We asked industry experts: ‘How can technology leaders ensure the work practices of their colleagues do not put their company’s cybersecurity at risk?’ Here is the response from Neil Riva, Principal Product Manager at JumpCloud.
As a technology leader focused on identity, privacy and authentication, I know what to do to protect my company and myself from cyberattacks. But how do I ensure my colleagues are on board and follow best security practices?
After all, the weakest link will break the chain. Now that much of the enterprise workforce is remote due to the COVID pandemic, the need to adapt and respond to provisioning and managing remote users and devices has increased.
The IT infrastructure has become decentralized and strategies for user and device identity management and access control have to leverage cloud-based products based on Zero Trust principles.
These three key principles help to mitigate the security risk that employees bring into the enterprise.
#1. Trust nothing, verify everything. We are in a world where the users and devices are no longer tied to a domain. To adjust to the new domainless enterprise and to beat back security threats, we must remotely onboard users and devices and ensure users can securely access applications with MFA, with guaranteed policy delivery and enforcement across this new distributed workforce.
While the phrase ‘Zero Trust’ is used regularly, what I mean by it is that we trust no person, trust no device, trust no application. Enterprises with no domain boundaries can secure users – and protect against users’ poor security practices – through robust identity management governed by policy-based, adaptive authentication built around device trust.
#2. Enable adaptive authentication. Following a least privileged user approach, applications should be provisioned for users based on devices and groups, and protected by risk-based adaptive authentication policies, including MFA. If implemented, then I can rest assured that my company has a solid cybersecurity stance which will ensure my colleagues and myself are not at risk.
I no longer have to worry about my colleagues creating weak or shared passwords, since any account attack or phishing attempt requires users to input their second factor required by the MFA policy or passwordless-based authentication.
#3. Focus on the device. Imagine a world where I hire a new employee and the laptop is shipped to their house and it is ready to use and complete their onboarding as soon as they unpack it. Users enrol a second factor from their mobile device, and within just minutes, the device has been secured and is ready to give an employee access to the applications they need.
By creating a policy-driven access control for conditional authentication around device trust, organizations can secure users within a single enterprise identity. The device is now trusted, regularly updated and, most importantly, managed remotely so that IT admins can wipe data, lock a device, or deprovision users to mitigate lost or stolen devices. Data can be wiped so that I can mitigate lost or stolen devices.
Strong and adaptive authentication rooted in device trust can establish and protect user identity and secure and protect all of their applications and resources.