The COVID-19 health emergency has forced many organizations to impose remote working practices on staff. The speed of change has highlighted the inherent weakness of a perimeter IT security model that differentiates remote and office workers into different access controls.
The temporary fix from stressed IT departments has been a rush to deploy more VPN capacity, but this approach ignores the more fundamental strategic need to move towards a zero trust and identity centric security.
Although not all jobs are suited to home working, many knowledge workers and service-based industries have attempted to shift staff into a home working schema supported by ICT. In the UK and replicated globally, there has been varying levels of success with some organizations finding that small scale remote working provision has been simply unable to cope with total home working.
Several high-profile brands within financial services, legal, media and communications have had to suspend entire service offerings and contact center functions simply because systems were never designed for home working at such scale.
This is not a finger pointing exercise, as even robust business continuity planning where organizations may expect to relocate to temporary offices in the event of a fire or flood are stretched when moving from mostly centralized to completely decentralized almost overnight. There are many areas where cracks have resulted in failure.
One of the most common is around secure access where most organizations have a perimeter approach with a firewall/VPN acting as a guardian between the untrusted public internet and the safe corporate network.
However, this ‘safe network’ proposition is unsound as at least 34% of all breaches happened as a result of insider threat actors - at least according to the 2019 Data Breach Investigations Report. The issue with this perimeter approach is that it assumes most workers are in the office, so there is no need to validate each connection flowing within the corporate LAN/WAN.
In the current remote working centric model, the flow is mostly inbound – and as such – there has been a dramatic rise in the need for VPN and traffic inspection. This has led to short term capacity issues – requiring more VPN – but also architecturally, many organizations need to re-engineer their network flows.
To give just one common issue. A company using a SaaS application with a perimeter approach is now expecting remote workers to connect from home via the public internet to a centralized VPN in the office, which in turn makes a secure tunnel, again across the public internet, to the SaaS. With the public internet slowing down across the board as homebound workers and millions of students try to connect – this inefficient workflow is having a dramatic impact on performance.
In normal times, organizations would also throw more bandwidth at the problem, but most ISPs have either suspended or dramatically reduced the number of new DSL / FTC installations due to the impact of COVID 19.
Instead, more progressive organizations are examining how they can shift to a zero trust approach that is succinctly summed up by O’Reilly Media’s Zero Trust Networks, as five underlying principles:
- The network is always assumed to be hostile.
- External and internal threats exist on the network at all times.
- Network locality is not sufficient for deciding trust in a network.
- Every device, user and network flow is authenticated and authorized.
- Policies must be dynamic and calculated from as many sources of data as possible.
At a technical level, the control and the data planes are separated. So, in the remote working scenario of accessing a SaaS, a remote user still must authenticate access but that does not require creating a tunnel through the enterprise VPN – but potentially directly connecting into the SaaS from home following identity checks.
Zero trust adoption is likely to grow rapidly post pandemic, but there will be other lessons learnt. For some organizations that have resisted home working in the past, the current situation may well deliver data that will validate its beneficial usage outside of a necessity.
There are a number of pre-pandemic studies including a massive study by a Stanford professor involving China’s largest travel agent that found significant and sustained cost and productivity benefits from 500 home workers versus a similar control group.
Enterprises may well find that home working becomes the new normal for large swathes of knowledge workers, and designing ICT to deliver a parity of services will become a board level consideration – and more than just a by-product of a better business continuity posture.
However, going from perimeter to zero trust or scalable remote working is not an instant option. Although the Identity Access Management (IAM) and secure access technology stack is relatively straightforward, the bigger challenge is the enterprise cultural shift.
This is further inhibited by training and, in some cases, overcoming legacy systems and processes such as document signing and authorization workflows that must evolve to digital equivalents. The focus on the short term must be on keeping people healthy and safe – the bigger picture for business is a future where technology is able to adapt to future global shocks.