
Best Practices in Remote Workforce Cyber Security


The need for remote access solutions to allow remote employees to access business systems and applications has been around for a long time. During the COVID pandemic, this need has exploded. Authenticating the identities of users requesting access has been top-of-mind for defenders charged with preventing the next data breach. Passwordless authentication is changing how remote access solutions are authenticating users.

What is remote access and why is authentication such a big deal for remote users?

Remote access technology enables mobile and remote employees to connect to business systems and networks. Commonly used remote access solutions include VPNs, remote desktop or virtual desktop infrastructure (VDI), and web applications (e.g. web mail such as Outlook Web Access, CRM such as Salesforce, etc.).

While remote access technologies increase employee productivity, they present a serious security vulnerability. A compromised account allows an attacker to easily bypass access controls placed on company resources within the network and establish persistent access to business systems and, in some cases, the corporate network.

Stolen credentials to a public-facing application put the app’s data and capabilities at risk. Compromised passwords to a CRM app, for example, compromise customer data. Credentials to a web mail app lead to business email compromise (BEC) and all the attack opportunities that it enables. And if the accessed app is poorly built, then a skilled adversary can exploit it to access the underlying infrastructure supporting it as well (e.g. its database, network, connected services, etc.).

Compromised credentials to a VPN account mean an attacker is in your network, able to move about, exploit additional systems on the network and hunt for sensitive data. Matters can’t get much worse from a security perspective.

Protecting remote access users

Historically, the first place traditional multi-factor authentication (MFA) was mandated was the company’s remotely accessed business systems and VPN. Password vulnerabilities were patched with a hardware security token to make it harder to gain unauthorized access. The number of employees entitled to access via VPN was small, which kept the logistical and administration headaches and costs at a manageable level.

But over time, more and more employees were given the option to connect remotely. The COVID pandemic forced entire organizations to enable their workforces to work remotely overnight. The speed and scale at which this happened meant they had no time to prepare and train employees. The inevitable result was unprepared remote access users falling prey to a host of attacks on their access credentials, and attackers having a field day at the expense of everyone.

Protecting an entire workforce with hardware security tokens is an extremely expensive undertaking and a huge logistical nightmare. Passwordless MFA solutions are much better suited for these large-scale deployments.

Passwordless Authentication to protect remote access

Passwords are clearly not enough security for protecting remote access. Passwordless multi-factor authentication is the perfect solution for protecting remote access because it takes passwords out of the equation, which means employees cannot surrender them to attackers, and they can no longer be used as a back-door/side-door bypass deliberately or inadvertently left behind for attackers to use. Passwordless solutions are also a lot cheaper and better suited for large-scale deployments.