The meteoric shift in the need for tools that can support remote work has had a significant impact on the way enterprises prioritize and strategize. While data protection has always been a non-negotiable, it has experienced a resurgence as the reality of remote work settles in and digital transformation initiatives appear to be accelerating by months or even years. Now, enterprise leaders and system admins alike are faced with a challenge: is our data security strategy keeping pace with an increasingly remote workforce?
Data protection in a post-pandemic world
One of the primary concerns to emerge once remote work became an overnight standard was the challenge that enterprises would face with data governance, or safeguarding personally identifiable information (PII) for customers and teams as systems and processes were thrust into uncharted waters.
There was suddenly the need for novel data processing activities at global scale and corresponding measures that needed to be put in place to ensure that applications adhered to a certain standard of security. The biggest challenge came in how quickly this all unfurled; privacy impact assessments and data protection impact assessments needed to be carried out under significant time pressure. On top of all this, organizations lacked guidance and clarification on how to interpret existing legislation in the crisis environment, and the Schrems II ruling made the waters even murkier. All of a sudden, it became very difficult to comply with GDPR if any data at all was being transferred outside the confines of the EU. And unprecedented levels of remote work made the Schrems II implications all the more complex. What was clear is that the pandemic sparked foundational changes to the way enterprises approach their data protection strategy and processes.
The most notable area of impact pertaining to enterprise software and Atlassian products is device management, since many newly minted remote employees would be working from their personal devices, along with a renewed focus on mobile device and mobile app security.
What to know about Schrems II
In the Schrems II ruling, the Court of Justice of the European Union (CJEU) declared that the EU-US personal data transfer framework, Privacy Shield, was no longer lawful. The ruling had an obvious impact on EU-US personal data transfers, and organizations that previously leveraged this mechanism now have to find alternative data transfer measures.
Combatting cyber attacks with enterprise user provisioning
Even pre-pandemic, cyber attacks evolved just as quickly as the measures designed to prevent them, and the surge of remote employees created even more opportunities to take advantage of new vulnerabilities. Inherently, mobility became a need for a globally dispersed workplace and caused the network perimeter held by enterprise organizations to expand significantly. Roughly 80% of organizations across the world experienced phishing attacks against their remote workforce in 2020. One method to consistently combat this at enterprise scale is thorough attention to validating the devices being used to access the network: user provisioning.
User provisioning reduces the manual work involved with granting employees application access when they join the company or move to a new team, and automated deprovisioning reduces the risk of information breaches by removing access for those who leave the company (or a given team). And since user accounts are automatically removed when people leave the company or a group, costs are more tightly controlled.
How user provisioning works
When a new employee joins the company, perhaps the engineering team, the IT admin typically needs to give this new employee access to at least 10 different apps that engineers typically use to do their jobs. With user provisioning set up, the admin just needs to add the employee to the engineering group once, and all the apps they need will be automatically provisioned for that user. If the engineer leaves the company, the admin just needs to make one change in their user directory, and access is revoked.
If an employee switches teams – say, from engineering to product – they might need access to a slightly different toolset. All the admin needs to do is make one change in their user directory group settings, and access is revoked to the tools they no longer need and granted to the new ones.
This ultimately allows admins to have maximum visibility across all endpoints that are being used to interact with sensitive data, and makes it much easier at enterprise scale to ensure that data is being protected.
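The joiner, mover and leaver cases described above can be expressed as one reconciliation between directory groups and the access that currently exists. The following Python sketch is an added example, not Atlassian code; the group names, app names and users are constructed for illustration.

```python
# Added illustration: all group, app and user names are constructed.
GROUP_APPS = {
    "engineering": {"source-control", "ci", "issue-tracker", "wiki"},
    "product": {"roadmap", "issue-tracker", "wiki"},
}

def entitled_apps(groups):
    """Union of apps granted by every directory group the user belongs to."""
    apps = set()
    for g in groups:
        apps |= GROUP_APPS.get(g, set())  # an unknown group grants nothing
    return apps

def plan_changes(directory, current_access):
    """Compare directory-derived entitlements with the access that exists.
    directory:      {user: set of groups}; a missing user has left the company
    current_access: {user: set of apps the user can reach today}
    Returns {user: {"grant": [...], "revoke": [...]}} for users needing change.
    """
    plan = {}
    for user in sorted(set(directory) | set(current_access)):
        want = entitled_apps(directory.get(user, set()))
        have = current_access.get(user, set())
        grant, revoke = sorted(want - have), sorted(have - want)
        if grant or revoke:
            plan[user] = {"grant": grant, "revoke": revoke}
    return plan

def apply_plan(current_access, plan):
    """Return the access state after applying a plan (input is not mutated)."""
    new = {u: set(a) for u, a in current_access.items()}
    for user, change in plan.items():
        apps = (new.get(user, set()) | set(change["grant"])) - set(change["revoke"])
        if apps:
            new[user] = apps
        else:
            new.pop(user, None)  # fully deprovisioned account
    return new

# Constructed scenario: ana moved engineering -> product, bo has left,
# cy is a new engineer who has no access yet.
DIRECTORY = {"ana": {"product"}, "cy": {"engineering"}}
ACCESS = {
    "ana": {"source-control", "ci", "issue-tracker", "wiki"},
    "bo": {"source-control", "ci", "issue-tracker", "wiki"},
}
if __name__ == "__main__":
    print(plan_changes(DIRECTORY, ACCESS))
```

Because entitlements are the union across groups, a team move keeps tools that both teams share and revokes only what no remaining group grants. Accounts with access but no directory entry surface as revoke-only entries.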
Upping the ante on mobile device management
As mentioned before, mobile device and mobile app security have been equal beneficiaries of enterprise focus when it comes to data security and protection. We see this in three areas:
- Increased risk of data leaks: The pandemic has led to a significant rise in flexible work-from-home arrangements and use of bring-your-own-device (BYOD), which has led to an increase in access points for end-users and subsequently higher risk of data leaks or unauthorized access.
- Corporate compliance: With enterprises increasingly moving to SaaS applications, there are typically predefined corporate policies for securely delivering these apps to employees over mobile devices. Support for mobile device management (MDM) and mobile app management (MAM) is often a key requirement for meeting these corporate policies.
- Organizational control: Enterprise admins often have to manage thousands of mobile devices and need efficient ways to enforce security controls across them.
Enterprise organizations need their software to provide MDM and MAM capabilities to enable admins to push predefined security configuration to mobile apps on company-managed devices through the given MDM device application. Security controls should include things such as data export restriction, screenshot disabling, clipboard management, device encryption, and compromised device detection (to name a few). In the post-pandemic world where remote work remains a viable option for most enterprise organizations, mobile device controls like these are table stakes.
What does this mean for enterprise software solutions?
Just like the policies designed to protect data, the security capabilities your enterprise software provides should be evolving to accommodate these needs. Data protection is an area that Atlassian has invested heavily in, both in our cloud and self-managed offerings, to ensure the trust and peace of mind that our customers have come to expect from us.