The war between remote work and data security: who wins?

Imagine its 2019.

You are asked to evaluate an offshore consultancy firm to handle your organization's sensitive applications. After verifying the online security infrastructure, you inspect the consultancy companys office. The consultancy firm has assigned your organization a secure Offshore Development Center (ODC). Only the employees that work on your account will have access to that ODC. There are security cameras everywhere. A security guard watches 24X7 who gets in and out. Scanning machines ensure that nobody can bring storage devices inside the ODC. No one can even carry a smartphone inside.

You are impressed. Based on your feedback, your organization selects the consultancy firm to handle several applications that run sensitive data. Everything goes fine for a few months.
But then, Covid-19 happens.

There is no playbook to handle data security in a pandemic. Suddenly, the priority was to get the job done rather than to protect data. Employees are asked to take their desktops to their homes. The onus of data security was left alone to trust and Non-Disclosure Agreements (NDAs).

And how did that pan out?

This report from IBM shows that remote work has raised the average data breach cost by $1,37,000. The same report also highlights the spike in cybersecurity incidents due to remote work.

Is hybrid work the solution?

Its 2022.

Now that humanity has learned to live amidst the pandemic, consultancy firms, like other organizations, are coaxing their employees to return to their offices. But the employees have discovered the benefits of remote work. The time saved in commuting, the employees' overall happiness level, and other benefits make them choose organizations that embrace remote work. As a result, consultancy companies face unprecedented attrition when they force their employees to return to their offices.

Many believe hybrid work is the magic wand that solves the remote work vs. data security conundrum. Three days at the office and two days at home sounds like a perfect compromise, doesnt it? Of course not! Any cybersecurity professional knows that data security is only as strong as the weakest link. So, if an employee works two days a week from home, its only narrowly more secure than working from home all the time.

So, is there a solution to this problem?

Technology to the rescue

The answer, my friend, like Bob Dylans song, was always blowin in the wind. Privacy-preserving computing technologies like Zero-knowledge Proofs, Homomorphic Encryption, and Trusted Execution Environments (TEEs) existed much before the pandemic. However, some of these technologies were too difficult to use, which restricted the wide industrial adoption of such technologies. The necessity created by the pandemic forced the tech community to improve the usability of some of these technologies.
Among these technologies, TEEs show the most promise.

Trusted Execution Environments

Trusted Execution Environments (TEEs) are secure areas of memory inside a CPU known as enclaves. Data in an enclave cannot be accessed even by the owner of that computer.

Chip manufacturers like Intel have developed specialized CPUs with in-built TEEs. Developers can code applications that handle confidential data inside these TEEs or enclaves. Such applications block rogue employees and malicious attackers from accessing or tampering with sensitive data and provide digital evidence that no one has modified confidential data.

Suppose you develop an enclave-based application that detects suspicious transactions on a bank account. Employees working from their homes using an insecure WiFi connection can execute the application without having access to any private data. Attackers also cant fish out customer data from such applications as the components of the computer on which the application runs, including the operating system, dont have access to confidential data. Such data-in-use encryption facilitates the right balance between data security and flexible remote work.

Challenges of using Trusted Execution Environments

Not all applications can be converted into enclave-based secure applications. Other technologies like Zero-knowledge Proofs and Homomorphic encryption need to be considered too.
Also, only developers with advanced knowledge in cryptography and trust technologies can directly develop applications that use TEEs like the Intel SGX.

However, there are easy-to-use Software Development Kits (SDKs) like R3s Conclave that you can use to create secure applications that run on Intel SGX-based processors. R3 also provides a cloud offering that you can use to develop secure functions.

So, who wins the data security vs. remote work battle?

Many organizations are taking the first step to improve the data security of their applications by implementing confidential computing. The Confidential Computing market is predicted to grow from $19.6 billion in 2020 to $51.6 billion by 2026. Consultancy companies should actively support their clients to gain the first-mover advantage in implementing Confidential Computing technologies. By doing so, both the consultancy companies and their clients can operate better and stay resilient in this age of remote work.

Privacy-enhancing technologies like TEEs are only one piece of the data security puzzle. Its evident that you cant convert all applications in the world to use privacy-enhancing technologies like TEEs. Along with implementing privacy-preserving technologies, organizations should continue to follow other best practices for securing remote work, like two-factor authentication and restricting access to applications on a need-to-know basis.
With careful prioritization and rapid implementation of privacy-preserving technologies, data security can indeed coexist with remote work.

In that case, everybody wins.