Jeff Hussey, CEO at Tempered
The last few weeks have shown us that we are living in unprecedented times. We are radically changing how we interact with others and, more importantly, how we work. This means a massive shift in working patterns and a gigantic spike in the number of people working from home.
Most of us have worked intermittently from home at some stage in our lives, but a prolonged stint of home working for so many of us poses significant challenges to businesses. I’m sure plenty will be written in the weeks and months to come about the social and psychological challenges of home working. But today I want to talk about some of the first practical steps that organizations will have to take so that their employees can work safely and securely from their homes where possible.
IT infrastructure is one of the first challenges that organizations will face when it comes to scaling up their remote workforce. Most organizations will opt for VPNs. However, the majority of VPNs on the market today are unable to scale quickly enough and with sufficient security to meet the current demand.
This includes the challenge of maintaining IT security and authenticating network access in a distributed network environment. As VPNs scale at a rapid rate, traditional network boundaries start to blur, and it becomes harder to pinpoint the network’s perimeter. This makes IT security, identity verification and access privileges increasingly challenging to manage.
The tactics traditionally deployed from inside an IT network perimeter become increasingly precarious as it transitions to distributed clusters of users, systems, data sets and software. Most businesses rolling out a VPN will opt for a mix of VLANs, ACLs, routing rules and a selection of firewall policies in an attempt to address these challenges. But this patchwork approach leaves gaps, and it’s through those gaps that cybercriminals can gain unauthorized access.
Businesses cannot afford to let this happen. During this time of crisis, the risk of data breaches is heightened, and companies are still required to maintain their GDPR, HIPAA and PCI compliance. Cybercriminals are more likely than ever to succeed when they see an opportunity they can exploit.
So, how do you protect yourself, your organization and the employees you serve as an IT Department?
Let’s take a step back for a moment and assess the changing IT landscape and the new security risks: When the majority of employees are based in an office and access the IT network from a single point, it’s easy to establish who has permission to log in and who does not. You can pull up a metaphorical drawbridge and keep the enemy out. This is often called a high-trust network. In a high-trust network, everyone inside is trusted by default, and the people outside have their access blocked.
But now, as employees spread out and access corporate networks from their homes and other remote locations, identifying who can and who cannot log on gets much more complicated. The problem with traditional VPNs is that, even when the network perimeter has become blurred, they still operate as though they are running in a high-trust scenario—but they are not. Trusted identity is not so easy to establish across traditional VPNs, and the chances of a security breach are much, much higher.
For this reason, as the number of remote workers continues to rocket, organizations must adopt a zero-trust approach. In a zero-trust scenario, no user, system, application or even a cloud provider is to be trusted—instead, they have to be whitelisted then authenticated, even if they have been granted previous access.
Rolling out a distributed, zero-trust network is how organizations need to scale at speed without compromising on security. Access policies—many of which can be automated—can be applied by job title, team membership or project. In addition, access can be limited so that users are required to log in at regular intervals or permissions expire after a set amount of time.
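To make the policy model above concrete, here is an added sketch (not code from the article or from any product) of a default-deny access check: a request is allowed only if an allowlist grant matches the user's job title, team or project, the grant has not expired, and the user logged in recently enough. All names (`Grant`, `Session`, `decide`) and the sample data are hypothetical and constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Grant:
    resource: str
    attribute: str       # "job_title", "team" or "project"
    value: str
    expires_at: float    # epoch seconds; the permission lapses after this
    reauth_every: float  # maximum age in seconds of the user's last login

@dataclass
class Session:
    user: str
    attributes: dict
    authenticated_at: float  # epoch seconds of the last successful login

def decide(session, resource, grants, now):
    """Default deny: prior access is never a reason to allow."""
    matched = [g for g in grants if g.resource == resource
               and session.attributes.get(g.attribute) == g.value]
    if not matched:
        return (False, "not allowlisted")
    live = [g for g in matched if now < g.expires_at]
    if not live:
        return (False, "grant expired")
    age = now - session.authenticated_at
    if age < 0 or not any(age <= g.reauth_every for g in live):
        return (False, "re-authentication required")
    return (True, "allowed")

# Constructed sample policy and sessions (assumptions, not real data).
NOW = 1_000_000.0
GRANTS = [
    Grant("payroll-db", "team", "finance", NOW + 86_400, 3_600),
    Grant("build-server", "project", "atlas", NOW - 1, 3_600),
]
alice = Session("alice", {"job_title": "analyst", "team": "finance"}, NOW - 600)
bob = Session("bob", {"team": "finance"}, NOW - 7_200)   # stale login
carol = Session("carol", {"project": "atlas"}, NOW - 60)  # expired grant
dave = Session("dave", {"team": "sales"}, NOW - 60)       # no matching grant

if __name__ == "__main__":
    for s, r in [(alice, "payroll-db"), (bob, "payroll-db"),
                 (carol, "build-server"), (dave, "payroll-db")]:
        print(s.user, r, decide(s, r, GRANTS, NOW))
```

Every denial carries a reason, so each decision can be logged and audited rather than silently dropped.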
This reflects the general shift towards zero trust that organizations are applying to their entire network infrastructures. We see this in the Industrial Internet of Things (IIoT), smart manufacturing, smart buildings and so many other applications. When every endpoint represents a potential doorway to the network, trust needs to be granted by the network admin or a sophisticated automated policy.
What organizations are finding, whether in the case of remote workers or connected devices, is that the old world of VPNs and firewalls can no longer meet the challenges of today’s connected world. COVID-19 may well be the catalyst that pushes organizations to adopt true zero-trust methodologies and adapt to the cybersecurity challenges of the future.