When we began this journey nearly six months ago, COVID-19 was just starting to get out of control and the various state shutdowns were on the distant horizon. While the scientists and medical professionals tell us we are still in the first wave of the pandemic with record numbers of new cases reported almost daily, many states are starting to re-open operations, schools are scheduled to open later this month in some states and many employees are returning to work in their offices. It might appear that business is getting back to “normal,” but it simply is not. A new normal that we have yet to fully understand has permeated both the business world and society at large, and COVID-19 does not care if people are bored with talking about it.
Companies faced an unprecedented challenge a few months ago when they needed to figure out a way to move millions of workers from on-premises to a work-from-home model, but now we are seeing the opposite scenario play out and it is just as confusing and difficult. From the perspective of the corporate security teams, those employees who are returning to the office present a challenge as big as the one when they left.
The digital transformation that companies were forced to employ to accommodate the new work-from-home staffers does not disappear just because they once again work from the office. Similarly, the asset management challenge companies faced when they sent their workers home does not go away just because many, but often not all, are returning to the office.
Shadow IT remains a huge issue. In many companies, users are creating more and more new computing assets in the cloud, while the information security staffs likely have not grown and might well have shrunk.
If you are an information security professional who is trying to get your arms around the growing shadow IT environment and hoping against hope that the cloud resources that you employed, perhaps without a full vetting, are working the way they’re supposed to, you are not alone. A forced digital transformation program is never easy; trying to find the hidden assets in the cloud sometimes feels like a Sisyphean effort.
So, where do you start? As with any such effort, you start at the beginning. Imagine that you are walking into a new job in a new environment. Your first step should be to discover where the assets are.
Network scanning and identification of assets on your corporate network are good starting points, but perhaps the cloud and endpoints will give you better information. It is not enough to identify only officially authorized cloud providers; you need to go to each department and, often, each employee to identify the cloud instances they use. Do not forget to ask about personal email and other cloud accounts that employees use for business purposes.
Remember that “assets” are not just hard assets like servers, but also virtual machines, cloud instances, bit buckets, cloud backups, email accounts, software and a plethora of other non-physical, for want of a better word, things. It also is important to remember that not all assets have IP addresses, so identifying and counting assets is often akin to hide-and-seek.
Remember, too, that many of the remote employees likely are using routers and cable modems that might never have been updated with security patches and perhaps are using default credentials from the ISP or manufacturer. Considering that you might not be able to touch every network device on the employees’ home networks, make sure you put policies and procedures in place, such as zero trust and other security controls, so that remote users and any device they use must be authenticated each time they try to access corporate data.
Returning employees might well be returning to work with potentially compromised devices — a veritable BYOB, or bring your own breach. Even corporate systems that have been out of the IT department’s control have potential vulnerabilities on them, so you should treat every asset that returns inside the corporate firewalls as suspect.
Do not assume that security controls you had in place before the pandemic are going to work as expected. Shadow IT and unknown assets on the network are always the bane of the CISO’s existence. Making a fresh start with a thorough analysis of each and every endpoint, cloud instance and network-attached device will ensure that your network isn’t plagued by rogue devices, shadow IT or infected devices. That’s important because the pandemic is not going away any time soon, nor are the asset management challenges associated with it.