P2P

Spring2021

Peer to Peer: ILTA's Quarterly Magazine

Issue link: https://epubs.iltanet.org/i/1356436

Contents of this Issue

Navigation

Page 31 of 94

32 P E E R T O P E E R : I L T A ' S Q U A R T E R L Y M A G A Z I N E | S P R I N G 2 0 2 1 suffer, it is even improved. This realization may create long-sought-after flexibilities. It may be that for the legal industry, the future will look like a hybrid model that accommodates WFH while requiring some on-site presence as well. For example, now that WFH has proven efficacy, more flexibility and consequently more support for employees with small children may be in the offing. Work-life balance will surely improve as a result as well as the tensions between personal needs and work are, if not resolved, ameliorated: a sick child or unplanned school closing no longer forcing a choice between missing work and staying home to look after family. Certainly this would be a welcome new normal. But the benefits come at a price. The Attack Service Now Includes Starbucks This transition carries with it an unprecedented security burden. Put simply, the security risks absent perimeter-based defenses in a WFH ecosystem come with numerous challenges: • The need to comprehend and master data security in the cloud – whether public, private or hybrid. • The risk to corporate assets through infection from personal devices including IoT devices – is Alexa listening? –shared among family members or roommates, home Wi-Fi and router vulnerabilities and absence of firewalls. • Remotely scanning for vulnerabilities and managing patch cycles, particularly in light of bandwidth constraints outside the LAN. • Managing the risk of at-home "shadow IT." • Enforcing clean desk policies – particularly important for employees with roommates or using Starbucks and other working hangouts. • The increased risk of malware and ransomware attacks. Here the author predicts a rise in "spray-and-pray" attacks through ransomware as a service. • The need for new and enhanced end-user vigilance and training: particularly with regard to social engineering phishing attacks. This is not an exhaustive list. Many organizations lack the resources to effectuate the needed security protocols as quickly and robustly as these emergent risks demand. Still other lack the requisite know-how. It is, after all, a new security environment. As the April 2020 CrowdStrike report Securing Today's Distributed Workforce noted during the initial transition to WFH: "As organizations move their workforce outside of physical offices, their attack surface grows exponentially. They may need to rapidly provision fleets of new endpoints, such as laptops and mobile devices, and spin up new cloud workloads, while ensuring that every workload everywhere is protected with real-time security, even when the user is offline." (Emphasis added.) Of course, if you opt to have employees use their personal devices at home, organizations will need to establish the same security posture as that on company-owned devices. This may raise data privacy issues for those with employees subject to the EU's General Data Protection Regulation and other privacy guidelines. With many, these moves were made well ahead of the ability to instantiate the appropriate security posture (more to-dos on the IT department's list of priorities). Perhaps the first indication of this was the pervasiveness of trolls infiltrating Zoom meetings, aka Zoombombing. Security in the Cloud Is Different Cloud platforms like Amazon AWS, Microsoft Azure and Google GCP provide significant flexibility with regard to security. Importantly, cloud providers retain responsibility only for the security of the platform. The data an organization moves to that platform and its workflows are the client's responsibility. Cloud security is a "shared responsibility model," and the organization can opt for as much or as little security as it wants. How cloud infrastructure is monitored is different as well. Different tools are used, and different expertise is required, including understanding how the various platforms enable security. In short, how security is properly configured in the cloud is not the same as how it is configured on corporate-owned assets and also varies depending on the cloud platform chosen. Of course, an organization may put data assets across multiple cloud providers and use public, private or hybrid instantiations. F E A T U R E S

Articles in this issue

Links on this page

Archives of this issue

view archives of P2P - Spring2021