Author: Justin Dolly, CISO at SecureAuth
Long gone are the days of giving gold watches to 40-year career employees. For enterprises across industries, the gig economy is increasing. And while it provides businesses and employees opportunity and flexibility, when it comes to protecting data and other sensitive information, the gig economy can bring major security challenges.
“Gig economy” is a relatively new term, but it’s hardly a workplace anomaly. While employers have historically needed to rely on short-term work by freelancers, independent contractors and temporary employees, the term has recently become synonymous with ride-share drivers and food couriers. More and more, the gig economy applies to more conventional jobs such as software programmers, multimedia production specialists and even CPAs.
The rise of ‘gig economy’
According to Gallup’s The Gig Economy and Alternative Work Arrangements, 36 percent of U.S. workers reported doing gig work in 2018. For them, the major benefits are autonomy and acquiring new skills. Employers also benefit in many ways, but there’s a significant issue to address: How to intelligently provide gig workers with secure and easy access to the systems and resources they need while restricting access to areas where they do not need thereby limiting attack surface area.
The reality is that old, complex identity and access management (IAM) frameworks and strategies, such as two-factor authentication, have become inefficient to safeguard employees and businesses against today’s threat landscape.
Plus, those operating in “alternative work arrangements” are using their personal accounts – often from unsecure locations with public Wi-Fi connections in cafes, airports and communal work spaces – and they probably have more than one “gig,” too. New industry and government regulations have rendered legacy solutions inadequate, particularly with regard to the GDPR. The Dickinson Wright PLLC law group explains how tricky it is for human resources departments to comply.
The bottom line is, today’s workforce changes too rapidly for existing IAM implementations, which can’t just be tweaked to keep track of who should have access to what. Organizations need to account for orders-of-magnitude increases in abandoned and orphaned accounts while efficiently and effectively managing access to their data and systems.
Providing the right access at the right time
Here are five strategies to ensure that temporary gig workers have just the right amount of access to do their jobs while you simultaneously protect your most valuable assets and still comply with ever-changing regulations:
1. Ensure that your admins have clear visibility into what every worker – full-time or temporary – has access to.
Generally speaking, users should be granted the least-entitled privilege related to their roles. For example, sales reps should not have access to executive agendas. Human resources personnel shouldn’t have access to internal marketing data. Issues arise when positions change but the privilege doesn’t, which results in too much access. The problem here is that access reviews are generally time-consuming and tedious. Fortunately, contemporary IAM solutions include role-based access controls to mitigate the risk.
2. Employ adaptive authentication.
The vast majority of security experts – including The National Institute of Standards and Technology(NIST) – agree that two-factor authentication (2FA) is now easily circumvented by attackers. Just look at the last year’s rash of attacks bypassing 2FA, including those discovered by Amnesty International that targeted Google and Yahoo accounts. Adaptive authentication performs invisible risk analysis checks to confidently determine the legitimacy of each login attempt. For instance, device recognition, IP reputation, geolocation and behavior analytics.
3. Enforce recertifications for privileged assets.
The most effective way to ensure that only the right people have the right access to the right assets at the right time is to continually set and reset privileged-access parameters. This can be accomplished by looking at a wide variety of risk factors to check every user’s identity, such as the way they type, the time of day, their IP address and if their location changes (e.g., if someone logged in from California at 11:15 a.m. and then from Nebraska at 11:45 a.m., something might be awry).
4. Vigilantly monitor and close orphaned accounts.
Leaving accounts open without deprovisioning them after a contractor’s work concludes is like giving a handyman the keys to your house and never taking them back. Essentially, you’re inviting an invasion/attack. Regularly conduct audits of user accounts to ensure that orphaned accounts are properly shut down and access to your systems is deactivated.
5. Check, check and check some more.
While you don’t want to require your gig employees to constantly re-enter their credentials, one-time access isn’t enough to ensure they have the right type of access. By configuring your IAM system to intelligently and repeatedly verify the worker’s identity, you can both ensure secure access while adjusting authentication parameters only when they’re truly needed.
New ways of working mean a new IAM paradigm
The new-wave gig economy provides both workers and employers with greater flexibility, convenience and capabilities neither would have known or experienced otherwise. It also comes with significant risks and concerns regarding how to protect an organization’s most valuable assets. By following the above strategies and by making IAM truly integrated with their security postures, companies will be better able to operate and thrive in a world where old ways of doing things vanish, and better ones emerge.
This article originally appeared on SC Magazine on May 16th, 2019