Redefining “Normal”: Building a Resilient Cybersecurity Architecture in the Remote Worker Era
“Shelter in place” orders brought on a new set of challenges and lessons learned for IT teams. As we move forward, let’s make sure we’re not taking shortcuts and are making informed decisions to be better equipped for business continuity, should the need arise again.
“Out of adversity comes opportunity.” - Benjamin Franklin
COVID-19 has been a force to be reckoned with. That’s not just because of the number of people infected, the lack of treatment available or the cost to the global economy, but also because COVID-19 has compelled us to challenge “normal.”
Until recently, business continuity planning for many enterprises mostly entailed simulations of a few sites, WAN links or a couple of data centers going down. Unfortunately, most enterprises were not ready to deal with something on the scale of COVID-19. We’d be kidding ourselves if we believed that there won’t be another situation where we’re pushed outside of our comfort zone.
Today, we have the opportunity to reassess our priorities, processes and investments to create a "new normal," one that allows us to be more agile and resilient than ever before. Below is my list of three challenges that IT needs to solve as we evolve.
The need for speed
Agility is an urgent imperative, not a nice-to-have. Situations such as this one prove it. Unfortunately, this is not how we designed our infrastructure and networks. We made big investments in iron stacks that sat in our data centers for half a dozen years.
It was expected that any increments to that deployment would take months. Today, your infrastructure needs to be elastic — responding to changes in demand in days, ideally minutes. Traditional appliance-based networking and security technologies were simply not designed for this elasticity.
User experience is crucial
Working from home has its efficiencies. Enterprises were already opening up to teleworkers anyway, and the situation we’re in will likely catalyze that change. In addition to working from home, enterprises need to ensure that globe-trotting employees remain productive no matter where they are.
Your employees need the same level of unencumbered access to applications and security at home, at a cafe or at the airport as they have in the office. Here’s the challenge: While traditional VPN is still often required to access internal apps, users will turn off VPN when they experience any issues — sluggish performance or dropped VPN connections — and access the internet and SaaS applications without proper security controls in place. As a result, your users compromise security for user experience.
Danger never sleeps
Cybercriminals are well aware that there are many users working from home who are usually at a branch office behind a corporate security perimeter. You need a security infrastructure that keeps all your users protected against the latest threats, no matter where your users are. All traffic, including encrypted apps, must be inspected. All users, including third-party contractors, must be given just the level of access needed for them to be productive, without opening them up as attack vectors to the rest of the network.
All roads lead to cloud
There’s no doubting the economic and social impact of the COVID-19 outbreak. But it’s important to step back, look at what worked and what didn’t and then repeat the successes. In talking to customers that got through this, I’ve noticed one commonality. Those that were most closely aligned with cloud-native architectures were the quickest to cope and faced minimum disruption.
Alex Phillips, CIO at National Oilwell Varco, mentioned that his organization noticed a 4.5x increase in user connections over a 16-day period, and it fared just fine. It was on the Zscaler cloud-native platform (if you’ve not heard of Zscaler, it offers the world’s largest cloud security platform as a service). This isn’t an isolated incident.
I’ve witnessed many similar stories wherein organizations replaced traditional VPN technologies with Zscaler Private Access to improve application load times and eliminate the need for hardware patching and maintenance.
With apps having moved to the cloud and users wanting to access those apps via the shortest path available — the Internet — there’s no reason that your security infrastructure should be based in the data center. IT has been going through the (necessary) motions — evaluating vendors, running pilot projects, and creating business cases.
Now, however, is the time to drive those projects to completion. Here are five points that I recommend you keep in mind as you rethink your security architecture:
- Every user must be protected by the full security stack no matter where they’re physically located. That said, the experience must be frictionless. For this, each user must be connected to the cloud apps via the shortest path possible.
- Not every user needs access to every application. Give them just the access they need, nothing more. This way, you’re minimizing the opportunity for lateral movement in case a device does get infected. Gartner’s zero trust network access model helps achieve this. Gartner also says, “the secure access service edge (SASE) is an emerging offering combining comprehensive WAN capabilities with comprehensive network security functions (such as SWG, CASB, FWaaS, and ZTNA) to support the dynamic secure access needs of digital enterprises.”
- Threats are increasingly hidden within TLS-encrypted traffic. Hence, all TLS traffic must be inspected. But if your security appliances bottleneck performance as encrypted traffic continues to increase, you’ll have a lot of unhappy users.
- Shipping, configuring, deploying and troubleshooting appliances are a thing of the past. If it takes anything more than lightweight software installation to get your remote users securely connected, you’re looking in the wrong direction.
- No one vendor does it all. But they should all work together seamlessly. For instance, your SD-WAN vendor must be able to automate tunnels into your cloud security provider, who must allow conditional access to devices depending on whether the endpoints are secured. You get the point — for you to be truly agile, your infrastructure must be elastic but everything must also work together so your life remains easy.
The impacts of COVID-19 aren't entirely in our control. However, what we learn as a result of it is fully in our control. As you rethink your security architecture, the WWT team and our trusted partners, such as Zscaler, are here to help.
WWT is a Zscaler partner that uses a proven and innovative approach to help our customers discover, evaluate, architect and implement a secure cloud transformation with SASE. We take a holistic approach to security rather than focusing on point solutions and adding another tool. This helps us align business goals and objectives to technical solutions, providing more effective outcomes and solutions that further the development of an enterprise architecture.
Learn more about how we can integrate and deploy Zscaler solutions to help you reduce vulnerabilities, which can set the stage for future innovation. Request a workshop to start the conversation today.