Learning from the crisis: Lessons in flexible working

Working from home
(Image credit: Pexels.com)

The Covid-19 pandemic has fundamentally changed the way we work, forcing companies to rapidly relocate staff to home offices and switch to remote working solutions. Now that employees are slowly starting to return to their desks, it’s time for IT departments to examine how productivity fared during the period spent away from the office. With flexible working set to become the norm, now is the time to plan for infrastructural change.

Even before the crisis, the “workplace of the future” was a widely discussed topic, simmering away in the background in the minds of managers but often low on the list of priorities. However, the introduction of social distancing measures has meant that flexible workplace models have become a reality much faster than many companies could ever have thought possible. Whether or not employees perceived their experiences of working from home as a positive or a negative often boils down to one thing: the status of the cloud transformation in their company. By relocating applications and data to the cloud and switching to a cloud-capable infrastructure, companies were able to lay the foundations for agile working.

Now that things are slowly returning to a new kind of normal, we can identify three categories of companies based on their responses to the crisis and derive some useful lessons from their experiences.

Enterprises that had already implemented a sophisticated digital structure before the pandemic and were already making use of the flexibility of the cloud for remote working were able to respond quickly to the changing environment.

The second category used the crisis as an opportunity to prioritize its cloud projects, placing cloud technology at the top of the agenda to ensure employees were able to work with maximum convenience and productivity within the space of a few weeks.

The third category is comprised of companies that expanded their existing hardware-based infrastructure to meet their employees’ remote access needs. Across these categories, there are huge variations in the productivity, efficiency, and security of home-working solutions.

First lesson: Bandwidth

No IT department would ever have been able to predict a pandemic on this scale. However, companies that had already opted not only to host data and applications in multicloud environments, but also to adapt their security and remote access infrastructure to meet the needs of a modern mobile workforce had the least difficulty coming to grips with the new situation. For these companies, the volume of data they were processing did not change; all they had to do was ask employees to switch into their home-offices.

Companies operating in a more conventional way would, at best, probably have planned for no more than one-third of their staff to work from home on a temporary basis at any one time. Bottlenecks quickly developed as a result of a massive increase in data traffic, driven by the need to relocate the majority of staff to home offices. This flood of data pushed the traditional hardware or license-based infrastructure for remote access to data and applications to its limits. As these companies place their security technology at the perimeter of their system, all of the data traffic from the remote workers’ home offices had to be diverted through the data center before they could access applications, which didn’t create the best foundations for a positive home-working experience.

Companies that didn’t have sufficient bandwidth to cope with the rise in data traffic and to provide a high-performance remote environment responded with a variety of different strategies. One option was to procure new hardware to circumvent the bandwidth bottlenecks. But in most cases, this solution proved impossible to implement in the required timeframe due to hardware delivery times and the complexity of deployment.

To enable employees to access applications and data with the same speed and efficiency as in the office, some companies developed a rolling system of access. Employees were divided into groups, with only part of the workforce provided with access to remote working applications from home. The rest of the staff used applications and data as normal in the office. Other companies shared resources by providing set windows for different groups to access data from their home offices over the course of the day, which reduced staff efficiency.

Second lesson: Functionality vs. security

As VPN clients were installed on newly purchased or privately owned devices to provide employees with access to the entire company network, businesses were exposed to ever-higher levels of risk. To compound the situation, new weaknesses in VPN gateways meant that rapid patching was required to close any potential points of entry for cyber attackers. Throughout the crisis, it was also difficult for companies to maintain an overview of user identities across all of the devices being used for remote working. As each user identity is linked to specific access rights, there was an increased risk of the wrong people being granted access to sensitive data.

In the search to identify the factor holding companies back from high-performance remote working, blame often fell on the hardware. More specifically, it fell on the firewalls or remote access VPNs used as perimeter-based security infrastructures, or on the devices used by employees. In extreme cases, employees were even asked to take their entire desktop PC setup—including monitor and keyboard—home with them. Other companies got their employees to purchase tablet PCs or use their own devices.

Although these solutions served a purpose in that they kept productivity up, both scenarios generated their own security risks. Companies were faced with a difficult choice between ensuring normal levels of productivity or providing secure remote access—albeit with frequent drops in the connection and with hardware being switched off at the bottleneck. Due to the sheer number of different devices used in the workplace, it was not always possible for companies to insist on compliance with standardized security policies across all devices.

Third lesson: New approaches to working from anywhere

In the aftermath of the crisis, companies should take the opportunity to evaluate their existing infrastructure and convert their emergency workarounds into practical approaches for the future.

Many employees have come to value the greater flexibility of being able to choose where they work and are not willing—for the time being, at least—to bid farewell to the option of remote working. Even before the pandemic, companies had started moving their applications and data over to multicloud environments in an effort to adapt their work environments to meet the demands of the mobile workforce. In these kinds of settings, the established network limits become more fluid, and traditional perimeter protection solutions can no longer provide flawless security coverage. The new world of work requires an approach that combines connectivity, security, and performance.

Via their mobile devices, today’s flexible users have access to the internet from any location, whether that’s a home office or an airport or a train. What’s more, 5G technology is set to make mobile connectivity 10 times faster than before. But against the backdrop of these technological developments, the threat landscape has also changed, with cyberattacks shifting to target individual users as a gateway to damage companies. The Gartner secure access service edge framework, or SASE, responds to these challenges by turning the traditional concept of security on its head. The security function is moved from the network to the user. This shift enables the entire data path from the user to the application to be seamlessly secured via an all-encompassing, holistic service.

The SASE concept combines comprehensive WAN capabilities with a range of network security functions, such as secure web gateway (SWG), cloud access security broker (CASB), firewall as a service (FWaaS), and zero trust network access (ZTNA), to support the dynamic and secure access that businesses need.

SD-WAN, for example, has an important role to play in providing secure access to applications hosted in the cloud, allowing a direct path to the app without the need for a diversion via a hub-and-spoke network. In terms of security, zero trust—or, in other words, access authorization based on user identity—also plays a central role. With all of this in mind, it is important for companies to take a holistic view of security that reflects the modern business need for cloud technology and mobility as well as network and connectivity requirements.

Nathan Howe, Head of Transformation Strategy, EMEA, Zscaler

Nathan Howe, Director of Transformation Strategy at Zscaler, has 20+ years in security experience across a multitude of organisations including governments, enterprises and telco service providers.