
Security Think Tank: Plan for hybrid working to become normal

After a year of unprecedented disruption thanks to Covid-19, it looks like remote working is set to remain with us for now, which means security strategies will change in 2021. What will this change look like, and what tools and services will be selling like hot cakes?

After 10 months of unprecedented disruption during the pandemic, there is some light on the horizon, promising a return to some normality in life. However, little will be as before. The change in work styles to work from home (WFH) will partially swing back, but not to where it was before the pandemic. The new normality for many workers will be hybrid work.

Organisations should therefore continue their investments in support of such work styles, shifting from tactical investments for enabling WFH from one day to the next, towards a strategic plan. That strategy, fortunately, aligns well with the two other major trends in IT – the shift to the cloud and zero-trust as the central paradigm for cyber security.

All these trends have a common denominator. WFH and the future of hybrid work, plus the older trend of mobile workforces, are about users working from somewhere, maybe with a corporate-owned device, maybe with their own device as part of a bring-your-own-device (BYOD) strategy.

Meanwhile, cloud strategies are about shifting workloads to the cloud, while others remain hybrid or, as in edge computing, move closer to the premises again.

And zero-trust is about accepting that there is no traditional perimeter around the internal network any more, but that security is built by many devices.

The lack of a perimeter and the shift away from traditional computing models is common to all of these concepts.

From a security perspective, this simplifies everything. Instead of thinking about how to emulate a traditional IT environment with WFH, for example by using virtual private networks (VPNs) back to the internal network, the logical approach is to start with mobile users who run their devices from anywhere, to access services that can run everywhere.

This is part of the new reality: users sitting in their home office, connecting via insecure Wi-Fi and private internet connections to services running in the cloud. If you can secure that, I believe you can secure everything. Just assume that devices are not secure and assume there is no secure network.

Then start investing in everything that helps to secure these environments, such as adaptive, context- and risk-based authentication supporting multiple factors.

Add technology to manage access to services, such as identity and access management (IAM) for access control and cloud access security brokers (CASBs) in front of these.

Consider running your own datacentres as a real private cloud, where every service acts the same way as a public cloud service; then all your services appear similar to the users.

And start protecting what you really want to protect – data and transactions. Focus on encryption, transaction fraud and, more generally, fraud reduction.

If you still consider network security important, look for cloud-based solutions for private and secure access.

Last but not least, understand what is happening by monitoring and responding to events. Security operations, automation, and response (SOAR) is also key here.

So, IAM in all its facets, CASBs, solutions for endpoint protection, detection, and response (EPDR) plus unified endpoint management (UEM) for the devices you are allowed to manage and control, data governance and data security solutions, and advanced security including SOAR and extended detection and response (XDR) are the cornerstones for dealing with the hybrid reality of work and the hybrid reality of IT. This is what your investments should focus on, not on traditional security solutions any more.

This may sound complex, but in the end it is rather straightforward: start where you have most control – users and authentication, services and data. And try to treat everything the same: think not of WFH as the exception, or of cloud as a separate problem from your old-fashioned (or even modern) datacentre, but of users with their devices accessing services from everywhere to everywhere.
