Remote Work in 2021: Security Leaders Reveal Their Top App Integration Strategies for Strengthening IAM

Work from home is here to stay. With the WFH workforce expected to double in 2021, executives are increasing their efforts into building secure, productive remote employee experiences. Optimizing this growing model begins with ensuring strict identity verification and centralized authentication, made possible by tightening integration strategies around work-from-home applications to create frictionless and secure user experiences.

To provide understanding into what major organizations are planning, we interviewed Chief Information Security Officers from six large enterprise companies across several industries on their top app integrations plans for 2021. Here’s a summary of their insights, along with a look at key security initiatives they are focusing on for the new year.

Overwhelmingly, the CISOs surveyed cited “remote workforce” as the top priority in the coming months. Not only are enterprises seeing a massive shift to remote work, but they are also bringing on a large number of vendors and contractors who are remote. One executive from the manufacturing industry summed it up thus: 

“Remote Workforce is the clear winner given the times we’re in. COVID-19 has certainly accelerated initiatives around digital transformation, remote workforce support and digital strategies to allow work from various devices. The state of the workforce in general has been moving more remote already, given new generations of employees expecting more flexibility from a location and device perspective. We have to make sure as a security industry we are adapting to this shift, and providing mobility strategies to support a remote model.”

This is not to say Zero Trust and passwordless are being ignored; both are key security strategies that continue to take priority with this group. In a WFH world, the CISOs generally agree that Zero Trust capabilities are needed to manage hundreds of enterprise applications. One mentioned that continuing to adopt strategies around Zero Trust is important for employee retention as the remote workforce becomes natural, inherent and expected.

Access friction was mentioned several times as a large issue. While one CISO from the financial services industry said removing passwords as a point of friction and risk is a desired end state, they pointed out that to be truly frictionless—i.e., passwordless—you need a true authentication platform, which helps enable a company to take a user-centric view on security and align that view to the assets they are trying to protect.

As one healthcare executive put it,

“We have been moving down the remote work path, but COVID greatly accelerated our journey to the point where we believe, long-term, remote work is our future state. Due to this, we consider Zero Trust and Passwordless to be part of the remote workforce. So Remote Workforce would be the umbrella with Zero Trust and Passwordless being two high-priority improvements for our remote workforce.”

Lastly, one CISO in insurance described the main cybersecurity initiatives their enterprise will continue to focus on:

1. Cloud Security. Properly protecting and managing environments as more IT capabilities move to the cloud.
2. IAM. Evolving the managed trust model (right person, right access, right time) and putting an emphasis on digital identity lifecycle, which is considered a cornerstone of a robust and resilient program.
3. Application Security. Protecting applications from vulnerability exploitation by threat actors.
4. Insider Threat. Enhancing capabilities to detect and prevent insider threats.
5. Vulnerability Management. Ensuring consistent identification, prioritization and remediation of vulnerabilities.

Large enterprises face complex remote work challenges in 2021 because of their workforce size and extensive application portfolio. When a company has several hundred SaaS apps, as one education executive pointed out, the challenge is to get those identified and onboarded into single sign-on. The CISO went on to say that a lot of shadow IT has come out of the woodwork, and authentication is needed to leverage cloud-native platforms.

Another CISO noted that with over 2,500 employees, the trail of business apps they use is very long. But when asked about the most important business applications they’re looking to secure API integrations with their IAM platform, the respondents frequently named these top applications:

• Salesforce 
• ServiceNow
• Workday
• Office 365
• Netsuite 
• Jira

Others include Google (GCP), OracleERP, EPIC, PACS software, Azure DevOps, ProofPoint/ObserveIT, Tenable, RSAM software and PeopleSoft, among others.

Integration challenges mentioned run the gamut, from pre- to post-integration issues and everything in between. Within pre-integration, one CISO from a TV and Internet enterprise said the most common challenge is getting adoption and licensing to line up. They described it as “a bit of a chicken and egg scenario. People aren’t likely to commit to adopting it if the licensing isn’t already available. Meanwhile, we are inclined to avoid the trouble and cost of getting the licensing without firm commitments.”

Another executive mentioned that increasing the maturity of the information security practice is a significant corporate challenge. They brought up difficulties in having the right governance in place to know where to look, because integrations are being built that they don’t have immediate awareness of. They are looking for a standardized way to manage the governance of these integrations.

When it comes to out-of-the-box integrations, a CISO from a consulting background said that was very important, as they believe in ecosystems and in seamless integration:

“It reduces the cost to maintain security and increases the speed at which we can become more secure. Other important out-of-the-box components include the vendor selection process. What is in the vendor’s out-of-the-box connectors? There will be requirements to get in the door. The deal breaker will be if I have to spend time and resources on building an integration.”

Another exec mentioned they’d like to see more of the ability for app owners to self-service:

“Utilizing pre-built integrations to apps would enable employees to manage much of the configuration themselves, reducing the workload of the CISO team in coordinating with the vendors for metadata files, etc. In regards to standards-based integration, if there was a way that app owners could do 90% of the configuration through pre-built integrations, we [the CISO office] could function as more of a support provider than a service provider.”

We saw above that business applications are expected to play a large role in the 2021 roadmap, as evidenced by the importance the executives placed on integrating them with their IAM platform. Several CISOs elaborated to say they planned to use cloud productivity suites as a replacement for desktop applications—including mail, calendar, chat, video conferencing, file sharing, Intranet sites, presentations, docs and spreadsheets—as well as expanding their use of cloud CRM.

One executive went on to discuss the importance of single sign-on in the coming months:

“We actually finished a large initiative integrating our enterprise applications and migrating them onto SSO this year. The main use case was achieving an easier level of compliance. From a SOC’s perspective, the more we can do to automate the deactivation process, the more it sets us up for success. Now that most enterprise applications are integrated, we are extending out to the longtail of our applications. For example, we are now focusing on customer and niche applications that have a smaller audience, but are still critical in various functions of our business.”

As you consider how to secure work from home for your organization, we invite you to check out Ping’s Integration Directory of over 1,500 applications.