOD and meeting increasingly complex security risks

Recent research by Adaptavist showed that Australia has the highest percentage of hybrid workers, at 34 per cent, compared to the global average of 29 per cent. Furthermore, half the Australian workplaces surveyed offered hybrid work choices to staff.

As hybrid working becomes the new norm, so will BYOD and the security risks that will naturally increase as organisations adopt this new business model. Some of the established security measures more commonly found on company-owned laptops and mobile devices to combat these challenges – such as the ability to wipe all data remotely – are likely to be considered highly intrusive when applied to users’ own devices.

At the same time, adopting hybrid work has increased the need for remote access to an organisation’s applications and data to mimic the on-premises experience as closely as possible, bringing additional security barriers that can cause considerable frustration for staff.

To bolster the cyber resiliency of organisations across Australia, the Australian Cyber Security Centre (ACSC) has designed the Essential Eight, a set of strategies to help organisations protect themselves against various cyber threats. These include application control, patching applications, configuring operating systems’ macro settings, user application hardening, restricting administrative privileges, patching operating systems, implementing multi-factor authentication, and performing regular backups. Unfortunately, many organisations have struggled to adopt the Essential Eight for modern devices, including those mobile platforms commonly used for BYOD, as the strategies have been effectively written with specific legacy operating systems in mind.

VIEW ALL

Organisations are turning to several solutions to address complex security requirements across an increasing number of devices used for work. There’s mobile device management (MDM), which is now being used to oversee the life cycle of devices and applications that are deployed for work; Identity and Access Management (IAM), a centralised approach to managing user identity, authentication, authorisation, and privileges across multiple systems and applications; and mobile threat defence (MTD), which offers specialised security tools specifically designed to protect mobile devices against cyber threats.

Coordinated oversight of device management, access, and security is essential to effectively prevent, detect, and remediate cyber attacks. However, such coordination is challenging with different solutions from different vendors for each function – as these solutions were never designed to work together and managed by siloed IT and security management teams.

Swapping disjointed workflows in favour of a streamlined approach

The collective goal of deploying these technologies is to ensure access from every device can be trusted not to have been compromised and secondly, that the person attempting to access company files is an authorised user.

Security needs to evolve to meet the new way of working, which could include the following:

• Workers must be productive on devices of all sizes, from desktops to mobiles, and on both company and user-owned devices.
• Businesses need assurances that devices are ready for work – that staff are not spending time figuring out which productivity tools are available to use – and that they are configured to be secure.
• In the context of personally owned devices, workers need assurances their privacy is being respected. Transparency is key.
• Everyone – employees, contractors, partners – need access to applications that enable productivity, regardless of whether they work on-premises or remotely.

Organisations initially looked to modernise their security stack by introducing a zero-trust strategy, but it has not been the silver bullet everyone thought it would be. There were simply too many vendors required to achieve the desired outcome and too much administrative complexity – resulting in lengthy implementation.

Trusted Access is a new look at zero trust, but through a lens focused on the end user. Trusted Access means that:

• Devices are enrolled using modern privacy-preserving techniques and put the user in the driver’s seat when appropriate.
• Both company-issued and personally owned devices, laptops, and mobile devices are supported, allowing the user to seamlessly transition between form-factors without losing productivity.
• A user’s work identity is built in, delivering improved security and enhanced productivity workflows. By reducing the number of sign-ins that users are required to go through, they can get into their productivity tools faster and without interruption.
• It creates a model to increase the security of devices over time, allowing organisations to turn up policy controls at their pace; for example, starting with device hardening and moving to malware prevention and more advanced protections as the team is able to scale.
• It incorporates modern application connectivity in a way that supports anywhere work and incorporates real-time risk assessments into every application policy.

A trusted access solution should allow access only from sanctioned devices – those enrolled in the management system. It must ensure those devices are safe to use by securing their access to company data and incorporating an active threat detection function. It must also ensure that each user is authorised and verified while providing them with an access solution that is easy to configure and manage.

Also, every security measure that imposes an additional barrier to user access or compromises ease-of-use in any other way will likely lead to an increase in calls to IT support, further impacting efficiency.

The takeaway: ‘Trusted Access’ is the way of the future

Hybrid working is now the norm. Securing access from remote devices, including users’ own devices, will be essential, but with large-scale hybrid working, security measures must be both highly effective and easy to deploy and manage. They must support rapid response to enable threats to be mitigated and must not compromise ease-of-use.

A trusted access solution can fulfil all these requirements by having components designed for each function to work together as an integrated system.

Michael Covington is VP of Portfolio Strategy at Jamf.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.