Digital trust has always been a fundamental aspect of connected computing. People need to be able to trust the technologies that they’re working with and systems have to be able to trust each other to safely interoperate, says Jason Sabin, CTO, DigiCert.
As networked computing has become an ever bigger part of our lives and work, digital trust’s importance has grown in kind. In only the last few years, there has been one development which has made digital trust a more important factor than ever: Remote work.
How we all became remote workers
Remote work has been slowly gaining momentum for a long time. Technologies like Virtual Private Networks (VPN), Wi-Fi and video telephony have allowed people to work remotely for many years. As those technologies have become more widespread, remote work has grown in kind: according to Global Workplace Analytics, it has grown by 159% since 2009.
When the pandemic hit, remote work went from a progressive feature to a survival necessity for many businesses. Government-ordered lockdowns forced workforces to leave offices and shelter from Covid-19 in their own homes, and businesses struggled to maintain continuity.
Many businesses struggled during that time, but one of the main differences between those that survived and those that didn’t was the ability to enable remote work between employers and their locked-down workforce. According to one survey, from Gartner, 88% of companies all over the world had encouraged their employees to work from home by March 2020.
The advent of mass remote work came not as a workplace benefit, but as a means of survival. VPNs quickly became a tool of fundamental importance to these bootstrapped operations, helping to police secure connections between remote workers and their erstwhile workplaces. Companies migrated to the cloud en masse, as workers needed to share the same resources on a location-agnostic basis and could no longer rely on on-prem applications and services. Communications software such as email and teleconferencing underpinned it all, replacing the in-person interactions that would have otherwise occurred in the office.
Remote work post-pandemic
But while the pandemic has receded, remote work has endured. It’s popular amongst employees who value the greater freedom a hybrid model brings, and employers enjoy lower costs, greater flexibility and a more relaxed, satisfied workforce.
Some companies have made it clear that their employees never need to come into the office again if they don’t want to. Many other organisations have made similar moves and rolled out hybrid working practices that allow employees to choose to work remotely for part of the week. One 2021 report from McKinsey found that 52% of employees preferred a hybrid model for working, in which part of the week was spent in the office, and another part remotely.
It’s now a growing reality of modern business. Nearly three quarters (74%) of professionals predict that remote work will become a standard working practice going forward. According to a report from Upwork, nearly a quarter of American citizens will work remotely by 2025. That represents an increase of 87% from pre-pandemic levels.
Given that remote work is no longer merely an emergency measure or fringe benefit, digital trust has never been as sensitive or as important. Without the face-to-face contact of the office or the security perimeter of the traditional enterprise network, remote work relies on digital connections, and on the trust within them, between organisations, workers and the technologies they rely upon. Those connections, and that trust, can be a critical vector for exploitation.
Cybercriminals understand this well. As mass remote work was rolled out during the pandemic, attackers targeted the very digital trust that made business continuity possible. Phishing attacks skyrocketed as hackers tried to exploit the digital trust of email and messaging technologies. Between February and March 2020, phishing attempts rose by 600%. VPNs and Remote Desktop Protocol (RDP) technologies were also regularly attacked as hackers attempted to cripple the digitally trusted technologies that kept remote work secure.
Identity is a crucial part of trust. This is observably true in the office, where we know and trust our co-workers while they’re physically working in the same space. Interactions can take place in person with the understanding that the people we are talking to are the people they say they are. The same is true of the technologies and data we use, which are ring-fenced inside a secure perimeter that endows trust by policing entry to and exit from the office network.
Remote work brings about a fundamentally different arrangement. Workers are suddenly dispersed and interact digitally. Similarly, the technologies and data being used are no longer confined within an office perimeter but connect corporate networks with potentially insecure home and public networks.
Without those perimetered, in-person interactions, digital identity becomes a crucial part of preserving digital trust.
It’s from a basis of digital identity that we can endow remote work with the digital trust that it so needs. Public Key Infrastructures (PKIs) offer a way to do that by using digital certificates to tie cryptographic public-private key pairs to individual identities.
PKIs enable organisations to assign identities to people, systems and things by connecting them to a certificate. Those certificates can be centrally issued, managed and revoked through the PKI, should threats arise. In doing so, the PKI can ensure that software is safe to use, that data hasn’t been tampered with, and that people and technologies are who they claim to be.
VPNs are a key provider of trust for remote work connections to office networks. As a result, they’re a prime target for many threat actors. The common means of login for those VPNs is a simple username/password combination. However, using digital certificates to supplement authentication to those VPNs provides both greater security and accessibility as well as the ability to centrally manage those certificates and revoke them if a threat is detected. The same is true for Multi-Factor Authentication (MFA), which can be enabled with digital certificates to authenticate device identities.
PKIs with digital certificates are also a valuable means of reinforcing trust in email, which continues to be a baseline method for business communication and, as a result, a prime vector for attack. Technologies like S/MIME can tie digital certificates to individual messages, digitally signing and encrypting them and thus ensuring that the content of that email has not been tampered with in transit. DMARC with Verified Mark Certificates (VMC), on the other hand, can ensure that only authorised parties can send emails from a corporate domain, thus preventing attackers from spoofing corporate email addresses and carrying out phishing attacks.
PKIs with digital certificates can also be used to endow trust into document signing. The handwritten signature is the age-old authenticative asset. However, in our remote reality, the same kind of trust can be attained by using digital signatures, which use certificates to authenticate the identities of the parties involved in the transaction.
Digital trust isn’t just necessary for remote work. It’s crucial for the rapidly innovating digital world. As more and more interactions move online, digital trust is the thing that allows us to trust the actors and technologies that we engage with on a day-to-day basis. That includes the websites that we visit, the online identities which we use and interact with, and the very technologies that are transforming the world around us. Remote work is just one of them.
The author is Jason Sabin, CTO, DigiCert.