Securing identities in hybrid environments

In the first post in this series, we identified four key challenges to securing your hybrid workforce: identity, shadow IT, the security vs. productivity tradeoff, and cybersecurity costs.

Today, let’s dive into identity and access management. (We’ll explore the other topics in upcoming posts, so stay tuned.)

Recap: The new perimeter

In 2023, 70% of data breaches involved an identity element, which can be a vulnerability as simple as a stolen password. And that number is growing – Forrester expects it to climb to 90% in 2024.

This is happening for a number of reasons, but hybrid work is high on the list. Instead of badging in to a secure workplace, or using a VPN to access a secure network, we’re working everywhere: from the office, from home, from the coffee shop, at the airport.

And instead of working on-premises solely from company-provided devices, we’re working both in the office and remotely from many devices, including our own personal devices.

We’re also using a ton of apps to get work done. Today we use twice as many apps for work as we did in 2019, according to Gartner.

It’s a lot. And as a result, IT has to manage and secure about 125 apps. We access them from multiple devices and from many different locations, and so the perimeter that IT is tasked with defending is porous and always moving.

It’s no longer possible to build a virtual wall around those company networks and company-provided devices. Instead, securing a hybrid workforce requires verifying identity. Not just “should this access attempt be allowed?” but “Is this person who they say they are?”

If a cyberattack starts with access, every access attempt starts with identity. When you verify identity, you secure the source of the access attempt.

3 aspects of identity security

But how do you do that? What additional security measures help verify identity to secure a hybrid workforce? To answer that, let’s start with a new technology that illustrates why strong identity verification works so well: passkeys.

Passkeys

Passkeys are a more secure replacement for passwords. They consist of two parts: a public key and a private key.

The public key resides with the service you create the passkey for. The private key stays on your device. The two keys are mathematically linked, like interlocking puzzle pieces. When you try to access a service, that service checks to see if the puzzle pieces fit together. If they do, you’re signed in.

Passkeys are often backed by biometrics. You give the service in question permission to check that your private and public keys match up using your device’s built-in biometrics, like your fingerprint or Face ID.

Let’s break down why this is more secure than traditional passwords.

Think back to what you know about multi-factor authentication (MFA). The reason it’s “multi-factor” is because it uses multiple factors to sign you in. Those factors come in one of three forms: something you know, something you have, or something you are.

MFA typically uses two of those three factors. It wouldn’t be particularly secure to back up something you know with something else you know, since both can be stolen.

The password, for example, is something you know. If you use a hardware key (like a Yubikey) for two-factor authentication, you’re combining something you know (your password) with something you have (the Yubikey). That’s harder to falsify.

Biometrics verify your identity with something you are (your face or fingerprint). So while passkeys are something you have (the private key on your device), they’re backed up with something you are (biometrics) when you give a service permission to access that private key.

That’s how passkeys verify your digital identity: by verifying something only you have and something only you are. And the private key never leaves your device, so it can’t be compromised in a phishing attack. In fact, that’s what makes it resistant to most social engineering attempts.

So, passkeys illustrate why verifying an access attempt at the identity level is the secure way to go.

Strong, unique logins

Partly for that reason – and partly because they’re so darn convenient – passkeys are the future (and the present).

But passwords aren’t going away anytime soon. They’re too ubiquitous, too widely supported, and everyone knows how to use them.

That doesn’t change the fact that weak, compromised, and reused passwords are still the weakest link against cyberthreats.

But if we’re juggling dozens if not hundreds of apps, how realistic is it to expect employees to create strong, unique passwords for every app they use – let alone manage all of them themselves?

Not very, which is why an enterprise password manager (EPM) is the key to securing a hybrid workforce.

It doesn’t matter if employees are signing in to an approved app on a company device from the office, or a productivity app on their phone from the airport. If they’re using an EPM, the EPM is doing the work for them.

Companies can set their own minimum security requirements, and the EPM will ensure that every sign-in, on every device, meets those requirements. It can also flag weak, reused, or compromised passwords so employees can fix the problem before it becomes an issue.

That being the case, employees don’t even have to remember, let alone manage, all those passwords. The EPM will simply autofill their credentials for them. This is what it means to make the secure thing to do the easy thing to do.

Most EPMs also support passkeys, to varying degrees. So employees can stop thinking about how they sign in (Password? Passkey? Something else?) and just… sign in.

Principle of Least Privilege (PoLP)

Finally, the principle of least privilege is another key aspect of identity security. PoLP is usually at the heart of a robust zero trust strategy.

The premise is simple: only give people the minimum amount of access they need to do their jobs, and no more. By minimizing the total number of assets someone has access to, you reduce your overall risk and your attack surface.

Again, EPMs make this easier by giving you control over how your employees access, use, and share items. Because you have control over user access, you can permit access in a way that aligns with your security policies. That might mean creating IP restrictions, mandating certain MFA requirements, or integrating with your SSO provider and policies.

Secure digital identities = a secure hybrid workforce

Passkeys, strong, unique logins, and the principle of least privilege help us secure hybrid workforces at the source of each access attempt. And that might be enough, if we knew exactly what employees were logging in to. But with hybrid work, we often don’t.

So in addition to securing access to the apps we know about (managed apps), we have to secure access to the ones we don’t (unmanaged apps, or shadow IT). We’ll explore how to do that – including the mindset shift it requires of IT and security teams, and why single sign-on alone leaves gaps in your sign-on security model – in the next post.

In the meantime, you can learn how to secure your hybrid workforce right now by downloading The new perimeter: Access management in a hybrid world.

Rob Boone

Content Marketing Manager