By Matthew Gribben, I’m a former Cyber Security and Cryptographics consultant at GCHQ / CESG and currently CTO / Data Protection Officer of a large online retailer

Working from home is nothing new, people have been doing it for years, but 2020 was the year that pushed the WFH model to its limits and may have been the first time for many companies that they have done it at all. The Covid-19 pandemic hit businesses hard and fast; employees were told to stay at home and social distancing was enforced in many countries. Businesses that were already working through digital transformation projects were suddenly forced to look at how they could prioritise home working and rapidly accelerate a movement that has been building over the past 10 years, what is known as “cloud first”.

A decade ago, the priority for most businesses when thinking about their cyber security was the firewall, what is known as the perimeter in cyber security terms, you can think of this as your barbed wire fence surrounding your office keeping the bad guys out. Most software and tasks carried out by staff lived inside this perimeter, your file shares, your office software, your servers the hold the crown jewels of your business, all safely inside the perimeter guarded by a set of firewall rules. Back then in the rare cases where somebody was working remotely, they would ‘dial in’ via a VPN connection, basically extending your perimeter outwards to their home.

Now in 2021 for a significant number of businesses that perimeter no longer exists, your staff use Office 365 and OneDrive where everything lives in the cloud, their identity and your data no longer authorised by a server that lives in your building but now out in the ‘cloud’ beyond the reach of your perimeter firewall. This has obliterated the security afforded to businesses in the past, and many businesses aren’t even aware of it.

Don’t get me wrong, “cloud first” is incredibly empowering for businesses. In a way never previously seen, businesses have the agility to spin up new IT systems in the blink of an eye thanks to the proliferation of SaaS (Software as a Service), suddenly need some project management tools? No problem SaaS delivers, suddenly need some new HR system? SaaS delivers! This is all great stuff, with a couple of minor issues, firstly now the IT department can have absolutely no idea a system is in use in the business (known as ‘Shadow IT’) because pretty much anybody can sign up to some SaaS application and start using it and secondly because all this lives outside the control of the traditional perimeter.

This is without a doubt one of the biggest security issues facing businesses going forward, it presents enormous risk even when the systems are known. Whether its data protection concerns, insider threats or external cyber-crime threats, managing identity and privileges is absolutely critical to a good cyber security posture, vulnerable identities are the pivot upon which many cyber-attacks now depend, be that weak passwords, phishing attempts, or stolen data from somebody else’s breach. The who, what, and why of access control is the new Siegfried line in defence against cyber-attacks targeting employees as well as the public.

So how does a business protect its user identities in this new normal of work from home? Thankfully there are tools to help us, most modern IAM systems (Microsoft Azure AD, Google, Ping, Okta, etc) provide us with at least basic two factor authentication (either via an SMS or an Application) but a less well known, and equally important feature offered to us is called ‘Conditional Access’ or CA. CA policies allow the IT department to define rules about how users can log in, where from, how often, when they should be asked for 2FA, what device they can use and so much more.

Policy enforcement is determined by scenarios and factors (signals) that exist within those scenarios. The rules and factors represent concentric rings of trust: starting with a robustly trustable identity, then fanning out to use signals such as robust 2FA, device type, attributes of a user, e.g., a role claim, operating system, location, and so on. These signals can be collated to build a level of trust that informs the access decision, i.e., can that user access this resource or not? Do they need additional credentials to provide access?

Signals are the perimeter now, and the drawbridge we can pull up is controlled by conditional access. The challenge for business IT departments now is how to define those policies, how to validate them and how to manage them. The more users you have with more varying access requirements the harder this becomes, and it is a challenge that hasn’t yet been fully met.