Rethinking security and access for hybrid work

Image: Ben King, Okta

Image: Ben King, Okta

Ben King sees a future without passwords for working remotely. That’s not a new prediction – password-less access is a reality in some organisations – but many companies aren’t there yet. This is something that organisations are actively looking at as they continue adapting to the pandemic.

We discussed this and related issues with King, who is Chief Security Officer in APAC and EMEA for identity company Okta. Our conversation below delves into the zero trust mantra now pervading security conversations and what it means in practical terms.

How has the pandemic affected the cybersecurity landscape?

As the pandemic accelerated digital and cloud transformations, as well as a global shift to remote working far faster than any could have predicted, all but the most agile organisations, had to adopt a ‘move first, plan later’ approach. For some, this meant punching holes in existing security controls in the name of business continuity, and most organisations have collected technical or security debt over the past 18 months that needs to be addressed without delay.

To paint a picture, we've seen many new threats as the landscape has evolved. We've observed attackers responding in a more agile fashion than most organisations can hope to achieve, capitalising on the rapidly changing environment. Combined with this we've also had record vulnerabilities in the background for the last four years, year on year.

The removal of the traditional security perimeter requires new thinking in a hybrid world. Enterprises must trust their staff to work remotely, and consumers must trust the brands they're buying from online. This is ripe for abuse. We've seen huge increases in attacks both socially and against organisations – everything from phishing and business email compromise, to social engineering, to supply chain attacks and ransomware. It's this multiple and varied change in risk profile that security leaders really need to be conscious of and plan through today.

We now live in a world of hybrid work and we're likely to remain in that world into the future. What role does zero trust play in that hybrid environment?

The problem space we're talking about is addressed by zero trust architectures and frameworks. In today's world, every network is a zero trust network. IT organisations can't manage a thousand home routers. But, we can control access to enterprise resources across non-trusted networks based on who wants to access what and in what context – it could be their location, their time zone, their behaviour - as well as the risk profile of the resource to be accessed.

And, much like the physical world, we do this best with multiple identity factors. For example, in the physical world, I might show you a driver's license, passport or utility bill to prove who I am. In the digital world, we don't have that option. So we use multiple factors to do something very similar. We use something you know, which could be your username; something you have, which could be a token or a trusted mobile device; and something you are: biometric verification, such as a fingerprint or facial recognition.

You'll note in this future, I didn't say the word password. ‘Password’ doesn’t need to be part of the future if we can authenticate in high confidence using those other factors.

Now, each of those factors are weak individually, but when they’re combined they become much stronger and incredibly difficult for malicious actors to attack against. This allows us to put authentication on the applications and resources that really need it.

Last year the emphasis was on rapidly expanding and enabling work-from-home scenarios. As businesses recover and shift to a hybrid office model, what is top of mind for information access management professionals?

We've seen a lot of research where respondents are saying they don't want to go back to the office full time. This means using tools our users are most comfortable using remotely, even as we move into hybrid work.

Identity and access professionals need to support this, as we support the business more generally, through provisioning and de-provisioning seamlessly, as well as enabling frictionless access to resources.

Hybrid offices also mean more devices on our networks, whether they're in shared workspaces or people from different teams collaborating more. The ideas of segregated guest networks or team-specific VLANs aren't going to work in this model – we need to move these controls closer to the user and closer to the data. That’s the shift to identity-centric zero trust.

One of the arguments in cybersecurity is if you make security too hard for users, they'll find a way around it. Multi-factor authentication is an important security control, but there can be a perception that it adds user friction. How do you manage this?

What we've seen is poorly implemented MFA causing friction. In my mind, this is all based on risk. We're adding context on a user and a device – are they trusted? Let's combine that with the resource requested, is it a sensitive resource that we're seeking access to? We put these together to create an adaptive MFA if you will. MFA which is smart in terms of when and why it fires.

So if I'm on a new device, I would very much expect MFA to fire on the device for me to authenticate who I am. But if I'm on a known device, I don't want to get that. And nor does security need that to fire all the time. Because we already know that device, we have its fingerprint.

If I'm looking for information on a public wiki within an organisation, I wouldn't expect MFA to fire, there's little risk. But if I'm accessing sensitive data or data I don't access very often, I should absolutely have to authenticate more strongly, to provide confidence on who I am, and that I should have access to the resource that I'm seeking.

Which zero trust criteria are important for organisations when evaluating or changing their Identity and Access Management (IAM) solutions?

I'd start with transparency, integration and having a solution that is agnostic to the software. I think that's very important as we want to enable ourselves to use the best of breed technology out there, and we've seen this shift to cloud workloads and remote working – we need people to be able to do their job.

The final factor would be availability – if we're going to have staff working remotely, we can't afford to have a service go down. I'd prioritise high availability – try to get a solution which has proven uptime as much as possible, because you don't want your employees not being able to do their job. Just as you don't want your customers not being able to access your services or transact.

Employers are struggling to find the right people to address these issues. How is Okta dealing with that?

Being a company that's working fully remote, we've opened up the gates in terms of recruitment.  If staff are not going to the office anyway, it doesn't matter where they are. You could be in regional USA, or you could be in regional Australia, or you could be in regional South America. It doesn't matter, so long as we can get the right talent

If you can work out how to manage high-performance teams remotely, it just puts you so far ahead of your competitors because you just get the best people wherever they are.

Yes, it's a challenge. I've done my last five years in between London and Australia working for organisations on the other side of the world. So it's hard to get right, but it's rewarding, allows flexibility, and lets me access a team full of talented individuals - which is 100% worth the effort.