The challenges of securing a remote-first world
Tweet
Share on LinkedIn
Share on Xing
Share

The challenges of securing a remote-first world

Sam Forsdick — November 2020

The rapid switch to remote working, triggered by the coronavirus pandemic, has enabled many organizations to keep their operations running despite the disruption. But to do so, some conventional IT security measures have had to be compromised. Gartner senior research director Rob Smith reflects on the challenges of the past six months and offers advice to companies looking to re-establish security as a top priority.

 

The Covid-19 crisis created a rapid shift in working patterns at many organizations, as countless staff transitioned activities from offices to homes. After several months of remote operations — and even with successful vaccine programs suggesting an end to the current pandemic is now in sight — many companies are looking to make their remote-working experiment permanent.

A recent survey of 317 CFOs, by technology industry consultant Gartner, revealed that 74% expected a significant part of their workforce would continue to work from home after the pandemic has ended. But the changes in working practices have raised serious issues for IT security executives as they have rushed to support new ‘remote-first’ policies. With that new norm established, there are now questions about the extent to which security corners were cut during the first months of the pandemic and how new working practices need to be safeguarded.

Rob Smith, senior research director at Gartner, has seen a three-stage process at most organizations. “Phase one came to a conclusion in May. It involved getting everybody [working remotely] online as fast as humanly possible and in any way possible – security be damned.”

““Rob”
Rob Smith, senior analyst at Gartner

For many companies, the choice was to either set up employees with office equipment or ask employees to use their own computers for work. “If you had asked me about ‘bring your own PC’ in January, I would have said almost nobody does it. Now, around two-thirds of Gartner’s clients are doing that to some extent,” he says. Perhaps surprisingly, this includes government departments, financial institutions, healthcare companies and even the military, according to Smith.

This switch to using personal devices has been one of necessity for most organizations. The shortage of kit in the early months of the pandemic meant that many organizations faced a stark choice between employees’ own devices or nothing at all, according to Smith. “It was really a question of get online or be out of business.” 

Securing your remote workforce

Phase two is when the security implications of that shift to remote working need to be considered — and it’s where many organizations now find themselves. For the most part, that has involved largescale extension of corporate VPNs, ensuring anti-virus software is installed and up-to-date on home devices and segmenting networks and directories to make sure that people are only accessing systems they are authorised to access.

For Smith, one crucial security feature has been multi-factor authentication (MFA). “If there’s one technology that really matters most for any organization to enable in a post-Covid world, it’s MFA,” he says. “If an employee is using a personal device, the only safe assumption to make is that it’s infected. This makes it very dangerous if they connect over a corporate VPN. But if you turn on MFA, that problem gets eliminated.”

Another frequently recurring issue facing clients over this period was what Smith calls “Patch Tuesday” — referencing the fact that many VPNs couldn’t cope with the hundreds of updates being sent over the network as staff logged on at the start of the business day. “The solution is to transition to a cloud-based patch delivery system,” he explains. “So you don’t have to send that update traffic over the VPN.”

‘Don’t think, just deploy’

The third stage is now is about refining the work-from-home setup or, as Smith says, “fixing everything and doing it right.” Determining the right security setup relies on properly defining the user’s profile and the scope of their activity, he says.

The user’s job function, the device they use, the apps and data they need access to and their location should all be taken into consideration when determining which security technologies to apply. For example, Smith says: “If the user is predominantly accessing a Salesforce.com app, you could use a cloud access security broker and contain the data there. Or, if they have their own personal device, you could deliver desktop as a service.”

However, the reality of a remote setup in the current climate is that the need for swift action often trumps traditional prudence. In many cases it has required a “Don’t think, just deploy” mentality.

“Today you can’t go through the traditional IT processes of piloting a new application for six months before buying it. That doesn’t work in the Covid-19 universe; you have to figure out where you want to be very quickly and try to get there.”

Smith references one global insurance company, which went from having 500 remote users to 50,000 in the space of a single day. He explains: “The first problem was their VPN only had licenses for 10,000 users. But even when they bought 40,000 extra licenses, they found they only had bandwidth to support 1,800. And then out of the 50,000, over 20,000 didn’t have their own computer at home.

“It was a classic example of everything that could go wrong, did go wrong. All they could do was immediately re-architecture the complete environment for remote working,” says Smith.

But, he reiterates, “There really was no wrong decision. Companies were simply doing what they could do with the resources they had available at that moment. That’s why stage three is so important. When you talk about redesigning the network and the whole architecture, make sure you know what you really want to achieve.”

Unfortunately, when it comes to stage three, there are no shortcuts. “Frankly — and this is a very tough thing to accept — you have to find money for this,” says Smith. “Security has become the new infrastructure because it determines how you access your work. Enabling, this is the most important thing you can do because all other work is dependent on it.”
Preparing for future security threats

As the current situation evolves, IT organizations need to be increasingly vigilant. If they have allowed employees to use their own computers in a work-from-home setting, this can then bring new challenges when they spend time in the office. “If you have people coming into the office, you can’t allow them to bring in their home laptop into the corporate network and potentially infect it with viruses,” says Smith.

Although the past few months have proven difficult for many IT organizations, most will find themselves in a better situation now than they were in earlier phases. For Smith, the important takeaway is “not to beat yourself up if you picked the wrong solution. You need to react as the situation develops and learn as you go.”

He adds: “The truth is there is no magic bullet. You have to look at a myriad of solutions and work out what is appropriate for your organization.”

First published November 2020
Tweet
Share on LinkedIn
Share on Xing
Share

    Your choice regarding cookies on this site

    Our website uses cookies for analytical purposes and to give you the best possible experience.

    Click on Accept to agree or Preferences to view and choose your cookie settings.

    This site uses cookies to store information on your computer.

    Some cookies are necessary in order to deliver the best user experience while others provide analytics or allow retargeting in order to display advertisements that are relevant to you.

    For a full list of our cookies and how we use them, please visit our Cookie Policy


    Essential Cookies

    These cookies enable the website to function to the best of its ability and provide the best user experience for you. They can still be disabled via your browser settings.


    Analytical Cookies

    We use analytical cookies such as those used by Google Analytics to give us information about the way our users interact with i-cio.com - this helps us to make improvements to the site to enhance your experience.

    For a full list of analytical cookies and how we use them, visit our Cookie Policy


    Social Media Cookies

    We use cookies that track visits from social media platforms such as Facebook and LinkedIn - these cookies allow us to re-target users with relevant advertisements from i-cio.com.

    For a full list of social media cookies and how we use them, visit our Cookie Policy