Over the past few weeks, we’ve received a number of inquiries from executives and practitioners about how best to address the challenges of business continuity emerging with the COVID-19 pandemic, and the need to quickly secure a remote workforce at scale. To help our security community, we launched a resource hub with insights and recommendations for PKI and security professionals.
We sat down for a Q&A with our Chief Security Officer, Chris Hickman, to gain more insights into how to tackle these remote-workforce security challenges.
Full transcript below.
How has COVID-19 affected an organization's day-to-day operations and the overall security posture of the business?
By and large, most organizations have pivoted very effectively to allowing their employees to work remotely to help flatten the spread of the virus by distancing people out of the workplace. It’s great to see this global response – although it's created challenges for business, particularly in the areas of security.
Larger organizations used to having a very diverse mobile workforce probably found the transition to be relatively straightforward. However, this is the first time that we've really tested these types of work arrangements at scale, and there are bound to be hiccups and problems along the way.
In talking to the folks I know in the industry as they've attempted to put their business continuity plans in place, they've certainly paid real attention to security, for obvious reasons. Trying to keep the business data secure while moving folks from their natural working spots to remote spots is a tremendous and daunting task. The scale of security is really being tested in a way that it's never been tested before.
What types of conversations are you having with customers today about this new reality?
We're seeing a tremendous amount of conversation about how they can now or in the future leverage the cloud to mitigate these challenges.
They’re asking questions like, “How are we going to make sure that the data is secure where it sits remotely today versus where it has traditionally sat?” and “How can we still allow people access to their data while sitting outside of the four walls of the organization?”
And then last but not least, "How can we scale?" For example, when you only have 10% to 20% of your workforce working remote, that's a very different model than suddenly having upwards of 95% to 100% of the workforce now being remote.
A whole new set of risk factors has been introduced, where companies are mitigating on the fly, and it certainly presents them with a challenging time in our space and in our industry. However, there's a great opportunity for us to look at security at scale and be comfortable that we have the right strategy and practices in place to keep our employees and data safe.
What are the challenges of shifting, essentially overnight, to a work-from-home model?
One big challenge is scaling security when all the planning in the world probably never considered this type of shift. Literally overnight, thousands of people in each company moved from going into the office every day to now working at home with their families.
My role at Keyfactor requires me to be constantly on the go and travelling, so I'm very comfortable with all this change. I'm also comfortable with our company's ability to keep the data that I have access to secure. I'm also very conscious of how I apply that security when I'm in places like hotel rooms or connecting via a coffee shop Wi-Fi.
Another big challenge for security right now is the people. Employees who are not accustomed to this remote work style, and to the data protection practices and policies that go with it, become vulnerable to security risks. Employees and employers need to rapidly adjust to this reality and look beyond their office walls and cubicles to apply good security hygiene.
By and large, there continue to be people trying to exploit the situation. We've already seen anecdotally an increase in COVID-19 related phishing attacks. Companies of all sizes need to be aware that where there's a situation like this there will be, sadly, those who want to exploit it.
Where do public key infrastructure (PKI) and digital certificate management fit into this picture? How can they be applied to a work-from-home environment at scale?
There's an endless number of possibilities to leverage PKI in this situation and an equal number of potential risks if not properly considered or planned for. Digital certificates remain the number one way to identify your company assets, and make sure that they have secure communications through those assets to remotely manage them.
In a lot of cases, PKI is used to support remote employees through the applications we use for remote support. Companies use digital certificates in the background to secure helpdesk-type communications, which obviously are being heavily leveraged as people adapt today. Certificates are used to identify employees: to log them on over the Internet, and to ensure they are the people who are supposed to be using the company assets.
Furthermore, they may be using some of these underlying digital certificates to decide whether data should be going to that endpoint or not. For example, if I'm trying to download a file to a home machine, without a certificate I’m free to download any type of information that may be safe or corrupted. Whereas if I'm on a work machine, I have a certificate from my company that allows me to download appropriate information.
PKI is a double-edged sword if not properly conceived and planned. Most PKI out there today is not designed to go beyond the traditional network of the four walls of the organization. It's not designed to scale to the cloud and does not have those capabilities built in to reach where the data lives versus just protect the things that are in my four walls. PKI can be leveraged, but the scale must be built in or the PKI must be reconsidered to address the scale.
Now that your IT and security teams are anywhere from a few to hundreds of miles apart from that server room, how can they manage PKI effectively in this new environment?
In a well-designed PKI there are multiple facets of the infrastructure that lend themselves to uptime. With technologies like remote management and remote desktop, it's relatively seamless and transparent regardless of where you are physically located relative to where that asset resides. PKI presents a couple of interesting challenges because the root CA is traditionally offline and requires the physical presence of multiple people.
There are some organizations that sadly have probably not considered, "How do I manage those physical assets that are completely disconnected in this sort of reality?" They may have built their business continuity plan around having certs but not thought through, "How am I going to get three of five people to the server room when they're suddenly hundreds of miles away from each other?"
There's also a compounding effect, since one PKI issues all their certificates. Companies also buy their certificates from a publicly rooted PKI. And, more traditionally, if you don't have good management of those assets, it's very hard now to prioritize what certificates are meaningful for the business at this time.
We like to tell our customers to inventory all the certificates in their organization and figure out where they live and what they protect. Once they do this, they can then prioritize those assets. And they’ll find those priorities have now shifted.
For example, VPN might have been a nice-to-have a week ago. Now it's a need-to-have. Prioritization helps with getting a good handle on the shifting priorities and on what I have to do as a business to adapt either my PKI and/or my certificate lifecycle management platforms.
Gartner and other analysts refer to cryptography as “critical infrastructure.” Any thoughts on this?
I couldn't agree more. PKI has traditionally been a back-of-the-server-room type of technology. I think this type of event helps bring it further forward. But the folks I communicate with are now being asked to do a lot with a limited budget, limited set of tools, and the challenges of distance.
When things settle down and get back to normal, people and organizations will come to the realization that this is something that we can't wait until this type of event to invest in. It needs to be a constant cycle of training and investment to keep these dependent applications secure.