By Sean Duca, Regional CSO, JAPAC
In the early spring of 2020, as the world shifted to work remotely, security models used by many organizations were put to the test.
Remote work was not a new thing, but never before had it been needed at the same scale and urgency. While many organizations used to have some employees working remotely, few were ready for everyone to be remote. The big question facing all organizations was how to maintain business continuity.
Falling back on using VPN to enable secure remote connectivity worked in some instances. Few were lucky and ordered additional licensing, but many were not, as compute infrastructure could not meet such an increased workload. For the many, it was too late to make any significant changes, so they had to ride the storm, work within the constraints of what they had, and plan for a refresh of technology at the first given moment of respite. With scalability being a significant challenge around VPNs, the bigger issue is that many applications used in organizations today reside in the public cloud or are SaaS applications. Perhaps due to these shortcomings, in recent months, an increasing number of organizations have started to examine different ways of enabling secure connectivity out to the edge and the cloud.
Yesterday’s Security Model Isn’t Right for Tomorrow
In the past, secure remote connectivity was fixed and finite. Organizations would typically allow only a certain number of people to connect to the VPN appliances, restricted by licenses. Those remote connections were also fixed, but the applications were set in terms of their location.
Things move far too rapidly to have fixed resources in place in the modern world, and no one knows what tomorrow holds. As a result, flexibility will reign wherever people work, whether in the office, at home, or anywhere in between, for the foreseeable future.
Applications are also on the move. Gone are the days when most of an enterprise’s applications reside entirely within the four walls of its own data center. Instead, applications and data today reside everywhere: on-premises, in the cloud, and at the edge. As a result, a single enterprise perimeter no longer exists.
Securing the Pervasive Perimeter
If the enterprise uses 25 different SaaS-based applications, the enterprise needs to secure each of those tiny data islands out there. Every application and data source needs to be secured. The enterprise must have visibility into how every user is accessing resources, whether they are in the office or remote.
For me, the whole work-from-anywhere model in the hybrid workplace that we have now got comes down to two key things: the need to secure user access and to provide users with what they require to connect to whatever resources are necessary. The remote connectivity needs to be as secure as if the user was sitting in the corporate office. They need to consume everything the same way, at that same level of security.
Inside the four walls of the enterprise, there are typically various security solutions protecting users. That is part of the reason the notion of just having a VPN for providing connectivity to enable remote work falls short. Instead, enterprises must have a degree of inspection and a level of security rigor to minimize the risk that organizations face every day.
Get Out of the Shadow (IT)
To be fair, all the controls that enterprise IT placed on users didn’t always work either. For example, a common challenge with centrally secured IT resources is the issue of shadow IT, where users would go around their IT departments if they couldn’t get the resources they needed.
As we’re thinking about the security models of tomorrow, it’s an opportunity to try and step out of the shadows. Now is the moment to work closely with our users to determine which applications they use and want—ones that will make them more productive—by leaning in, talking to users, and soliciting as much feedback as we can. Why? Because sometimes, we don’t know all the answers until we ask.
Shadow IT was always about productivity. Embracing a security model that supports the way users want to work, with the applications they need, will let them do their jobs better.
Survive. Thrive. Optimize.
The first phase of enabling remote work in the face of the pandemic was just about survival and making sure work could continue. The second phase was all about making the best of the situation and attempting to thrive. Now it’s time to optimize and build out the security model of tomorrow for work from anywhere to reality.
Providing a secure model for hybrid work requires agility, and it demands scalability. Gone are the days when security and remote work was only enabled by boxes and fixed licenses that limited the ability of organizations to support hybrid work properly.
What is needed is an always-on model that is cloud-delivered, available on-premises and at the edge. In addition, it is a model that should scale up in terms of resources and capabilities as needed
The secure access service edge (SASE) approach is a great model for enabling hybrid work with software-enabled paths. Layering in Zero Trust with SASE helps protect the pervasive perimeter and the various silos of applications and data that users access every day.
It is unknown what the world of tomorrow will be. Who knows what it will throw at us, but we know that there is a need to be nimble and agile. Security needs to be flexible and elastic to wrap around users’ needs, wherever they are, and no matter how they access applications.
Learn more about maintaining a secure hybrid workforce with a holistic cybersecurity platform.
About Sean Duca:
Sean is vice president and regional chief security officer for Asia Pacific and Japan at Palo Alto Networks. In this role, Sean spearheads the development of thought leadership, threat intelligence and security best practices for the cybersecurity community and business executives. With more than 20 years of experience in the IT and security industry, he acts as a trusted advisor to organizations across the region and helping them improve their security postures and align security strategically with business initiatives.
Prior to joining Palo Alto Networks, he spent 15 years in a variety of roles at Intel Security (McAfee), with his last position as the Chief Technology Officer for Asia Pacific. Before this, Sean was involved in software development, technical support and consulting services for a range of Internet security solutions.