Maksim Kabakou - Fotolia
Going back to office networks, only to dismantle them once and for all
With Covid-19 restrictions easing, offices are welcoming back remote workers this summer, bringing with them their notebooks and mobiles, and creating an endpoint management headache for CISOs. What do security teams need to account for to protect their returning office workers?
It feels almost unbelievable that after over a year of having to work from home, we have finally reached a stage when, thanks to the rising vaccination rates and other efforts by governments, life seems to be returning to almost normal. Alas, for many people this not only means an opportunity to visit a theatre or a pub after a long break, but also the looming prospect of returning to their offices.
Back in early 2020, when we first faced nationwide lockdowns, IT workers found themselves fighting for the survival of their businesses because very few companies were prepared to support a fully remote workforce. Fortunately, most were able to adapt within the first months of the pandemic. For some businesses, Covid was the decisive argument to finally embrace the cloud. For others, digital services have even become the new product. Those were truly “interesting times”.
Let’s face it: office work is no longer normal
Fast forward to June 2021 and it seems that many IT workers – especially those responsible for security – are looking forward to the impending end of lockdowns as some kind of return to normalcy, going back to the “good old times”. In reality, this might be the biggest mistake a CISO can make! Even once everyone is fully vaccinated and the remaining restrictions are lifted, the new “normal” will be nothing like pre-Covid times.
First, many people like working from home. Some are seriously planning to continue, and are even prepared to take a pay cut or move to a different company to do so. Many businesses have also appreciated the cost and time savings, to say nothing about the profound environmental impact of remote working.
Eventually, many companies will have to redesign their office spaces to put more emphasis on shared workplaces and hotdesking, as well as to cater to the sharp increase in teleconferencing and remote collaboration, even in offices.
For people in IT and cyber security, this means there is simply no going back to the old concept of perimeter security. Even the most conservative companies that were still clinging to their firewalls, VPNs and on-premise applications had to finally make a leap of faith and adopt modern, cloud-native alternatives to accommodate their remote workers and to ensure their safety and compliance outside of the traditional corporate perimeter.
Nowadays, the local area network (LAN) is the least safe part of the corporate network, and returning office workers will only make the situation worse. Masks and tests may help protect against Covid in the workplace, but what will help against ransomware and phishing attacks?
Zero trust: not a buzzword anymore, but a strategic goal
Does it mean, however, that we now need to invest in additional security tools to protect our offices from the sudden inflow of new external and internal threat actors? Well, yes and no.
The biggest enemy of security is complexity, and adding security controls specifically for office workers is a waste of money and time. A more sensible strategy is to ensure that the same security stack can protect any worker, inside and outside of the office, including employees working from home, mobile workers, contractors and other partners.
In practical terms, this means extending the definition of a remote worker to everyone within the organisation. Anyone should be able to experience the same level of productivity and protection from cyber threats inside or outside of the office, moving seamlessly between IT environments like mobile phones between cell towers. Needless to say, the most radical method of achieving this seamless behaviour is by getting rid of the very notion of a local network – the one and only holy grail of zero trust!
This buzzword has been a popular topic for discussion among IT experts for years, often leading to much confusion among people thinking they can purchase zero-trust networks as turnkey solutions. However, while this is definitely not the case, adopting a zero-trust security model is easier than many people believe, providing they have a proper long-term strategy.
In addition to deploying various technologies – which many companies might already have done precisely because of Covid – it might require companies to redesign some organisational principles or business processes as well. But the result will always lead to the overall simplification and unification of IT infrastructures, reduced costs and administration overheads, and, hopefully, increased employee productivity and satisfaction.
It’s time to retire the LAN
The first step in this strategic journey towards zero trust can be quite simple: just pretend that your office no longer has a local area network. Even if a worker is back at their old desk, treat their devices as though they were still working from home – for example, only let them connect to the guest Wi-Fi network.
Of course, if you have been relying on old-school VPN solutions for all these months, this might cause problems, but if you’re already using a cloud-based zero-trust network access (ZTNA) platform to provide secure connectivity to your corporate applications, it should work completely transparently – in or out of the office. As an added benefit, this approach will protect your legacy LAN from lateral movements of a potential malicious actor, external or internal.
The same applies to secure access service edge (SASE) solutions that deliver security capabilities directly from the cloud – even if they cannot yet fully replace your carefully configured stack of on-premise security appliances, they can probably provide 80% of protection for just 20% of the cost, in the office, at home or anywhere in between.
If there is any silver lining behind the whole Covid disaster, it is that all these cloud-based solutions have been thoroughly battle-tested and can accommodate the requirements of even the largest businesses.
The world has changed profoundly over the past 15 months, and there will be no return to pre-Covid times any time soon. Instead of lamenting the loss, however, we should embrace the new normal, continue adopting modern security technologies, and use this unique opportunity to get rid of the huge technical debt of our legacy IT infrastructures. If done strategically, it should be a win-win situation for everyone. Well, excluding hackers, perhaps.
Alexei Balaganski is lead analyst at KuppingerCole and a specialist in artificial intelligence and cyber security. At KuppingerCole, he covers a broad range of cyber topics including database, application and API security, security analytics, data protection, and AI-based security automation. He holds a master’s degree in applied mathematics and computer science, and also previously served as KuppingerCole’s chief technology officer.