In an increasingly distributed world, cybersecurity remains critical. Yet the need to protect the enterprise is causing tension as workforces and the tools they need become increasingly decentralized. While few doubt the productivity and engagement benefits of empowering people to work as they choose, where they choose, with what they choose, business leaders are still struggling with the security implications.
Luigi Freguia is Senior Vice President for EMEA at VMware.
New VMware research spells this out: 75% of IT decision makers agree that the sensitivity of their organization's data has made it more cautious about decisions to embrace anywhere work long term, while 60% acknowledge that security risks have increased since employees started working remotely. Unsurprising, when one considers that 67% of employees have connected a personal device to their organization's network or used one to handle their organization’s data or files.
The natural reaction might be to lock everything down (indeed get people back inside the HQ), restrict as much as possible and protect corporate networks and data at all costs, irrespective of the impact on flexible working models. But as the enterprise has become more distributed, security can’t hold back the deployment of hybrid working.
Keeping attackers out and employees in isn’t an option any more
Forcing people back into the office full-time is directly linked to employee churn. As The Great Resignation rumbles on, employees are reacting when they aren’t being allowed to work in the way they want, how they want and with the tools they want. This isn’t just about retaining employees either; by empowering staff, you are more likely to engage them and support them to be more productive, ultimately driving greater results.
The reality is that in the modern world, attackers are going to surpass defenses at some point, especially now the idea of a network perimeter has disappeared. That’s not to say that security should be de-prioritized, rather organizations need to find a balance between the need for protecting mission-critical systems and data with enabling talent to do their work in a way that generates contentment, productivity and loyalty.
The new security question is: how do you defend against them and mitigate risk? The answer is, by adopting a philosophy of Zero Trust, in which every transaction between user, application, service and network must be verified. Security is built into every element that makes up a corporation’s systems, and so every transaction must prove that it is trustworthy. It doesn’t matter whether an employee is sat two doors down from the CEO at HQ, on a beach, or somewhere in between, their actions will always need to be validated. With a Zero Trust-based security, physical location is no longer a direct indicator of security – each transaction is verified, irrespective of where it originates from. The need for better cyber defense can, therefore, no longer be used as an excuse to not deploy a more decentralized working model.
The four levers to securing the remote workforce
These levers are:
1. Culture – Essentially, the education and understanding of what good security practice looks like in a business. Without cultural change, a Zero Trust posture will not work. The nature of a decentralized business is that the boundaries between functions are disappearing. IT must consider what’s in people’s contracts and how new staff are on-boarded, and legal want to understand the ramifications of users working from anywhere - and they all need to understand how security fits in to it all.
2. Automated management – When deployed, Zero Trust won’t even be noticeable to users as the validation happens within the apps and services conducting the data transactions. But to make sure it works properly, the organization must define the right policies. In a Zero Trust world, policies are increasingly applied on a case-by-case basis, while artificial intelligence helps constantly review and improve policies. This increases the granularity without compromising the speed of the transaction, and therefore contributing to a better user experience for validated remote workers as they fit the profile required for access.
3. Future-proofed connectivity –The continuing adoption of 5G networks, and future roll out of 6G, means networks will be carrying huge amounts of data with an growing number of transactions needing to be validated. The networks are becoming harder to secure, no longer bound by physical landlines. Into this comes Secure Access Service Edge (SASE), which protects users, devices and data using both legacy and cloud networks. This means that no matter where an employee is, and on what network they’re using, they can be authenticated and protected.
4. Mindset change – The reality of cyber security has transformed – it’s now a case of when breaches will happen, not if. This means having the capabilities to detect breaches in real time and then respond rapidly and decisively to mitigate any resulting impact. With an increasing number of stakeholders (whether regulator, investor, internal management, or customer) having limited tolerance for organizations with a lax security stance and the right response plans in place is absolutely core to the new model.
The good news: Zero Trust is already here
This isn’t about applying new types of security to these new approaches; the move towards Zero Trust would be happening whether work was becoming more decentralized or not. Hybrid working is just one aspect of life that is dispersing and the boundaries are blurring. It brings with it security challenges, but are these really that far removed from the challenges of securing multi-cloud environments, or dealing with increasingly sophisticated attacks? Businesses that want to exist in five years’ time need to embrace the decentralized organization, which means they need security that follows the same pattern.