Remote Risk - the three axes of exposure
by Tyler Rohrer on May 11, 2023
We talk a great deal about security these days, and for good reason. Never before have our lives, our work, and our devices been more digital, and the threats to them so great. These devices are now plugged in and turned on across the four corners of the globe as new mobile, remote, and hybrid work styles continue to gain momentum.
Like the brakes on a car - we can trust that the security and risk mitigation measures put in place for us by our company and diligent IT Pros are working, up to date, and on guard - capable of stopping when needed. No matter how resilient the measures and defenses we have or take, we still have an obligation to operate "safely", within the "limits" of acceptable use. We can trust and rely on the brakes, but not assume they can bail us out of all our errors. If we drive too quickly, erratically, or on the wrong roads - no brakes will help, and we should not be surprised if accidents and damage result.
With that reality we have at the very least a responsibility to be aware of the locations, devices, and behavior we engage in that may put us, or the companies we work for, at risk. This is no easy task. In fact, if we were to make a list of the attributes of each of the domains of focus - the lists would be both lengthy and complex. Not only are they difficult to list while we focus on the primary tasks of delivering on the requirements of our jobs - but they are also ever changing.
The dynamic nature of the modern workplace, coupled with the enhanced risk landscape, compels us to explore solutions beyond the wonderful point solutions we have today for VPN, Anti-Virus, Anti-Malware, Encryption, etc. If we could collect, organize, and analyze any and all of the data available across those solutions - the three axes to focus on, that really count, would be Location (set & setting), Device (type & configuration), then Behavior (intent & accidental).
Let's start with location. Today, more than any time before, the workforce is mobile, remote, and hybrid. Work is an activity, a deliverable, a product - not a place. However, the notion of being unconnected is simply not a reality. We not only demand fast, consistent connectivity - we require it. The good news is there are networks and connectivity options everywhere. Many, however, are outside of your control, management, or concern, and vice versa. Security risks abound and change based on where you are.
This is the case not only from a networking standpoint - but there are also clearly hot and cold spots of dangerous locations based on density, presence of bad actors, availability of public services like airports or city buildings. If we think about how many different places, networks, and settings we work from in the course of a week, a month, or a year - we can see that as our locations and workflows change - so do the risks. Some locations make us out of reach for large downloads or high fidelity Zoom meetings. Other locations are public, exposing a ton about our digital identities. Let's keep track of those risks. Let's monitor, organize, measure, and calculate what these locations mean to our companies. Do they increase or decrease the risk our users face, and/or pose a challenge to productivity? What can we accept, what can we ignore, what can we control?
Next, we need to consider ALL of our devices. While the primary market share dominance in the enterprise goes to Microsoft Windows, there are an almost innumerable number of configurations, versions, and models deployed across our 600 million + users. We buy, install, upgrade, secure, and patch applications to help our users do the jobs we pay them to do. There are so many ways to deliver these applications - each with its own security implications. From VDI to DaaS to Browser and SaaS delivered workspaces and applications - we have a wide array of tools in our toolbox.
If we begin to look at the variety, volume, and velocity of applications present on these devices we very quickly see an extremely difficult landscape to keep track of, let alone manage and secure. We have antivirus, anti-malware, patch, update, and security settings and policies we deploy to begin to tame the chaos. Have we gotten to SCALE to work for us yet, or are we still chasing the sprawl?
Rules are meant to be broken as they say - and nowhere is this more apparent than with today's "rogue IT" - the practice of end users finding "solutions" with Google and Reddit and self-installing software. While we want to encourage tools that enhance productivity, we simply cannot allow this if it puts the user or the company at risk. Perhaps instead of static rules that we "hope" end users follow - we use near real time risk measurements of the devices, configurations, settings, resources, applications, versions, patches, etc. as they change day to day - and pivot our rules to do the same.
Logically it would follow that given the changing locations and a myriad of complex device choices and configurations, a final and perhaps most mysterious axis is that of user behavior. While end users create and consume content to produce the goods and services for our organizations, how they do so varies wildly. Not only do we have different users, with different use cases, on different days, in different seasons - we also have variability in each user. The days of consistent 9 to 5 cubicle based production are less frequent these days.
Users have a wide range of understanding when it comes to the risk and security aspects of computing as well. Many "drive the car too fast" or ignore icy road conditions. Some will attend trainings, score high on applied practice tests, while others may not. With our team members under greater and greater threat from bad actors and with more sophisticated exploits and risks every day - there is no ideal way to fully manage behavior or count on our users as being our front-line security defense. Perhaps it is better to anticipate gaps with systems that can react, versus static rules.
An unfortunate aspect of user behavior is also the potential for accidental or even malicious activity. While we never want to stifle productivity by being too invasive or intrusive, we can monitor, measure, and therefore manage risk as we see it present.
With a stream of live information from each and every user, device, and location - we are well armed to begin to calculate our current risk posture. Every user, in every company, in every location, every day will encounter different risks. While some will be self-inflicted, many will not. It is a rough world out there. And let's face it - some risk is acceptable, in certain contexts, sometimes, while other risk simply is not. We want our systems to excel in this reality of change vs. an assumption of static threats.
Remotely is doing just this. We are building a platform to collect, organize, and analyze all of this data using advanced mathematics (algorithms) to present you with a Security Risk Index (SRI™). Every user has one. Every group has an aggregate SRI, as does every location, company, etc. A Security Risk Index is just like a credit score. As your locations, behavior, devices, applications, and usage change - so too does your score. Now companies have a way to see the live risk landscape they face - so the task of prioritizing, hardening, and defending your users is manageable.
We envision a future where real time risks and realities are met with aware systems - up to date minute by minute on the changes in your users' locations, devices, and behavior. We want to make SRI™ available to trigger other systems you have made investments in. The ability to orchestrate actions based on observed risk is a pretty big deal, and we are truly excited to be bringing it to you.
Stay tuned as we begin to work with early partners and customers; we are going to have a number of services available to the market at no charge.
Until then, stay safe & keep your shields up.
J.Tyler "T.Rex" Rohrer