Five ways to secure identities and protect assets in the gig economy

Long
gone are the days of giving gold watches to 40-year career employees. For enterprises
across industries, the
gig economy is increasing. And while it provides businesses and employees
opportunity and flexibility, when it comes to protecting data and other
sensitive information, the gig economy can bring major security challenges.  

“Gig
economy” is a relatively new term, but it’s hardly a workplace anomaly. While
employers have historically needed to rely on short-term work by freelancers,
independent contractors and temporary employees, the term has recently become
synonymous with ride-share drivers and food couriers. More and more, the gig
economy applies to more conventional jobs such as software programmers, multimedia
production specialists and even CPAs.

The rise of ‘gig economy’

According to Gallup’s The Gig Economy and Alternative Work Arrangements, 36 percent of U.S. workers reported doing gig work in 2018. For them, the major benefits are autonomy and acquiring new skills. Employers also benefit in many ways, but there’s a significant issue to address: How to intelligently provide gig workers with secure and easy access to the systems and resources they need while restricting access to areas where they do not need thereby limiting attack surface area.

The
reality is that old, complex identity and access management (IAM) frameworks
and strategies, such as two-factor authentication, have become inefficient to safeguard
employees and businesses against today’s threat landscape.

Plus,
those operating in “alternative work arrangements” are using their personal
accounts – often from unsecure locations with public Wi-Fi connections in
cafes, airports and communal work spaces –
and they probably have more than one “gig,” too. New industry and government
regulations have rendered legacy solutions inadequate, particularly with regard
to the GDPR. The Dickinson Wright PLLC law
group explains how tricky it is for human resources departments to comply.

The
bottom line is, today’s workforce
changes too rapidly for existing IAM implementations, which can’t just be tweaked to keep track of who should
have access to what. Organizations need to account for orders-of-magnitude
increases in abandoned and orphaned accounts while efficiently and effectively
managing access to their data and systems.

Providing the right access at the right time

Here
are five strategies to ensure that temporary gig workers have just the right
amount of access to do their jobs while you simultaneously protect your most
valuable assets and still comply with ever-changing regulations:

1. Ensure that your admins
have clear visibility into what every worker – full-time or temporary – has
access to.

Generally
speaking, users should be granted the least-entitled privilege related to their
roles. For example, sales reps should not have access to executive agendas. Human resources personnel shouldn’t have
access to internal marketing data. Issues arise when
positions change but the privilege doesn’t, which results in too much access.
The problem here is that access reviews are generally time-consuming and
tedious. Fortunately, contemporary IAM solutions include role-based access
controls to mitigate the risk.

2. Employ adaptive authentication.

The
vast majority of security experts – including The National Institute of
Standards and Technology (NIST) – agree that two-factor authentication (2FA) is now easily
circumvented by attackers. Just look at the last year’s rash of attacks bypassing 2FA, including those discovered by Amnesty
International that targeted Google and Yahoo accounts.
Adaptive authentication performs invisible risk analysis checks to confidently
determine the legitimacy of each login attempt. For instance, device
recognition, IP reputation, geolocation and behavior analytics.

3. Enforce recertifications for privileged assets.

The
most effective way to ensure that only the right people have the right access
to the right assets at the right time is to continually set and reset
privileged-access parameters. This can be accomplished by looking at a wide
variety of risk factors to check every user’s identity, such as the way they
type, the time of day, their IP address and if their location changes (e.g., if
someone logged in from California at 11:15 a.m. and then from Nebraska at 11:45
a.m., something might be awry). 

4. Vigilantly monitor and
close orphaned accounts.

Leaving
accounts open without deprovisioning them after a contractor’s work concludes
is like giving a handyman the keys to your house and never taking them back.
Essentially, you’re inviting an invasion/attack. Regularly conduct audits of
user accounts to ensure that orphaned accounts are properly shut down and
access to your systems is deactivated.

5. Check, check and check
some more.

While
you don’t want to require your gig employees to constantly re-enter their credentials,
one-time access isn’t enough to ensure they have the right type of access. By
configuring your IAM system to intelligently and repeatedly verify the worker’s
identity, you can both ensure secure access while adjusting authentication
parameters only when they’re truly needed.

New ways of working mean a new IAM paradigm

The
new-wave gig economy provides both workers and employers with greater
flexibility, convenience and capabilities neither would have known or
experienced otherwise. It also comes with significant risks and concerns
regarding how to protect an organization’s most valuable assets. By following
the above strategies and by making IAM
truly integrated with their security postures,
companies will be better able to operate and thrive in a world where old ways of doing
things vanish, and better ones emerge.

Comments are closed.