Posted: 13 Nov. 2020

Federated security for the future of work, workforce, and workplace

A blog post by Jay Parekh, senior analyst, Center for Integrated Research at Deloitte.

COVID-19 has created tectonic shifts in how and where we work. The ratio of full-time employees working remotely versus from the physical workplace has almost flipped in a matter of a few months—from merely 3 percent of employees working from home in January¹ to more than 80 percent in May.² While remote working helped to ensure business continuity and to maintain social distancing, it hurled previously unseen security challenges at internal IT teams. Office closures made it almost impossible for employees to access on-premises infrastructure and networks.³ Simultaneously, the rise in remote working created a completely new and heterogeneous IT infrastructure configuration comprising home internet, personal mobile devices, and remote collaboration tools at scale. Ensuring maximum security for this increasingly distributed and, in some cases, new cloud IT infrastructure has raised new cybersecurity challenges for IT teams globally.

To address shifting security concerns, companies must change the way they approach security by implementing a more federated model across distributed work infrastructures. By focusing on proactive defensive monitoring and managing endpoint security, with an aim to enable dynamic sharing of threat information, organizations (across networks) can create a federation to enhance security against known and novel attacks.⁴ Federated security models can effectively mitigate challenges posed by the “new normal,” namely heterogeneous IT infrastructure, remote access management, ineffective physical perimeter security, and secure information-sharing and collaboration in the cloud.

  • Perimeter security of the office: Office perimeter security was important to counter any physical intrusion into the workplace’s IT network; however, remote working is where work is happening, and therefore where security is needed. Federated security can be a key focus as the importance of perimeter security wanes in the short term. Organizations should now focus on securing remote access points, as well as securing every component through virtual alternatives, with a model that will be scalable and can expand to protect workplace infrastructures as return-to-work strategies are executed.⁵
  • Federated security for complex remote work infrastructure: As more people work from home across a range of devices, locations, and technology types (cloud, edge, mobile, and IoT), the cyberattack surface area becomes wider and more complex. It is essential to have security models in place to target specific threats at each infrastructure tier, especially the endpoint level. This can be achieved through a federated security model across every infrastructure tier, device, and process to close security gaps with network segmentation.⁶ DevSecOps, along with AI-based predictive threat management, monitoring, and resolution, can play an important role. Proactive threat detection and remediation are crucial for any organizational IT system in the post–COVID-19 era.
  • Trusted access in a remote world: Identity management was usually a lower priority, with on-premises enterprise solutions given credentialed access to the office itself and to the local network. But in the post–COVID-19 world, where enterprises have had to quickly migrate to cloud in order to facilitate remote work, trusted access and identity management are increasingly gaining importance. A study found that a third of enterprise security attacks on cloud infrastructure are related to poor role-based access control.⁷ A Zero Trust approach to cybersecurity (“never trust and always verify”) can help organizations preserve the integrity and security of their data and assets outside of the perimeter across a range of devices.⁸ Along with this, by enforcing “least privilege,” organizations are able to secure privileged identities.⁹ In one instance, a manufacturing firm implemented a decentralization model with access layers, based on user needs, to secure its data lake and critical information.¹⁰ In another, the Cybersecurity and Infrastructure Security Agency announced an interim Trusted Internet Connection Policy to deal specifically with telework.¹¹
  • Integrated/federated IM solutions: Collaboration and information-sharing across the cloud cyber team in a remote working environment are essential to stay on top of the evolving threat landscape. Organizations are gradually moving away from single-vendor IM solutions to integrated, federated IM solutions to fully leverage cloud providers’ technology to provide coordinated security collaboration across a multicloud infrastructure while ensuring faster threat detection and remediation.

To summarize: yes, the coronavirus pandemic has posed numerous challenges to organizations, but it has also presented opportunities for digitally mature companies to stand out. With work moving away from swanky and secure offices to employees’ homes, securing these dispersed access points is essential for a protected IT infrastructure. That challenge comes with great complexity across an unimaginably heterogeneous network, and a tiered (federated) security model needs to be implemented to enable dynamic threat intelligence and remediation. With embedded zero-anonymity security features, multifactor authentication, and privileged access management, organizations can effectively govern network access at scale. And lastly, with higher security system interoperability and team collaboration through federated IM solutions, organizations can achieve faster threat detection and remediation while working remotely.

Ultimately, a robust federated security backbone can enable organizations to effectively navigate through the complex virtual business infrastructure and thrive in these uncertain times.

This is the third post in a four-part series on the future work infrastructure.

Endnotes

1 Roy Maurer, “SHRM: Employers Say Remote Work Not Here to Stay,” SHRM, May 5, 2020.

2 International Labor Organization, “COVID-19 and labour statistics,” accessed July 30, 2020.

3 Joao-Pierre S. Ruth, “Next Steps for Cloud Infrastructure Beyond the Pandemic,” Information Week, April 29, 2020.

4 Weiliang Luo, Li Xu, Zhenxin Zhan, Qingji Zheng, and Shouhuai Xu, “Federated Cloud Security Architecture for Secure and Agile Clouds”; Department of Homeland Security, “Federated Security,” accessed July 30, 2020.

5 M. Hatala, Ty Mey Eap, and A. Shah, “Federated security: lightweight security infrastructure for object repositories and Web services,” International Conference on Next Generation Web Services Practices (NWeSP'05), Seoul, South Korea, 2005, 6 pp., doi: 10.1109/NWESP.2005.41.

6 Yuri Demchenko, Canh Ngo, Cees de Laat, and Craig Lee, “Federated Access Control in Heterogeneous Intercloud Environment: Basic Models and Architecture Patterns.”

7 Bill Doerrfeld, “3 Key Issues With Hybrid Cloud Transformation,” DevOps.com, July 28, 2020.

8 Deloitte, “Zero Trust cybersecurity: Never trust, always verify,” Dbriefs webinar, July 30, 2020.

9 Louis Columbus, “Protecting Privileged Identities In a Post-COVID-19 World,” Forbes, May 10, 2020.

10 Nikhar Aggarwal, “Charting out your multi-cloud strategy,” ETCIO, March 18, 2020.

11 Libby Bacon, Sean Morris, and Nicole Overley, COVID-19 and the virtualization of government, Deloitte Insights, April 28, 2020.
