The, the thing I'd like to talk about is five recommendations to make your work from anywhere environment more secure. And we all know work from anywhere is for a certain share of our workforce. It's the reality, not for everyone, but for many. And clearly we have organizations.
So I, I was always a work from anywhere person in some way, because ahead of the pandemic, I had this German BahnCard 100 First, so the prepaid full-year ticket, and I, so to speak, I, I, I fully used it. So I worked a lot from the train. I work still a lot from home. I worked from the office, whatever, but for us it was new.
And, and for many organizations, it was a challenge because the, the shift we have in the pandemic meant the way we work is changing. It will never be the same. I think we, we hear this also when we look at organizations and whatever, the McKinsey of the world advising about how will the, the work in future look like it will change. And I had some interesting conversation during that conference.
How do we, what, how will the, the office part of our work look like in future? These are interesting questions, but for today, I'm, I'm looking more at the, the secure I'll I'll, as I've said, five recommendations, have a look at five things. And the one I'd like to start with that is passwordless and MFA. So passwordless and MFA is when we think about how to make work from anywhere more secure, from my perspective, not only from it is even when you work from the office, it's important, regardless of where you are. It is the thing to do. If you are not MFA.
So multifactor authentication today, then we have a problem. And the US CISA, so their cybersecurity agency that advises on, on what is a good practice or a bad practice, formally declared single-factor authentication being a bad, bad practice recently, which also in on the other hand means if this is the only way to come in, then it's not the right way to do. On the other hand, if I look at eCommerce. So when I go shopping for something in the internet, I would say I'm still at 90%, maybe 95% or 98% of retail sites in the internet, which only offer me username password.
Some are at least the smartest to say, okay, you can just check out via PayPal or Amazon Pay. And we don't need to that information. We build under the other thing than, than it's one level more, but it's still a long way to go, obviously for many.
And, and when we think about MFA, we should think about passwordless. Passwordless at the end means there is no password traveling anymore, which makes a huge difference. Because if you have passwords somewhere, then whatever that LinkedIn has tens of millions, hundreds of millions of passwords or password hashes or whatever in one place, if you use your fingerprint, there's not a database of 70 million or a hundred million or whatever records describing the, your finger because it's held locally on the device. Keys are traveling, it's cryptographic information, which is traveling.
And the cool thing is passwordless what I like is, so the downside is you always are registering the device. So you always, you change your device. You need to rear you're using multiple devices. And for each device, you need to go through a step.
The first time you use it, that's a little bit, little bit annoying, but I think it's a hard, hard problem to solve, because if you would do it with the central registry for your devices, then you would build, again, this, this, this point of attack. The cool thing with passwordless is it helps with having both convenience and security, which we not that frequently managed to do. It's way more convenient than traditional keeping passwords in mind. And it's more secure. So good thing.
And, and the point is the, the more people are mobile working from anywhere, the more the risk is that devices get in the wrong hands. That, and they are approached by some form of phishing, and phishing attacks still are a thing, and phishing attacks, sometimes when they're targeted, if that they are sometimes very sophisticated. So what do we want to make this, this environment more secure? But people work with different devices from everywhere.
It all starts at the end with a strong but convenient authentication, which doesn't make our people carry around whatever small notebooks with their passwords or stuff like that. And that means go passwordless and MFA. The second thing I'd like to talk about when we, when we discussed the S being device aware, so understand which devices are used, what it means, what a risk brought in from the devices. If you can manage the device, then manage the device. If you can't manage the device, then understand the risk of the device is slightly higher.
Then if you have a corporate managed device, but also be clear about the fact that you, you will not be able to, to reduce this to a certain, to standard of, of devices, devices, people want choice, and people will need more choice in a work from anywhere environment. We we've learned this. I think many organizations learned this and we had this, this notebook shortage for the first time for years. So everyone said, oh, notebooks, this, this is a dying business. And even desktop even more.
And, and then, so, so it's interesting. The design of a, a friend of mine is selling notebooks for, for one of the large providers of notebooks. And he had best for right after the start of the pandemic and, and my wife working at a governmental agency in Germany for the first, I think, five or six months of the pandemic, she had to use her private Microsoft Surface until the state of Baden-Württemberg was able to deliver a notebook to her. And it took another three months for delivering a working notebook, but that's a different story.
So, so we need to be aware of there, there will be different devices. We need to understand devices. We need to understand the risk of these devices. And we need to, to work with that and, and understand what we can allow, what we can't allow depending on, on the device, depending on, on everything, the identity, the context, all these things at the end impact our decisions. And we need to, to be get better in, in using this signals, et cetera. What is the third thing to make work from anywhere more secure?
And that's something which is true for everything in IT: patch. Have it as used standard, ensure that these patches work, that they are deployed, that they're applied, ideally understand also whether device someone is using to access your network is in a good state. Because if not, this might be the point where the attacker comes in, where the malware spreads from and given work from anywhere also means working from more sort of lesser controlled, potentially lesser, secure locations, over lesser secure networks where you don't have a CRI on.
It means we, we need to do everything to, to at least ensure that we are on the latest stage. And we know that even that latest stage is, is never enough because a zero day attack factually means the zero day. What says it, it says this becomes known or, or attack start when it becomes known, but attacks might have started. And sometimes we I've saw, we have seen this. Sometimes the attack started years ahead before somebody detected, oh, we have a problem here. And then it takes still a while until the patch is there. So it is always gap, but patching is important.
And I'm definitely, so there are special considerations when you go to OT and a few other environments, but when I take the standard endpoint or work from anywhere, world, then patching is a key and you might argue, oh, there's this risk that the patch then blocks my system stops it from working. And this is even more complicated to handle when, when we have to work from anywhere scenario. Yes. But how frequently has this happened in the last few years? Okay.
Well, 15 years ago, it happened a little bit more frequently that whatever this Microsoft patch or that auto patch led to problems during the patch process, but it's not the norm anymore. It's not the normal. And by the way, it's, and when, when we just balance the risk, when we look at this realistically, then that risk is really way lower than it has been while the risk of being successfully attacked by not being on the newest patch status has massively increased. So this is a, from my perspective, it's really a no-brainer.
This idea of saying, oh, we test all the patches 30 days, whether they run well before we roll them out, this is the past. You can't do that anymore. You're taking a huge risk for little benefit, if at all.
So I'm, I'm very clear on that. I don't like this idea anymore, and we need just to automate patching, to pass these things through. And I think the good thing is we also get better and better at doing so, so, so more and more patches just come in. We not even need to restart our office applications anymore or stuff like that. Things are getting better here. So yes. And then if you, once a week after Patch Tuesday, restart our Windows system. Why not? What else do we need?
Oh, it's not only it's humans. We need to train humans because at the end, they are the entry point for phishing attacks of whichever type they are. The humans are a, a weak, if not the weakest link we have in security, and this is not specific to work from home or work from anywhere. This is specific to everything in security, but clearly the, sometimes the, the way it's longer, if you are working somewhere to get an answer on, on, should I do that or not?
When you're sitting alone in your home office, it's different than when you're sitting in the office with five colleagues and can ask someone, Hey, what do you think? And even if the other one is not, or is not expert, it still is adding another layer. This is harder to do it's work from anywhere. It's even more important that people understand when should they be alerted and better ask, which also means you need to have an infrastructure where, where they can ask.
So who, who, who should they ask? Getting a quick response on that?
Oh, no, never click that link. But the good thing is I think this can be done re really easily. The training is not really heavy lifting. Like the picture might indicate it is relatively little, which helps everyone is doing a better job or having a more security in the personal life. Because understanding what to look at when you get mail, what are the strange things, make a mouse over, over link. Don't click the link, make a mouse over. And if this looks very different, because URL is hinting to a totally different domain, or then be scared, things like that can, you can explain.
It helps them in their personal life and everyday life. So that is from my perspective, one of the always important things: train people. So we had authentication identity. We had devices, device management, as far as we can understanding device health status and keeping the device healthy by patching. We had the users and last not least data at the end of the day. And I think this is something we, we always should be aware of in security. We haven't thought enough about data.
In the past years, we try to protect data, which usually the ground tools are more on the data side, but we tried to protect data by protecting the network and the device. So it is something where we don't start with what we really want to do data security. But when we work from anywhere, then data is also traveling. If the user is traveling so to speak, then data is, is traveling more it's at the cloud or from the on-prem system to the device. And we need to protect data better.
We need to think about how we can first understand what we have to make it secure, ideally at rest, in transit and in use across everything. So confidential computing is a, is a big theme, which goes well beyond that. But when we look at devices and it means, yes, we need to protect data on the device. We need to have not only a secure system, maybe with an encrypted hard disk, we should encrypt the data itself.
Again, also the file. Better we do it than the ransomware attacker. And we should also have access controls at the data level, not just at a system level, because this is always indirect. If you say you're allowed to access the system with what, and then you use the system to do something with the data, it's an indirect approach. So my perspective is we should add this perspective, way more into everything we do. We need to extend our security.
And there, there are many more things, but at the end building also training is very important because it also helps you to, you know, to, to sort of leverage the good human sense and the vast majority of people have a good human sense in the vast majority of situations. And they have it also when it comes to using their devices, the data of your organization, if you guide them, if you explain it. So at the end, it is, these are the five areas I see where I would start when it comes to making work from everywhere, more secure. Thank you.