The remote workforce has come under collective scrutiny where security is concerned, and in many ways it has come up lacking. That may be no surprise, but the suggested changes are sweeping in their potential scope. The FBI has suggested moving beyond traditional user identification methods such as MFA, and one alternative that strengthens security for remote workers is certificate-based authentication. The NSA, in turn, issued a decisive guideline on the kinds of telework platforms government agencies should be using. In short: end-to-end encryption. The debate over encryption remains unsettled and Five Eyes has not backed down from its demand for backdoors, yet the necessity of the times has proven encryption's utility.
What happens when work-from-home government employees use their own devices? The NSA issues guidelines for how those devices should be used.
“The primary audience for this guidance are U.S. Government employees and military service members engaging in telework, especially telework employing personally owned devices such as smartphones and home computers,” reads the NSA memo.
With so many first-time work-from-homers, it's hard to tell what level of security is in use across the board. It may be safe to assume that, on many teleconferencing calls, the privacy and security settings that came out of the box are all that are in use. And, according to the NSA, it may be safe to assume that is often not enough.
According to the guidelines, teleconferencing apps used by government workers should meet these criteria:
- End-to-end encryption
- Well-known encryption standards (RSA, Diffie-Hellman, etc.)
- Multi-factor authentication
- Visibility over who connects to sessions
- Prevents data sharing with third parties
- Ability to delete data from repositories as needed
- Open source code (only Signal and Wickr were open source, according to the NSA's rundown)
- Certified by a nationally recognized security organization
The NSA included a chart comparing a host of popular videoconferencing options and measuring them against the above criteria.
Privacy and data security are no longer niche selling features; they are at a premium in the stay-at-home environment. With schools, churches and businesses choosing from an array of online communication tools, it's a buyer's market and security is a key selling point. The NSA's guidelines are more than good practice: they let people hold vendors to account for their security practices and measure those practices against an objective standard, something arguably needed in the world of consumer tech.
Multi-factor authentication is so ten minutes ago (at least according to some). With MFA now common practice for many work-from-homers, what would it take to replace it with something stronger?
In the mad rush to get everyone online and working (from anywhere, mostly home), we may have neglected our due diligence on security, to put it lightly. According to conservative reports, cyberattacks have increased by 33%; according to others, by 500%. Either way, while we were neglecting the finer points of endpoint security, cybercriminals were ahead of the game.
Should we make it harder to play?
Moving away from consumer passwords and MFA
Black hats have had it easy when it comes to poaching user accounts. The big payoff is in corporate breaches, but those systems are harder to crack than user accounts: cryptographic keys and encrypted databases present a sharper challenge than usernames and passwords, especially when so many human credentials are reused and poorly managed.
Knowing the gap between consumer security methods and current attacker capabilities, the FBI has even suggested moving away from traditional MFA because it is easier for cybercriminals to attack. How can we reimagine authentication? Cryptographic authentication protocols, for one, rest on mathematics rather than on a secret the user has to remember and type, so they are far harder to defeat. Identifying users with digital certificates (backed by a strong private PKI) is therefore a potential alternative.
Instead of passwords, which can be misused or forgotten, stolen or cracked, digital certificates (already in use to identify machines) can identify humans and replace passwords in multiple use cases: Wi-Fi logins, VPN access and DaaS (desktop as a service). The upside of moving to a fully digital PKI for private use is that in an authentication exchange the private key never leaves the user's device: the device proves possession of the key by signing a challenge from the server, and only the public certificate and that signature are sent (which also makes logins more seamless). Because no reusable secret is transmitted or stored on the server, a breach of one service does not yield a credential that can be replayed against another, so the risk of compromise-by-reuse drops sharply.
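What that exchange looks like in practice, as an added example in Go (standard library only; not code from the article or from any vendor it mentions): it stands up a small private PKI, issues a user certificate, and has a VPN-gateway-style server require and verify that certificate over mutual TLS, the same handshake that EAP-TLS Wi-Fi and certificate-based VPNs use. The CA name, the gateway name vpn.example.test, the user alice@example.test and the 24-hour certificate lifetime are assumptions for the demo; the two rejected cases show what the gateway does with a self-signed impostor and with a client that has no certificate at all.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// template builds a minimal X.509 template; the names and the 24-hour lifetime are demo assumptions.
func template(cn string, serial int64, ku x509.KeyUsage, eku []x509.ExtKeyUsage, dns []string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  ku&x509.KeyUsageCertSign != 0,
		BasicConstraintsValid: true,
		KeyUsage:              ku,
		ExtKeyUsage:           eku,
		DNSNames:              dns,
	}
}

// issue generates a P-256 key pair on the holder's side and certifies it; returns the parsed cert and the holder's TLS bundle.
func issue(tmpl, parent *x509.Certificate, issuerKey crypto.PrivateKey) (*x509.Certificate, tls.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	if parent == nil { // self-signed: the root CA here, and the impostor in main
		parent, issuerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, issuerKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}
}

// BuildPKI issues an enterprise root CA, a VPN gateway certificate and one user certificate.
func BuildPKI() (ca *x509.Certificate, gateway, user tls.Certificate) {
	ca, caBundle := issue(template("Example Corp Root CA", 1, x509.KeyUsageCertSign, nil, nil), nil, nil)
	_, gateway = issue(template("vpn.example.test", 2, x509.KeyUsageDigitalSignature,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, []string{"vpn.example.test"}), ca, caBundle.PrivateKey)
	_, user = issue(template("alice@example.test", 3, x509.KeyUsageDigitalSignature,
		[]x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, nil), ca, caBundle.PrivateKey)
	return
}

// Authenticate runs one mutual-TLS login against a gateway that trusts ca; client is the device's credential (nil = none).
func Authenticate(ca *x509.Certificate, gateway tls.Certificate, client []tls.Certificate) (string, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{gateway},
		ClientAuth:   tls.RequireAndVerifyClientCert, // no certificate, or one from another CA, is rejected
		ClientCAs:    pool,
	}
	cliCfg := &tls.Config{RootCAs: pool, ServerName: "vpn.example.test", Certificates: client}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	must(err)
	defer ln.Close()
	go func() { // the remote device: connect, prove possession of its key in the handshake, read the reply
		if cli, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
			_, _ = io.ReadAll(cli) // under TLS 1.3 a rejection surfaces here, after Dial has returned
			cli.Close()
		}
	}()
	conn, err := ln.Accept()
	must(err)
	defer conn.Close()
	srv := conn.(*tls.Conn)
	if err := srv.Handshake(); err != nil {
		return "", err // e.g. "tls: client didn't provide a certificate"
	}
	subject := srv.ConnectionState().PeerCertificates[0].Subject.CommonName // the verified leaf
	_, err = srv.Write([]byte("welcome " + subject + "\n"))
	return subject, err
}

func main() {
	ca, gateway, alice := BuildPKI()
	_, impostor := issue(template("alice@example.test", 99, x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, nil), nil, nil)
	fmt.Println(Authenticate(ca, gateway, []tls.Certificate{alice}))    // alice@example.test <nil>
	fmt.Println(Authenticate(ca, gateway, []tls.Certificate{impostor})) // self-signed, not from our CA: rejected
	fmt.Println(Authenticate(ca, gateway, nil))                         // no certificate at all: rejected
}
```

Run it with `go run main.go`: the first line prints `alice@example.test <nil>`, the other two print an empty subject together with the handshake error. The user's private key is generated on the client side and is only ever used to sign the handshake; the gateway sees the certificate and the signature, never the key, which is the property the paragraph above relies on. In production the key would live in the device's TPM or keychain rather than in process memory, and the CA would be an offline root with an issuing intermediate rather than a single key in one binary.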
Challenges of running a fully digital PKI for your remote workers
However, inherent in any new opportunity is a batch of new struggles. It's one thing to have digital certificates; it's another thing to protect them.
To make sure your digital certificates protect you effectively, they need to be issued by trusted CAs (do your research), inventoried and kept current (full visibility), renewed at regular intervals (automation, anyone?) and revoked promptly when a device is lost or a user leaves, among other things. The private key is only as safe as the device holding it, so keep it in hardware-backed storage (a TPM or secure element) wherever you can. It's like having a dog: shots, vets, walks. You've got to keep up with it.
Switching all your employees from passwords and MFA logins to certificate-based credentials is a decisive move. But, weighed against the average cost of a data breach, a full PKI overhaul for all your remote workers might be worth it. Cyber attackers have to stay at home, too, and we all know what they've been doing.