By Sean Duca, Regional CSO, JAPAC\n\nIn the early spring of 2020, as the world shifted to work remotely, security models used by many organizations were put to the test.\n\nRemote work was not a new thing, but never before had it been needed at the same scale and urgency. While many organizations used to have some employees working remotely, few were ready for everyone to be remote. The big question facing all organizations was how to maintain business continuity.\n\nFalling back on using VPN to enable secure remote connectivity worked in some instances. Few were lucky and ordered additional licensing, but many were not, as compute infrastructure could not meet such an increased workload. For the many, it was too late to make any significant changes, so they had to ride the storm, work within the constraints of what they had, and plan for a refresh of technology at the first given moment of respite. With scalability being a significant challenge around VPNs, the bigger issue is that many applications used in organizations today reside in the public cloud or are SaaS applications. Perhaps due to these shortcomings, in recent months, an increasing number of organizations have started to examine different ways of enabling secure connectivity out to the edge and the cloud.\n\nYesterday\u2019s Security Model Isn\u2019t Right for Tomorrow\n\nIn the past, secure remote connectivity was fixed and finite. Organizations would typically allow only a certain number of people to connect to the VPN appliances, restricted by licenses. Those remote connections were also fixed, but the applications were set in terms of their location.\n\nThings move far too rapidly to have fixed resources in place in the modern world, and no one knows what tomorrow holds. As a result, flexibility will reign wherever people work, whether in the office, at home, or anywhere in between, for the foreseeable future.\n\nApplications are also on the move. Gone are the days when most of an enterprise\u2019s applications reside entirely within the four walls of its own data center. Instead, applications and data today reside everywhere: on-premises, in the cloud, and at the edge. As a result, a single enterprise perimeter no longer exists.\n\nSecuring the Pervasive Perimeter\n\nIf the enterprise uses 25 different SaaS-based applications, the enterprise needs to secure each of those tiny data islands out there. Every application and data source needs to be secured. The enterprise must have visibility into how every user is accessing resources, whether they are in the office or remote.\n\nFor me, the whole work-from-anywhere model in the hybrid workplace that we have now got comes down to two key things: the need to secure user access and to provide users with what they require to connect to whatever resources are necessary. The remote connectivity needs to be as secure as if the user was sitting in the corporate office. They need to consume everything the same way, at that same level of security.\n\nInside the four walls of the enterprise, there are typically various security solutions protecting users. That is part of the reason the notion of just having a VPN for providing connectivity to enable remote work falls short. Instead, enterprises must have a degree of inspection and a level of security rigor to minimize the risk that organizations face every day.\n\nGet Out of the Shadow (IT)\n\nTo be fair, all the controls that enterprise IT placed on users didn\u2019t always work either. For example, a common challenge with centrally secured IT resources is the issue of shadow IT, where users would go around their IT departments if they couldn\u2019t get the resources they needed.\n\nAs we\u2019re thinking about the security models of tomorrow, it\u2019s an opportunity to try and step out of the shadows. Now is the moment to work closely with our users to determine which applications they use and want\u2014ones that will make them more productive\u2014by leaning in, talking to users, and soliciting as much feedback as we can. Why? Because sometimes, we don\u2019t know all the answers until we ask.\n\nShadow IT was always about productivity. Embracing a security model that supports the way users want to work, with the applications they need, will let them do their jobs better.\n\nSurvive. Thrive. Optimize.\n\nThe first phase of enabling remote work in the face of the pandemic was just about survival and making sure work could continue. The second phase was all about making the best of the situation and attempting to thrive. Now it\u2019s time to optimize and build out the security model of tomorrow for work from anywhere to reality.\n\nProviding a secure model for hybrid work requires agility, and it demands scalability. Gone are the days when security and remote work was only enabled by boxes and fixed licenses that limited the ability of organizations to support hybrid work properly.\n\nWhat is needed is an always-on model that is cloud-delivered, available on-premises and at the edge. In addition, it is a model that should scale up in terms of resources and capabilities as needed\n\nThe secure access service edge (SASE) approach is a great model for enabling hybrid work with software-enabled paths. Layering in Zero Trust with SASE helps protect the pervasive perimeter and the various silos of applications and data that users access every day.\n\nIt is unknown what the world of tomorrow will be. Who knows what it will throw at us, but we know that there is a need to be nimble and agile. Security needs to be flexible and elastic to wrap around users\u2019 needs, wherever they are, and no matter how they access applications.\n\nLearn more about maintaining a secure hybrid workforce with a holistic cybersecurity platform.\n\n About Sean Duca:\n\nSean is vice president and regional chief security officer for Asia Pacific and Japan at Palo Alto Networks. In this role, Sean spearheads the development of thought leadership, threat intelligence and security best practices for the cybersecurity community and business executives. With more than 20 years of experience in the IT and security industry, he acts as a trusted advisor to organizations across the region and helping them improve their security postures and align security strategically with business initiatives.Prior to joining Palo Alto Networks, he spent 15 years in a variety of roles at Intel Security (McAfee), with his last position as the Chief Technology Officer for Asia Pacific. Before this, Sean was involved in software development, technical support and consulting services for a range of Internet security solutions.