Layered Security: A Holistic Approach For The Modern Workplace

Forbes Technology Council

Rajat Bhargava is an entrepreneur, investor, author and currently CEO and Co-Founder of JumpCloud.

A year into our collective adaptations to Covid-19, there’s little question that the five-day-a-week, in-person workplace has been permanently disrupted. For both enterprises and SMBs, the shift toward remote and hybrid work models has been the catalyst to reevaluate security strategy.

Each and every access transaction — for files, devices, applications, networks, servers and systems — needs to be treated as a potential threat, from employees’ first touch at onboarding to their last day.

Gartner predicts, “By 2024, 30% of large enterprises will newly implement identity-proofing tools to address common weaknesses in workforce identity life cycle processes.” Let’s be clear: 30% is shockingly low. Modern businesses and the work-from-anywhere model can’t be secured through old models of authentication and access.

From Patchwork To Layers

Covid-19 accelerated the shift away from in-office work. The physical domain around which many solutions were built is gone. The castle-and-moat approach to security means little when the castle has disappeared entirely. With assets distributed around the world, the balance of security (ensuring files, applications, networks and servers are protected) and convenience (ensuring that end users have easy and quick access to their needed resources) has never been so critical.

As it stands, IT admins are cobbling together various tools, from directory services and single sign-on (SSO) to device management, creating a complicated patchwork of solutions in an attempt to bridge yesterday (legacy, often on-prem solutions that still power much infrastructure) and the future (cloud-forward next-gen solutions that evolve rapidly). Managing that patchwork is cumbersome. IT admins report managing 15-20 security tools for small business — and up to over 130 for enterprises.

Worse, the patchwork often isn’t working. Hackers are increasing their phishing attacks and deploying malware and methods that take advantage of vulnerabilities specific to remote work. 

A next-generation layered security (e.g., zero trust) approach manages users’ identities and how IT resources are accessed by remote workers. Organizations can achieve this by verifying users, devices, networks and authorization rights while confirming transaction context, effectively drawing a virtual security perimeter systemically around each access transaction. 

The Value Of Interconnected Layers

The key to securing the modern domainless enterprise is securing each access transaction. Such an approach begins by acknowledging multiple realities: 

• Legacy systems aren’t going to be replaced quickly. Solutions need to address the traditional model while preparing to migrate to a future-facing one.

• Teams must have a dynamic authentication stack that meets security needs across the spectrum.

• In the absence of standards, teams need to plan for various protocols to enable different types of resources.

• Security must be layered to protect every transaction.

• The world will no longer be an on-prem, in-office environment.

By addressing the five layers below, organizations can adopt a holistic security approach that offers modern protections against modern threats. 

Layer 1: Identity

Start by establishing whether the right identity (human or machine) is attempting to access a resource. Standard username and password combinations should be bolstered with multi-factor authentication (MFA), such as a token or phone app. Machine identities for automation need to be confirmed and verified on an ongoing basis, as well. Federated identities across resources and implementing SSO to web applications and all IT resources can simplify the user experience without sacrificing security. 

Layer 2: Device

The line between personal and professional is blurrier than ever, as kitchen tables become desks and shared devices among family members are common. One regularly overlooked step in addressing this is establishing and communicating company device use policies and security best practices.

For company-managed devices, mobile device management (MDM) can mitigate against theft, compromise or loss by instantly wiping or locking a machine. For bring your own device (BYOD) environments, consider installing company-managed agents that give security control to admins in the most serious cases of breach, and be sure to install or offer antivirus software. Foundational configurations, such as enforcing full-disk encryption, anti-theft components such as activation lock and “find my,” screen lock, and more should be straightforward to set up.

Layer 3: Network

There’s little question that securing the network is exponentially trickier with distributed workforces. Establishing network trust ensures that allowed network traffic is limited and safe. For remote workers, whitelisting individual IP addresses to implement trust/deny network authentication might be possible for smaller organizations; for enterprises, restricting traffic to a range of IP addresses might be more realistic — or funneling traffic through a VPN. Consider geofencing to limit access only from designated geographic locations, as well, if possible for your organization. 

Layer 4: Authorization/Context

Perhaps one of the most critical layers is ensuring that the right identity has the right level of access. Referred to as authorization rights, each person or machine identity should be granted the minimum level of access (don’t give admin access to someone who just needs to use the IT resource, not administer it). Combined with conditional access, which sets rules for access/authorization based on context such as the user’s identity and permissions, the location of the attempted authentication and the device making the authentication request, this layer can be a powerful layer of protection against compromise.

Policies can be fine-tuned toward roles or behaviors. For a user known to work from home, a policy could prevent access from any unknown IP address; for an employee who has to travel, a policy could allow unknown IPs but require step-up authentication in the form of MFA or biometrics. 
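The network and context rules from Layers 3 and 4 can be expressed as a small policy evaluator. The following is an added example, not code from the article or from JumpCloud: it assumes a request carries the attributes the text names (user and permissions, source IP with an upstream country lookup, device management state) and a per-user policy that models both the fixed-location user, denied from unknown IPs, and the traveller, allowed from unknown IPs only after step-up MFA. The policy model, attribute names and sample users are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy model (hypothetical; not any vendor's API).
# A request carries the context the article names: identity and permissions,
# where the authentication attempt comes from, and what device makes it.

@dataclass(frozen=True)
class AccessRequest:
    user: str
    resource: str
    action: str            # "read" for normal use, "admin" for administration
    source_ip: str
    country: str           # assumed to be derived from IP geolocation upstream
    device_managed: bool   # enrolled in MDM or running a company agent
    mfa_satisfied: bool    # step-up MFA already completed for this session

@dataclass
class UserPolicy:
    roles: set             # least privilege: "admin" actions need the "admin" role
    trusted_networks: list # CIDR ranges treated as known locations (Layer 3)
    allowed_countries: set # geofence; empty set means no geofence
    unknown_ip_mode: str   # "deny" for fixed-location users, "step_up" for travellers

DENY, ALLOW, STEP_UP = "DENY", "ALLOW", "STEP_UP"

def evaluate(req: AccessRequest, policy: UserPolicy) -> tuple:
    """Return (decision, reason). Hard failures (authorization, geofence,
    device) short-circuit before the network and step-up logic runs."""
    # Layer 4: authorization - admin actions require the admin role
    if req.action == "admin" and "admin" not in policy.roles:
        return DENY, "action requires admin role"
    # Layer 3: geofencing - only designated countries may authenticate
    if policy.allowed_countries and req.country not in policy.allowed_countries:
        return DENY, f"country {req.country} outside geofence"
    # Layer 2: device trust - administration only from managed devices
    if req.action == "admin" and not req.device_managed:
        return DENY, "admin action from unmanaged device"
    # Layer 3: is the source address inside a trusted range?
    ip = ipaddress.ip_address(req.source_ip)
    if any(ip in ipaddress.ip_network(net) for net in policy.trusted_networks):
        return ALLOW, "trusted network"
    if policy.unknown_ip_mode == "deny":
        return DENY, "unknown IP for fixed-location user"
    # Traveller: unknown IP is tolerated, but only with step-up MFA
    if req.mfa_satisfied:
        return ALLOW, "unknown IP, step-up MFA satisfied"
    return STEP_UP, "unknown IP, step-up MFA required"

# Constructed sample policies: alice works from a fixed home network,
# bob travels. Addresses are from documentation ranges.
ALICE_POLICY = UserPolicy(roles={"user"}, trusted_networks=["203.0.113.0/24"],
                          allowed_countries={"US"}, unknown_ip_mode="deny")
BOB_POLICY = UserPolicy(roles={"user"}, trusted_networks=[],
                        allowed_countries={"US", "GB"}, unknown_ip_mode="step_up")

def demo() -> dict:
    """Evaluate a handful of constructed requests and return decisions by case."""
    cases = {
        "alice_home": (AccessRequest("alice", "files", "read", "203.0.113.7", "US", True, False), ALICE_POLICY),
        "alice_unknown_ip": (AccessRequest("alice", "files", "read", "198.51.100.5", "US", True, False), ALICE_POLICY),
        "bob_hotel_no_mfa": (AccessRequest("bob", "files", "read", "198.51.100.5", "GB", True, False), BOB_POLICY),
        "bob_hotel_mfa": (AccessRequest("bob", "files", "read", "198.51.100.5", "GB", True, True), BOB_POLICY),
        "bob_outside_geofence": (AccessRequest("bob", "files", "read", "198.51.100.5", "FR", True, True), BOB_POLICY),
        "bob_admin_no_role": (AccessRequest("bob", "files", "admin", "198.51.100.5", "GB", True, True), BOB_POLICY),
    }
    return {name: evaluate(req, pol)[0] for name, (req, pol) in cases.items()}

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:22s} -> {decision}")
```

The order of checks matters: authorization and geofence are evaluated before the network check so that a trusted IP never lets an unauthorized action through, and the step-up path only applies to users whose policy explicitly tolerates unknown addresses.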

Layer 5: Monitoring

Monitoring everything — authorization attempts, transaction frequency, time of day, IP deny rates, authentication preferences — is essential for instantaneous threat detection and provides the quickest way to mitigate breaches. Monitoring can catch risks (e.g., bad browser extensions, weak encryption and user pattern anomalies) while allowing for instant log access for forensic examination.
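Two of the signals listed above, IP deny rates and time-of-day patterns, can be pulled out of access-decision logs with a few lines of detection logic. This is an added example, not code from the article or from JumpCloud: the log format, the sample lines and the thresholds are constructed for illustration, and a real deployment would evaluate working hours in each user's own time zone rather than in UTC.

```python
from collections import Counter
from datetime import datetime

# Constructed sample access-decision log (not real data). Fields:
# ISO-8601 UTC timestamp, user, source IP, decision, reason.
SAMPLE_LOG = """\
2021-03-01T09:02:11Z alice 203.0.113.7 ALLOW trusted_network
2021-03-01T09:05:40Z bob 198.51.100.5 STEP_UP unknown_ip
2021-03-01T09:06:02Z bob 198.51.100.5 ALLOW mfa_satisfied
2021-03-01T03:14:09Z alice 192.0.2.10 DENY unknown_ip
2021-03-01T03:14:15Z alice 192.0.2.10 DENY unknown_ip
2021-03-01T03:14:21Z alice 192.0.2.10 DENY unknown_ip
2021-03-01T03:14:30Z carol 192.0.2.10 DENY unknown_ip
2021-03-01T03:14:35Z dave 192.0.2.10 DENY unknown_ip
2021-03-01T10:30:00Z carol 203.0.113.22 ALLOW trusted_network
"""

def parse(log_text: str) -> list:
    """Turn the whitespace-separated log into a list of event dicts."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result, reason = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "user": user, "ip": ip, "result": result, "reason": reason})
    return events

def ip_deny_rates(events: list) -> dict:
    """Map each source IP to (deny_rate, attempt_count)."""
    totals, denies = Counter(), Counter()
    for e in events:
        totals[e["ip"]] += 1
        if e["result"] == "DENY":
            denies[e["ip"]] += 1
    return {ip: (denies[ip] / totals[ip], totals[ip]) for ip in totals}

def find_alerts(events: list, deny_threshold: float = 0.8,
                min_attempts: int = 3, work_hours: tuple = (7, 20)) -> list:
    """Return (kind, subject, detail) tuples for two signals:
    - high_deny_rate: one IP mostly denied across several attempts (a single
      address cycling through many users is listed with its user set);
    - off_hours: users attempting access outside the configured window.
    Hours are evaluated in UTC here; an assumption for the sample only."""
    alerts = []
    for ip, (rate, count) in ip_deny_rates(events).items():
        if count >= min_attempts and rate >= deny_threshold:
            users = sorted({e["user"] for e in events if e["ip"] == ip})
            alerts.append(("high_deny_rate", ip,
                           f"{count} attempts, {rate:.0%} denied, users={users}"))
    off_hours = Counter(e["user"] for e in events
                        if not (work_hours[0] <= e["ts"].hour < work_hours[1]))
    for user, count in sorted(off_hours.items()):
        alerts.append(("off_hours", user, f"{count} attempt(s) outside {work_hours}"))
    return alerts

if __name__ == "__main__":
    for kind, subject, detail in find_alerts(parse(SAMPLE_LOG)):
        print(f"[{kind}] {subject}: {detail}")
```

Because the policy layer already records a reason with each decision, the monitoring layer does not need to re-derive why access was refused; it only has to aggregate those decisions by IP, user and time to surface patterns that a single denied request would not reveal.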

By considering a next-generation layered security approach revolving around the identity and access transaction, enterprises can safeguard against credential theft, social engineering attacks, phishing attempts and poor employee security hygiene while maintaining a simple and easy experience for employees.
