At Tehama, we’ve been talking since Day One about the dangers of connecting remote workers through VPNs. Last week, the U.S. Department of Homeland Security echoed our warnings, announcing that VPN apps from four different vendors were improperly storing authentication tokens and session cookies on users’ computers. If stolen, those tokens would give attackers the same access as the legitimate user to a company’s apps, systems and data.
The story is alarming. But, of course, it’s not surprising. The continuing use of VPNs reveals an approach to supply-chain security that doesn’t take into account the threats inherent to a gig workforce. Today, thanks to remote workers, crowdsourcing and global freelancers, the corporate circle of trust has expanded to include more people and devices than any enterprise can realistically hope to oversee. Compliance is impossible to enforce. And the internet that connects all these entities doesn’t scrutinize their trustworthiness. In fact, it’s kind of like the office elevator. It has no opinion about whether its passengers are good or bad; it will happily bring any one of them to your place of business.
I had a chance to talk about these issues last week during a webinar hosted by Douglas Brown of IGEL Community. A lot of our conversation focused on the fact that the extended enterprise often doesn’t recognize itself as such, at least not in terms of its vulnerability to attack. This means that the typical security framework can’t tick off all the boxes necessary for protecting its data. (If you’re wondering how well your own business is covered, you can download my worksheet here.)
Consider, for example, the remote worker who travels with his laptop or has one shipped to him. Apart from the delays in getting this person set up and onboarded, the company now has to deal with a security risk. This remote worker might be loyal and compliant, but that doesn’t guarantee the security of the data in his possession. When he logs on to the public Wi-Fi at the airport, you have no way of controlling the bad actor who might be helping himself to your company’s data.
Tehama provides real answers for the security of the extended enterprise. Tehama is a secure, SOC 2 Type II, SaaS solution that provides clean end-user compute white rooms. With Tehama, all activity is recorded, and all access is controlled from a dashboard with a zero-trust default.
As I write this, it seems the corporate world is finally getting the message about data security, and it’s demanding greater accountability from those in its circle of trust. Last week’s webinar included a good overview of that new accountability from John Cho, the COO of cleverDome, a platform that provides an ultra-secure alternative to the vulnerability of the internet. During our talk, John stressed that merely attesting to your level of cybersecurity is no longer enough. Today, there is an increasing demand for actual evidence of compliance.
For John and cleverDome, Tehama provides that evidence. “Tehama allows us to gain traceability in the insurance game. For risk, it’s all about traceability...Tehama allows us to gain traceability down to the individual developer using that secure room...We can now bring on more third-party developers and make them carry their own form of insurance, and that insurance has to do with potential breaches related to their activities, thus mitigating our insurance requirements or lowering our insurance premiums.” That possibility of lower insurance premiums is more than theoretical. According to John, “about 1,400 advisors have received lower rates on their insurance based on how we’ve structured the use of Tehama Rooms in combination with cleverDome.”
John warns of the risk to players who can’t offer evidence-based compliance: “Before 2019, the financial services sector had a lot of bark and no bite, and this year, it’s the other way around...We’ve had firms already close based on fines based on access-management issues...and with this evidence-based compliance posture you must have today, the Tehama Room, combined with the IGEL products for endpoint management, is a fantastic solution to show the evidence...We’re a huge fan of it. We believe this is the future.”