The gig economy is growing larger with each passing year, as companies embrace flexibility and more and more workers start to strike out on their own. In fact, it’s expected that the percentage of U.S. workers involved with the gig economy will climb to 43% in 2020. What’s more, 90% of U.S. workers indicate that they would consider freelancing or pursuing independent contract work.
From a business perspective, this is an exciting development. After all, independent contractors present many benefits from a cost and management perspective — especially during the pandemic economy where many businesses are facing budget cuts and hiring freezes.
Yet from a security perspective, embracing the gig economy can be very risky without the right safeguards in place. Expanding beyond core team members means sharing access to backend systems and applications and sensitive corporate data, increasing the business’ vulnerability.
Like it or not, the gig economy is here to stay, and it’s only going to grow in the coming months and years. As such, it pays to have a strong handle on identity access management and security to keep your systems secure and avoid running into potential issues.
How to Enforce Security in the Gig Economy
Here are some tips to help scale your freelancers safely and effectively.
1. Implement Tight Access Controls
One of the most important things that you can do to protect your systems is to have strong access controls in place for all of your cloud environments.
Don’t leave anything to chance. If you want to prevent data breaches from occurring, you have to enforce tight access policies for all accounts. The last thing you want is unauthorized users moving in and out of accounts holding sensitive data.
You should also prevent freelancers from “owning” data. Use secure file sharing systems that govern how employees are able to share information. Many businesses allow freelancers to store information in private drives and folders, essentially enabling shadow systems that exist beyond the scope of IT.
2. Have Freelancers Sign NDAs
One of the best ways to discourage independent contractors from abusing privileges is to make them sign non-disclosure agreements (NDAs).
This is a very common practice that businesses use to protect trade secrets and proprietary information. Most independent contractors will sign NDAs without putting up a fight. And if they argue, it’s an indicator that they may be untrustworthy to begin with and a different option might make more sense.
3. Eliminate Cloud Sprawl
Cloud sprawl occurs when a company’s cloud instances proliferate without any visibility or control.
This is very dangerous for an organization because it often results in instances remaining unprotected. It’s a good idea to centralize cloud management and conduct a thorough audit before opening your doors to new team members. That way, you can get a better idea of all of your cloud properties and know where everything lives.
4. Use and Integrate SIEM to Monitor Databases
Recent advancements in security information and event management (SIEM) make it possible to monitor databases and pick up on suspicious logins and actions.
SIEM systems, like IBM QRadar, are often used by global organizations, with end users and resources in multiple locations.
As an example, a SIEM system could have time and location tracking to detect suspicious activity. If a team member tries to log into a certain database from a different IP address or a different country, the system could temporarily block access or revoke privileges — locking a potential intruder out until an investigation can be conducted.
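The time-and-location rule described above, sketched as an added example (not code from this article or from any SIEM product). The event tuples are constructed sample data, and the first-login baseline and 24-hour hold are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, source IP, country, database)
EVENTS = [
    ("2024-03-01T09:00:00", "freelancer1", "198.51.100.10", "US", "orders_db"),
    ("2024-03-02T09:05:00", "freelancer1", "198.51.100.10", "US", "orders_db"),
    ("2024-03-03T09:10:00", "freelancer1", "198.51.100.77", "US", "orders_db"),
    ("2024-03-03T10:00:00", "freelancer1", "203.0.113.5", "BR", "orders_db"),
    ("2024-03-03T10:05:00", "freelancer2", "192.0.2.44", "DE", "orders_db"),
    ("2024-03-03T11:00:00", "freelancer1", "198.51.100.10", "US", "orders_db"),
]

BLOCK_WINDOW = timedelta(hours=24)  # assumed hold time pending investigation


def evaluate_logins(events):
    """Return one (user, ip, decision) tuple per login, in time order."""
    known_ips = defaultdict(set)        # user -> IPs seen on accepted logins
    known_countries = defaultdict(set)  # user -> countries seen on accepted logins
    blocked_until = {}                  # user -> end of temporary lockout
    decisions = []
    for ts, user, ip, country, _db in sorted(events):
        when = datetime.fromisoformat(ts)
        # While a lockout is active, every attempt is refused, even from a known IP.
        if blocked_until.get(user, datetime.min) > when:
            decisions.append((user, ip, "deny_blocked"))
            continue
        if not known_countries[user]:
            # Assumption: the first observed login seeds the baseline.
            decision = "allow_baseline"
        elif country not in known_countries[user]:
            decision = "block_new_country"
            blocked_until[user] = when + BLOCK_WINDOW
        elif ip not in known_ips[user]:
            decision = "alert_new_ip"   # same country, new address: alert only
        else:
            decision = "allow"
        # A blocked login must never extend the trusted baseline.
        if decision != "block_new_country":
            known_ips[user].add(ip)
            known_countries[user].add(country)
        decisions.append((user, ip, decision))
    return decisions
```

In production the baseline would be seeded at onboarding rather than from the first login, so an intruder cannot establish it.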
5. Require Freelancers to Use a VPN, But You Need More
In a sense, working with a freelancer is like letting them into your house. It’s perfectly acceptable to ask them to play by your rules — especially when it comes to matters of security.
Part of the risk of working with freelancers is that you typically have less knowledge about who they are and from where they are logging in. For example, some freelancers are digital nomads and may routinely access insecure networks during their travels in hotel rooms, coffee shops, and airports.
As such, a growing number of companies are asking freelancers to log in using a virtual private network (VPN), which is a private network that runs over a public network. VPNs are encrypted and secure, protecting your data and systems.
A VPN is useful, but identity and data access should also be strictly enforced with least privilege access. It takes only one identity, human or non-human, with too many privileges to create a toxic combination that leaves your data at risk.
6. Provision and Deprovision Quickly
Speed is the name of the game in the gig economy. If you want to land the top talent, you shouldn’t make them wait for account access.
Generally speaking, you want to provision access quickly and avoid making freelancers wait or jump through hoops to access materials. When they are no longer working with your company, you want to act just as fast by deprovisioning them the moment they stop working. However, you need to manage this process closely through proper identity security and controls to prevent over-privileged access.
Remember: Provision and deprovision quickly and often. Avoid getting into a habit where a gig worker can access accounts and data when they are not actively working with your company.
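One way to check that deprovisioning actually happened, as an added example (not from the original article): join the engagement record against the account inventory and report anything still usable after the contract ended. All names, dates and field names are constructed sample data and assumptions.

```python
from datetime import date

# Constructed sample data. ENGAGEMENTS maps a freelancer to their contract end
# date; ACCOUNTS is an export from the identity inventory (field names assumed).
ENGAGEMENTS = {
    "alice": date(2024, 3, 31),
    "bob": date(2024, 6, 30),
}
ACCOUNTS = [
    {"owner": "alice", "account": "alice@crm", "enabled": True,
     "last_login": date(2024, 4, 12)},
    {"owner": "alice", "account": "alice@git", "enabled": False,
     "last_login": date(2024, 3, 29)},
    {"owner": "bob", "account": "bob@crm", "enabled": True,
     "last_login": date(2024, 5, 2)},
    {"owner": "carol", "account": "carol@storage", "enabled": True,
     "last_login": date(2024, 1, 9)},
]


def audit_access(engagements, accounts, today):
    """Return (account, finding) pairs for access that outlived the engagement."""
    findings = []
    for acct in accounts:
        end = engagements.get(acct["owner"])
        if end is None:
            # Nobody can say when this access should end: treat as orphaned.
            if acct["enabled"]:
                findings.append((acct["account"], "no_engagement_on_record"))
            continue
        if acct["last_login"] > end:
            # Evidence of use after the contract ended, even if disabled since.
            findings.append((acct["account"], "used_after_end"))
        if acct["enabled"] and today > end:
            findings.append((acct["account"], "enabled_after_end"))
    return findings
```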
Keeping Environments Secure in the Gig Economy
By using these strategies, your business can gain all of the benefits of the gig economy while mitigating potential risks.
There is no need to fear working with freelancers, but you should be cautious at every step, even when working with trusted associates.
Sonrai recommends taking a least privilege approach to security, where all users have the bare minimum access to the information they need.
Want to check out Sonrai to learn about the easiest way to keep your systems secure in the gig economy? Try a demo today.