Many organizations across the world, small, medium and large, are having their employees work from home due to COVID-19. For many of these companies, this was something they had never prepared for. Moving to the cloud and using online tools sounds simple and easy, but when it comes to meeting regulatory and compliance requirements, you need to take extra care. Enabling your workforce with cloud-enabled collaboration tools is not only a technical challenge but also brings legal and cultural considerations. Luckily, I have seen many of the challenges that IT faces when moving to the cloud. In this article, I will address some common challenges brought about by remote work and showcase some of the ways they can be addressed without impacting your employees’ ability to collaborate effectively and stay productive while maintaining security, compliance and privacy.
Consider the implications of document sharing on Dropbox, Google Drive and OneDrive where customer data is involved, especially in a highly regulated environment. For a situation like this, you no longer need to set up costly infrastructure and wait for days. Today, with the power of the cloud, Office 365 SaaS services such as MCAS and DLP, along with Azure IP or Microsoft IP, can be enabled in your tenant to put tight controls in place and stop data leakage.
Let’s take Microsoft Teams. If an organization decides to empower its employees to work remotely, it can’t just turn this feature on with the same level of access as in its controlled environment. Microsoft Teams gives users many collaboration tools in one place, and these work best in the cloud. However, if you have a hybrid cloud setup, this becomes a technical challenge because the way things work and are configured on-premises may break when it comes to the cloud. An organization may not want its customers’ or employees’ PII data to be hosted in the cloud, and before you enable Teams you must first put all controls and policies in place, which can’t be done overnight. Organizations are challenged by technology and are unable to transition from on-premises to cloud with the same security controls. As soon as an organization moves to the cloud, the boundaries of security shift, which can introduce risk and potentially unknown gaps. For example, an organization may not want its employees to store a file in the cloud containing the names and email addresses of its customers. In another example, it is not easy to migrate data leak prevention controls from an on-premises platform to a cloud platform. This is purely a technical issue: on-premises policy can’t be easily migrated to a cloud platform. Some organizations may not provide employees with access to the public internet even for email communication, even though the public internet offers security and encryption in transit and features like OME (Office Message Encryption). It does not stop here; there is a huge list of challenges, and solutions may not work in most scenarios. When it comes to remote work, how are they going to deal with unmanaged devices? A solution is available, but you can’t roll it out overnight if you are a 100,000-seat organization. It also raises the question of whether they have enough people in IT support to handle the calls for any ad hoc changes made to IT operations.
Consider identity protection: how are they going to protect identities, and do they have trained staff? You may implement MFA, but what if it breaks an application that does not support MFA? These are just a few examples; in this situation, IT leaders need to come up with a short-term and a long-term strategy. Organizations also need to redevelop their security controls in response to this sudden change. I’d say develop cloud security policies and information governance around cloud architecture, because existing policies date back to the pre-cloud computing era and cause many issues.
Employees are already collaborating across the organization, so it is worth considering adding an extra layer on top of existing monitoring and auditing tools to detect and remediate suspicious activity on the fly using Azure Security. Azure has a built-in AI algorithm which can trigger an alert if a user sign-in looks suspicious or falls into an atypical scenario. Again, this solution may not work for many organizations if they are not cloud ready, and they may need some time to implement such controls. Enabling full functionality for real-time collaboration may not be possible; however, there are workarounds where it can be enabled with limited feature capabilities, avoiding risk to the organization.
Some best practices for WFH from IT
Educate employees to use strong passwords – strong, long passwords (25 characters) are hard to break
Email phishing awareness – run an email phishing campaign to educate your employees
Enable multi-factor authentication (MFA) – this is a must-have for any cloud identity platform
Enforce location-based sign-in if possible – if you don’t do business outside the USA, why would you want to allow sign-in from everywhere? Just lock it down
Implement a blocked country list – follow the FBI list of banned countries
Monitor malware and spyware – enable endpoint protection
Use jump boxes wherever possible – don’t allow direct RDP access to the server
Enhance policies and leverage cloud capabilities wherever possible – you must enable AI and ML features for risky sign-ins and conditional-based policies
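An added example (not from the original article): a what-if pass over sign-in records before enforcing the location and MFA items above, showing which sign-ins a US-only, MFA-required policy would block and which applications would break because their legacy clients cannot complete MFA. The records, field names and application names are constructed for illustration and are not a real log schema.

```python
from collections import Counter

ALLOWED_COUNTRIES = {"US"}                 # assumption: the business operates only in the USA
LEGACY_CLIENTS = {"IMAP", "POP3", "SMTP"}  # basic-auth clients that cannot answer an MFA prompt

# Constructed sign-in records; field names are hypothetical, not a real log schema.
SIGNINS = [
    {"user": "alice", "app": "Teams", "client": "Browser", "country": "US", "mfa": True},
    {"user": "bob", "app": "Teams", "client": "Mobile", "country": "US", "mfa": False},
    {"user": "carol", "app": "OneDrive", "client": "Browser", "country": "DE", "mfa": True},
    {"user": "svc-scanner", "app": "Scan-to-Email", "client": "SMTP", "country": "US", "mfa": False},
    {"user": "dave", "app": "Mail Archive", "client": "IMAP", "country": "US", "mfa": False},
    {"user": "erin", "app": "Teams", "client": "Browser", "country": "US", "mfa": True},
    {"user": "frank", "app": "Mail Archive", "client": "IMAP", "country": "BR", "mfa": False},
]


def evaluate(signin):
    """Return what the draft policy would do with one sign-in."""
    if signin["country"] not in ALLOWED_COUNTRIES:
        return "block:location"          # location rule is checked first
    if signin["client"] in LEGACY_CLIENTS:
        return "break:legacy-no-mfa"     # would fail outright once MFA is enforced
    if not signin["mfa"]:
        return "challenge:mfa"           # modern client: user gets an MFA prompt
    return "allow"


def what_if(signins):
    """Tally decisions and list the apps that need remediation before enforcement."""
    decisions = Counter()
    breaking_apps = set()
    for s in signins:
        decision = evaluate(s)
        decisions[decision] += 1
        if decision == "break:legacy-no-mfa":
            breaking_apps.add(s["app"])
    return decisions, sorted(breaking_apps)


if __name__ == "__main__":
    counts, apps = what_if(SIGNINS)
    for decision, n in sorted(counts.items()):
        print(f"{decision:22} {n}")
    print("apps to remediate before enforcing MFA:", ", ".join(apps))
```

Running the same evaluation over a few weeks of real sign-in exports gives IT support a list of applications to fix or exempt before the policy is switched from report-only to enforced.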