Tuesday, 8 September 2020

IBM: Protecting everyone as they work and engage remotely

Borkar (above) and Tummalapenta (below) break down exactly what it means to protect a remote workforce while supporting secure remote client engagement.

In our new normal, where face-to-face interactions are kept to a minimum, enterprises need to protect employees and the backend, as well as reduce friction for client interactions to encourage sales and satisfaction, said IBM during the IBM Security Summit 2020 ASEAN.

Srinivas Tummalapenta, Distinguished Engineer, CTO & Chief Architect, IBM Security Services, explained that the vulnerabilities are there. One global CIO shared that there has been a 1,500% increase in spam attacks in the month of April alone, he said, as well as more attacks looking for any kind of intellectual capital related to COVID-19.

Aarti Borkar, VP, Offering Management, IBM Security, separated what needs to be protected into three parts. "The first one (is devices) probably owned by the company or the enterprise and you have software to manage these devices," she said. "You have software that allows you to maintain and interact with these devices to ensure there are security levels, (that they) are where you want (them).

"The second set are the ones where you don't have agents on (them). They need to be remotely handled - but you are able to register them. So 'semi-managed' is the category we put them in. This is the category where you have some visibility on, but not entirely. Ideally you want a software backend where both of these categories are a part of your purview.

"The third part of this are devices where you have little to no knowledge about, and they are home machines, personally-owned devices and machines for a lot of your employees. Now given the volume of employees (who) are working from home and the fact that they are very often using personal devices, this has gone from a small set of your population to sometimes a very large set. They are using (them) to interact with cloud storage, devices are being used to interact with the variety of SaaS properties you might have, or supply chain activities etc, and these devices could be hijacked. The minimal information you have about them makes these the highest risk you have."

To protect them all, a unified endpoint management (UEM) technology that supports remote deployment is essential, Borkar said. Technology must also be in place to detect malware, hijacking, and fraud. Security should also be baked into the software.

People-related issues have to be addressed too, through multifactor authentication (MFA) across the entire network, as well as addressing risky behaviour. This means installing a risk engine at the backend that can determine whether a user is genuine and whether to give the person extra authentication. "This combination allows you to be more secure than just a purebred MFA type of solution," Borkar said.

When it comes to clients, authenticate with some context so that clients know why they're providing the information, in a low-friction way. "Why low friction? When was the last time you had somebody to answer four questions on a website and you continued to buy from that vendor? The same thing happens with your clients," Borkar explained.

Tummalapenta also elaborated on the zero trust approach to security that governs the entire strategy. He explained that there are four foundational elements for a zero trust framework: context, verification and enforcement, incident resolution, then fine-tuning.

For context, he said that policies have to be created to guide the provision of "the right application usage for right purposes at the right time through authentication methodologies". Other policies should be created to guide enforcement of any incidents detected.

"On an ongoing basis we have to be able to understand what is happening, analyse the progress that is made, understand what is good, what is not working, and then put in an improvement plan. So this is an approach where we identify and learn and apply additional policies and enforcement and continue to improve things," he added.

Borkar concluded: "We are trying to ensure that the right users, under the right conditions, always get access to what they need - the data that they need to get their job done, to keep their business coming and moving, but ensuring that it is secure at the same time."
