How do you handle identity and access management for remote workers and devices?

For everything to work correctly, a password black list must be implemented in the organization, blocking common passwords by users, constant training of everyone involved, the best way would perhaps be passwordless authentication, and not just multi-factor authentication, excellent security is that which is done in layers until reaching the maximum desired level.

As we shift away from using passwords for ease of use while keeping strong authentication, other methods such as biometric must evolve to replace passwords wrapped by another layer of authentication such as MFA.

When we think about authenticating remote workers, we need to start by defining the types of workers we're dealing with: for example, a software developer in their home office, versus a field technician servicing telephone lines. These types of workers may have very different levels of understanding of authentication technologies, and have different things accessible. The WFH dev probably can have a Yubikey handy at all times, but the field technician may very well not. When thinking about the types of authentication factors we can implement, we should find something that will serve everyone's environment. Our biometrics, for example, we take with us everywhere we go.

Beyond the standard practices of complex passwords and multi-factor authentication (MFA), consider implementing adaptive authentication. This approach evaluates various risk factors, such as user behavior and location, to adjust authentication requirements dynamically. By using context-aware authentication, you can strike a balance between security and user convenience, providing stronger protection without adding unnecessary complexity for legitimate users.

In addition to these tools, we must also address conditional access, and a zero trust mechanism that brings together various signals to make decisions and impose organizational policies. It is important to highlight that these policies are imposed after the MFA is completed, but signals from these events can be used to determine the access.

Apart from RBAC, have location-based MFA triggers can help enhance security. Eg: if certain applications should not be accessed from outside a trusted network, or the country your organization is in, you can block access by not allowing MFA. For instances where employees can access apps remotely, the MFA prompt frequency can be adjusted to ensure more frequent validations when not on trusted networks.

Role based access for persistent needed access must be further tailored to have enough rights to perform tasks required and it can not be one role that encompass multiple functions for ease of configuration.

in addition to RBAC and ABAC, consider leveraging just-in-time (JIT) access provisioning. JIT grants users temporary access to resources based on approval workflows, minimizing the risk associated with standing privileges. By limiting access duration, you reduce the attack surface and improve compliance with regulatory requirements, ensuring that permissions align with the principle of least privilege.

There are some monitoring tools such as UEBA (User and Entity Behavior Analytics), to analyze user behavior, this helps in investigating a user who has connected to a VPN for example, who had never used it before, which is an activity anomalous.

All users may be required to authenticate when activating the VPN, in addition, users must be added to a conditional access policy, analyzing all events to detect anomalies and the security operator is notified and must take action.

Beyond using VPNs and firewalls, consider implementing a zero trust architecture (ZTA). ZTA operates on the principle of "never trust, always verify," requiring continuous validation of user and device identities before granting access. This model minimizes the risk of lateral movement within the network by attackers and ensures robust protection against evolving threats. Additionally, regularly test and update your security measures to adapt to new vulnerabilities and attack vectors.

Carry out regular checks, constant training of users and the IT team to get it done, there needs to be a standard nowadays we have AI that can be implemented little by little in organizations, it is always good to test the tools and methods to be used first.

Show your commitment by implementing the new protocols in your own daily tasks. Share your experiences, including challenges and successes, to humanize the process and inspire the team.

In addition to strong authentication and granular access controls, focus on a zero trust approach, emphasizing continuous verification of users and devices. Integrate advanced analytics for real-time monitoring and predictive threat detection. Implement just-in-time access provisioning to minimize risk exposure. Enhance data security with encryption and adaptive security measures. Regularly review and update IAM policies to address evolving threats, ensuring a secure and efficient remote work environment. Engaging in continuous learning and staying updated with the latest IAM trends will further strengthen your organization's security posture.