JumpCloud CTO Greg Keller explains how SMEs can adapt to changing workplace policies, improve security and reduce costs
Many companies were forced to leave the office when lockdowns were enforced in 2020, and since then the past 12 or so months have completely transformed the work environment. Remote and hybrid working practices are now the norm for many employees. What’s more, those employees now expect choice when it comes to where they work from. To support this successfully in the future, small and medium-sized enterprises must ensure they have the correct security infrastructure in place.
The big challenge here is that working outside a traditional domain-based security model is a lot harder to secure, due in part to many SMEs not having the right resources in place. In an office environment, where typical domain-controlled environments are physically controlled, an employee’s computer, the resources they are accessing, and the networks they are computing within have all been provisioned and are managed by the IT team. Each of these has also been secured in a manner that was predicated on working within the domain, not necessarily external to it. When teams leave the office and begin remote working, most often entering unknown networks and potentially unknown devices, these traditional security and safety measures can no longer be relied on.
Are your remote users secure?
Once remote working has been established across an entire team, each employee represents several potential security risks for IT teams. Though SMEs may provide company-approved hardware such as laptops and cellphones, many users will opt for their personal devices instead, each with its own level of security ranging from adequate to non-existent. This is compounded by each user connecting to a network outside the secure office – this could be their home Wi-Fi and broadband, or through a public network such as a cafe, depending on where they are located. These networks have similarly varied degrees of security and run the risk of endangering confidential company assets if they are compromised.
Sysadmins will face countless challenges and an overwhelming workload to ensure each of these devices, networks and users are secure. For many SMEs, there just aren’t enough adequate measures in place to ensure an employee is accessing company resources from a device that is known and trusted. When trusted, there are guarantees that the machine is protected and is in a compliant posture to protect the company from data loss, compromise, and so on. To combat these risks and successfully roll out a remote working policy, there are three areas to focus on: education for employees, consolidation of tools, and removing security responsibility from individuals.
Education is perhaps the simplest initiative to roll out, though it is also crucial to ensure a consistent approach across the business. Developing a policy that outlines the company’s approach to security, and the fundamentals employees must adhere to, will ensure each user understands the importance of security and is aware of the risks they might face. Keeping this simple, straightforward and informal can help users to remember the rules. It is also worth looking at security products that your employees can use if you are worried about the standards of their home networks too.
Do you know who your users are?
With every employee working at home, knowing that people really are who they say they are is crucial. The directory is at the heart of this process – it acts as a single source of truth that is responsible for user identities and what they are approved to access. For example, when an employee logs into a company network with a known device to access resources, their identity can be recognised and access granted.
However, traditional directories can be challenging to implement for smaller businesses as they often require additional tooling such as multi-factor authentication and related products to verify identities and establish zero trust security architectures where no one is trusted and all activities verified.
Today, when employees are outside the domain-based network, implementing a source of authentication and verification through a cloud directory can help instead. This can galvanise any SME’s approach to improve security, simplify the management process for IT teams and improve the experience for remote employees. Cloud directory services remove the need for physical hardware or complex deployments, while providing the same level of access management and scalability as businesses grow. Further, they provide flexibility into the types of resources that can be governed, ranging from device operating systems, web-based and SaaS applications, and resources that remain in offices such as file servers.
Alongside identity, shifting security responsibility is a key component of a successful remote working policy. Without the consistency and straightforward approach that a cloud directory provides, security policy can become complicated, time consuming, and affect employee productivity. If a user must manage multiple sets of credentials for various resources, and are constantly challenged by second factors of verification unnecessarily, they are more likely to adopt bad security practices to get around these hurdles. To avoid this, SMEs should adopt technologies such as single sign on, conditionally triggered multi-factor authentication, and an underlying cloud directory that centralises all employee identities and devices.
Automating idenfication makes it easier to manage for the organisation while also improving efficiency for each user too. The result is a policy that is easy to roll out, scalable and gives time back to employees and IT teams previously spent either constantly requesting access or manually monitoring and approving individual devices and networks.
Remote and hybrid working appears to be the new norm, and its success will lie in adopting the right practices to ensure security needs are met while swerving the barriers that can affect productivity or put businesses and employees at risk. Thankfully, the right tools are available regardless of company size.
To find out more about JumpCloud’s cloud directory platform, visit https://cloud.jumpcloud.com/teissTalk.
by Greg Keller, CTO, JumpCloud