5 Recommendations for a Secure Transition to Normalized Remote Work

The end of enterprise infrastructure as we know it


It's July 2020, and in many countries around the globe the pandemic lockdown has been lifted or eased. In many other countries, numbers are still surging. We're wise enough to know that there will be more outbreaks and new lockdowns; offices will not be crowded spaces anytime soon.

In addition to any government decisions and social distancing measures, many companies are giving their employees the benefit of deciding whether and when they want to go back to the office. It can be expected that it will become entirely normal to work from home 3 days per week or so.

Corporate infrastructures will have to be rethought and redesigned. Of course, offices will change greatly, with less open spaces and shared tables. But that's only part of the picture.

Technical infrastructure will also be high on the leadership agenda for the rest of the year, with IT architecture and applications undergoing deep scrutiny.

Security considerations must come first, realizing that the enterprise's cloud architecture today includes the home connections and devices of every remote worker. The implications for Atlassian customers are no different: every Atlassian tool is gated by user passwords that can be compromised, and Jira databases, Confluence pages, and Bitbucket repositories are packed with sensitive information. The following recommendations are aimed at helping the transition to this new standard of work.

#1 Beware of ransomware

How will cybercrime evolve in the new remote landscape?

Symantec recently warned about WastedLocker, a new form of ransomware

Phishing scams are a tried and tested strategy for hackers. They work on grandpas, and they work on enterprises for incredible sums. But according to recent reports, ransomware is emerging as a strong new candidate: Symantec has reported as many as 31 affected corporations in the US this spring alone. Injecting malicious code can be done at an unparalleled scale when firewalls can't protect your enterprise assets. Use Insight Discovery to create a comprehensive map of every enterprise asset included in your closed networks. Although cell phones are not covered, the scan will include any PC laptops or Macs connected to your networks while it runs. This gives you a full picture of how many external devices you have to protect in order to prevent ransomware attacks.

#2 Create (and Document) a Culture of Remote Security

It's security first, everything else second. Every enterprise is only as secure as its weakest point. Those vulnerabilities can take many forms: a disgruntled employee whose accounts were not disconnected, a poorly designed application, a leaky database, a faulty firewall configuration, or an employee who works in good faith but is simply oblivious to security risks.

If your company exposes many attack surfaces, attackers who can identify them will exploit them. And once they're in, they can spread so rapidly that you won't know where or how to eradicate them.

Illustrate this landscape to your employees. Explain the difference between sending information over the corporate LAN and doing so across a distributed workforce. Teach them how to build strong passwords for their personal networks.

A knowledge base with security tutorials is a must for spreading security best practices and recommendations. Make sure to include easy-to-read tips, guidelines and the basic do's and don'ts, and refer to the library in different messages and channels.

Remote employees should be power users of your security documentation, which must always be current and detailed enough that no one needs a technical walkthrough from a human. An interesting addition to make sure that your most critical information doesn't lose rigor is Better Content Archiving. Despite its name, the app doesn't only help with archiving: you can set up review processes to maintain critical security information so that no one follows obsolete instructions.

#3 Minimize The Number of Passwords

This might seem counterintuitive, but we need to manage as few passwords as possible. Password fatigue is a reality, and every time a password has to be recovered it gets replaced by a simpler, more memorable combination that is easier to exploit.

The solution? Stop pretending that humans can be tasked with managing hundreds of unique, secure passwords. Since the adoption of password management software remains relatively marginal, every enterprise should eradicate bad password habits with single sign-on.

The idea behind single sign-on is deceptively simple: use only one password for every tool and govern it from a central identity provider.

Mainstream identity providers are readily available. For example, if your company has Outlook365, you can get Azure Active Directory for free. On G Suite? Also an option.

Remember: it's easier to maintain or even remember one great password than to keep separate, secure passwords for potentially hundreds of applications.

When it comes to Atlassian server applications or to advanced Data Center configurations, you will need to rely on a Marketplace App like resolution's SAML Single Sign-On.

(For full disclosure, note that resolution is my employer).  

The current best practice is to combine 2FA (two-factor authentication) and single sign-on so that the single password is protected with an additional factor. If your current identity provider does not support 2FA, there are alternatives in the Atlassian Marketplace like 2FA for Confluence.

#4 Synchronize Logout

Single logout (SLO) is the counterpart of single sign-on. Unfortunately, not all providers support it, and you won't find it among the Atlassian Data Center capabilities, for instance. But would you want a key that can open doors but not lock them? That sounds like a sweet deal for burglars and a headache for enterprise security teams.
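To make the "key that opens doors but doesn't lock them" concrete, here is a small simulation, added here as an illustration and not code from the original post or from any Atlassian or resolution product. One identity provider authenticates the user once; three applications (stand-ins for Jira, Confluence and Bitbucket) accept that session via SSO and each keep their own session. The IdP logout is then run with and without single logout. The class and function names and the sample user and password are invented for this example.

```python
"""Toy model of single sign-on (SSO) with and without single logout (SLO).

Added illustration, not code from the original post or from any Atlassian or
resolution product. IdentityProvider, ServiceProvider and simulate are names
invented for this example; the user and password are constructed sample data.
"""
import secrets
from dataclasses import dataclass, field


@dataclass
class IdentityProvider:
    """Central login. Applications never see the password, only an IdP session."""
    users: dict = field(default_factory=dict)        # user -> password (plaintext only in this toy)
    sessions: dict = field(default_factory=dict)     # idp_session_id -> user
    service_providers: list = field(default_factory=list)

    def login(self, user, password):
        expected = self.users.get(user)
        if expected is None or not secrets.compare_digest(expected, password):
            return None
        sid = secrets.token_urlsafe(16)              # unguessable session id
        self.sessions[sid] = user
        return sid

    def assert_identity(self, sid):
        """The SSO handshake: map a live IdP session to a user, or None."""
        return self.sessions.get(sid)

    def logout(self, sid, single_logout):
        """End the IdP session; with SLO also end every app session of that user."""
        user = self.sessions.pop(sid, None)
        if user is None or not single_logout:
            return 0
        return sum(sp.terminate_sessions_for(user) for sp in self.service_providers)


@dataclass
class ServiceProvider:
    """One application (think Jira, Confluence, Bitbucket) trusting the IdP."""
    name: str
    idp: IdentityProvider
    sessions: dict = field(default_factory=dict)     # sp_session_id -> user

    def __post_init__(self):
        self.idp.service_providers.append(self)      # register to receive SLO notifications

    def sso_login(self, idp_sid):
        user = self.idp.assert_identity(idp_sid)
        if user is None:
            return None
        sp_sid = secrets.token_urlsafe(16)           # the app keeps a session of its own
        self.sessions[sp_sid] = user
        return sp_sid

    def is_logged_in(self, sp_sid):
        return sp_sid in self.sessions

    def terminate_sessions_for(self, user):
        doomed = [s for s, u in self.sessions.items() if u == user]
        for s in doomed:
            del self.sessions[s]
        return len(doomed)


def simulate(single_logout):
    """Log in once, open three app sessions, log out at the IdP, return the apps still open."""
    idp = IdentityProvider(users={"alice": "correct horse battery staple"})  # constructed sample
    apps = [ServiceProvider(n, idp) for n in ("jira", "confluence", "bitbucket")]
    idp_sid = idp.login("alice", "correct horse battery staple")
    app_sids = [(app, app.sso_login(idp_sid)) for app in apps]
    idp.logout(idp_sid, single_logout=single_logout)
    # A fresh SSO login with the dead IdP session must fail either way.
    assert apps[0].sso_login(idp_sid) is None
    return [app.name for app, sid in app_sids if app.is_logged_in(sid)]


if __name__ == "__main__":
    print("without SLO, still open:", simulate(single_logout=False))
    print("with SLO, still open:   ", simulate(single_logout=True))
```

Without SLO the IdP session is gone but all three application sessions survive, which is exactly the gap an attacker with access to an unattended or stolen device benefits from; with SLO every application session of that user is terminated in the same step.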

Keep reading to learn how to enable Single Logout on Atlassian Data Center.

#5 More Control for Shadow IT Risk

If shadow IT was already an important security threat in pre-COVID times, it's even more so now that employees are connecting from their homes over their own Wi-Fi networks.

Zapier, for example, provides access to over 1,000 cloud apps and endless integration possibilities with Atlassian products. The potential of these integrations is undeniable, but the read and write access they get to APIs is concerning.

What will employees do when their actions are unchecked? And how will corporations react? How many will set up surveillance systems for all their employees' digital activities?

There are less invasive ways to keep shadow IT under control, especially when it comes to governing access to the API. Personal access tokens can replace passwords with better granularity: one token for each connection or script. Check out resolution's API Token Authentication if you're interested in adding permission schemes to the creation and usage of tokens.

What happens if an attacker manages to compromise a token? To start, they won't be able to log into Jira with it and propagate the attack. And on the other hand, a compromised token can easily be replaced without affecting any other integration or the user account itself.
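The three properties the last two paragraphs rely on (one scoped token per integration, a token that is useless at the interactive login, and revocation of a single token without touching anything else) can be shown in a few dozen lines. The following is an added example and not resolution's API Token Authentication app, nor Atlassian's own token implementation; TokenStore, ApiToken, web_login and the sample user and integration labels are invented for it. The example goes slightly beyond the text by also storing only a hash of each token, so that a leaked token table cannot be replayed.

```python
"""Per-integration API tokens: scoped, hashed at rest, individually revocable.

Added illustration, not code from the original post and not resolution's API
Token Authentication app or Atlassian's token implementation. TokenStore,
ApiToken, web_login and the sample user/labels are invented for this example.
"""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class ApiToken:
    owner: str
    label: str             # which script or integration this token was issued for
    scopes: frozenset      # e.g. {"read"} or {"read", "write"}
    revoked: bool = False


def _digest(value):
    # Tokens are 256-bit random strings, so an unsalted SHA-256 is enough to make
    # a leaked token table useless. (Passwords would need a real KDF such as argon2.)
    return hashlib.sha256(value.encode()).hexdigest()


class TokenStore:
    def __init__(self):
        self._by_digest = {}   # sha256(secret) -> ApiToken; the secret itself is never stored

    def issue(self, owner, label, scopes):
        """Create one token per integration; the secret is shown to the user once."""
        secret = "tok_" + secrets.token_urlsafe(32)
        self._by_digest[_digest(secret)] = ApiToken(owner, label, frozenset(scopes))
        return secret

    def authenticate(self, presented, required_scope):
        """Return the owner if the token is live and its scope allows the action, else None."""
        rec = self._by_digest.get(_digest(presented))
        if rec is None or rec.revoked or required_scope not in rec.scopes:
            return None
        return rec.owner

    def revoke(self, owner, label):
        """Kill exactly one integration's token; every other token stays valid."""
        for rec in self._by_digest.values():
            if rec.owner == owner and rec.label == label:
                rec.revoked = True

    def active_labels(self, owner):
        return sorted(r.label for r in self._by_digest.values()
                      if r.owner == owner and not r.revoked)


# Constructed password record for the web login form, kept apart from the token store.
_USERS = {"alice": ("constructed-salt", _digest("constructed-salt" + "correct horse battery staple"))}


def web_login(user, credential):
    """The interactive login only accepts the account password, never an API token."""
    entry = _USERS.get(user)
    if entry is None:
        return False
    salt, expected = entry
    return secrets.compare_digest(expected, _digest(salt + credential))


def scenario():
    """A leaked Zapier token is revoked without touching the CI token or the account."""
    store = TokenStore()
    zapier = store.issue("alice", "zapier-sync", ["read"])
    ci = store.issue("alice", "ci-pipeline", ["read", "write"])
    out = {}
    out["zapier_read"] = store.authenticate(zapier, "read") == "alice"
    out["zapier_write"] = store.authenticate(zapier, "write") == "alice"   # out of scope
    out["token_as_password"] = web_login("alice", zapier)                 # tokens cannot open the UI
    store.revoke("alice", "zapier-sync")                                   # the token leaked
    out["zapier_after_revoke"] = store.authenticate(zapier, "read") is None
    out["ci_after_revoke"] = store.authenticate(ci, "write") == "alice"
    out["password_still_works"] = web_login("alice", "correct horse battery staple")
    out["active"] = store.active_labels("alice")
    return out


if __name__ == "__main__":
    for key, value in scenario().items():
        print(f"{key:22} {value}")
```

The useful detection side effect of one-token-per-integration is that every API call can be attributed to a label such as "zapier-sync", so unexpected write traffic from a read-only integration stands out in the access log instead of blending into the user's normal activity.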


Conclusion

Securing enterprise information these days can’t be an afterthought: it requires careful planning, proper resources, and extensive training. Involve your leadership now and reconsider your entire IT infrastructure to prepare it for the security challenges of this decade before risks materialize. Besides a full-scope enterprise user management framework that includes Atlassian applications, don't forget to expand your definition of digital assets to include every employee's remote connection!
