Hybrid Working is Changing How We Think About Security
By Prakash Mana, CEO, Cloudbrink
Security will continue to head the list of priorities for CISOs in 2024, but how we secure our enterprises will need rethinking in the face of the workplace revolution.
No, this isn’t another article about AI, but about the hybrid workplace.
The pandemic didn’t create hybrid working, but it massively accelerated trends that were already in play turning what had been a steady movement into a revolution. The IT firefighting that started in 2020 to cope with the exodus of office users may have ceased as the Covid crisis becomes a fading memory, but the issues haven’t gone away. The first 100% digital workforce of GenZ’s and millennials continue to demand a certain level of workplace freedom.
Around half the white-collar workforce now works away from corporate offices for at least two days a week. This has profound implications for IT:
- Remote users are harder and more expensive to manage and support than office-based staff
- IT no longer controls where and how users connect to enterprise applications – making it harder than ever to impose a security perimeter
- While out-of-office work has increased exponentially, security and networking teams have expanded incrementally, if at all. Their workload has risen accordingly, as has mean time to resolution of issues
- The nature of security threats and the tactics needed to address them are changing.
Security is only half the picture. Exclusively focusing on security can obscure what IT is there to do, which is to improve the productivity of staff, the experience of users and customers, and the profitability of the enterprise.
Ensuring the security of your organization should not come at the cost of a subpar IT experience or hinder your users’ ability to perform as well as with their office-bound peers.
Cloudbrink believes that maintaining security and quality of experience in all corners of the hybrid workplace is one of the major challenges facing enterprises in 2024.
While most of the attention is on the security challenges, users connecting to the enterprise via Wi-Fi, 4G/5G and consumer grade broadband face numerous network reliability and performance issues that can severely compromise user experience and productivity. Unresolved connectivity problems can undermine morale, jeopardize employee retention, diminish customer service quality, and ultimately threaten security as users seek alternative solutions to bypass difficult IT systems.
Don’t take our word for it. Last year the analyst firm Enterprise Management Associates (EMA) polled 354 IT pros including CIOs, CISOs, and networking and security teams.
The research concluded that:
- Less than a third of enterprises (32%) believe they have fully succeeded in providing parity of experience to users in and out of the office.
- The siloed structure of IT organizations results in security and networking teams each following their own agenda. Security is usually the higher priority with security teams typically taking a lead role in shaping how remote users connect to the enterprise.
- Respondents typically saw security and performance as a trade-off: you can have one or the other, but not both. 46% admitted that they prioritize security over performance while only 34% try to optimize both.
- Most of the solutions deployed for secure application access, including VPN, ZTNA, SD-WAN and SASE incurred performance and other overheads. For instance, SD-WAN solutions for home users typically involve uprated network connections and – in nearly three-quarters of cases – hardware rollouts.
- VPN was the most used solution, deployed by 61% of enterprises, but considered optimal by only 46%.
One of our customers, a Fortune 100 entertainment and media company, illustrates the security/productivity dilemma. During lockdown and with most of its developers working remotely, the company was racing to meet a deadline for the launch of a consumer product.
Remote developers were only able to perform one or two code check-ins involving very large file transfers a day, compared with four or five for office-based staff. As the risk of missing the project deadline increased, the company even considered turning off security to improve connection speeds. We were able to solve the problem before the customer had to take such drastic action. No CISO would wish to face a similar choice.
Another big challenge for IT in the era of the hybrid workplace is that you don’t just need to secure two locations but all locations. Work from home is increasingly becoming a misnomer. Users will spend some time in the office, some at home, some on the road, some in a hotel, a coffee shop, a weekend retreat… A better term is work from anywhere (WFA), which means you need security (and performance) everywhere.
The revolution is being driven not just by once-in-a-generation events such as global pandemics, but by the expectations of a changing workforce. WFA will challenge existing security practices. It no longer makes sense, for example, to rely on flagging anomalous access patterns when the pattern is constantly changing.
It used to be that a typical user went home to the same location every day and logged in at about the same time for email or access to an internal service. If the same user logged in from Cambodia at 2am, you would block the connection.
Like users, enterprise services are also moving at unprecedented pace, moving out of traditional data centers to the cloud and to the edge. According to the EMA study, 83% of enterprises are moving applications edge-ward in the hope of resolving latency issues. Any performance benefits depend on how they add security into the mix. If traffic is still backhauled to the cloud or the enterprise data center for inspection, those gains will be lost.
This is another illustration of why the hybrid workplace demands an architectural rethink away from centralized networking and security architectures and towards cloud- and edge-native architecture. It will mean a shift from traditional gateway-based approaches to dark networks and automated moving target defense security (AMTD).
According to Gartner, AMTD is an evolution of MTD, which is based on the basic premise that ‘a moving target is harder to attack than a stationary one’. It involves the use of strategies for orchestrating movement or changes in various IT environment components and layers, across the attack surface, to increase uncertainty and complexity within a target system.”
In a world where the workforce is constantly on the move, AMTD is a more satisfying concept than the old-fashioned notion of a secure perimeter. While AMTD is an aspiration rather than a reality for most enterprises, elements of it are already available.
For example, the Cloudbrink service uses transient points of presence (PoPs) called FAST edges, which are spun up on demand and spun down at the end of a session. Unlike ZTNA services that rely on dedicated physical PoPs, this means there are no permanent IP addresses to attack.
Cloudbrink further shrinks the attack surface by sending traffic over multiple routes. Users of the service are connected to three FAST edges and the routes taken by traffic change each time they use that application. With no fixed route and no fixed network provider, potential attackers will struggle to find a target.
The third element in the defensive armory is short-life security certificates. Administering security certificates is an operational headache – one reason why many vendors leave them in place for anything from six months to 10 years. Cloudbrink implements mutual Transport Layer Security (TLS) 1.3 with certificates that are refreshed after only eight hours. In the unlikely event an attacker gains access to the user’s account or device, it means they only have a brief window of opportunity to make mischief.
Lastly, while everyone is focused on remote users, perhaps the most important (and most ignored) aspect of hybrid work is that the same users will be in the office two to three days a week.
If a user was on a compromised network when they were traveling, you now have that user/device on your network. Now multiply that problem by tens of thousands of users and devices.
Just because an employee carries a badge, it doesn’t mean you should give them unaudited access to your internal network.
So, hybrid work is going to require a change of mindset that not only affects the view of external networks but internal ones too. You might think of the in-office network as a giant coffee shop network which delivers the same levels of security control as if the user were accessing your systems from an external network.
What else needs to change?
We believe that as more users become hybrid workers, it will no longer be acceptable to offer a different in-office and work-from-anywhere experience. Security will always be a top priority, but CIOs will not accept it as a valid excuse for suboptimal user experience. They won’t settle for security at the expense of performance. They will demand both.
About the Author:
Prakash brings over 25 years of experience across the cloud, networking, security and infrastructure markets in building and delivering market-defining networking and security products. As co-founder and CEO of Cloudbrink, Prakash combines his business acumen and in-depth technical expertise to lead this powerful innovation to the market. Previously, Prakash was CPO and CTO at Pulse Secure. In that role, he was responsible for delivering the company’s vision, defining strategy and roadmap, and operationalizing different go-to-market motions. Prior to that, Prakash was responsible for Citrix’s NetScaler security gateway business. He holds a BE and MS in electrical engineering and an MBA from Carnegie Mellon.
Cloudbrink provides hybrid access as a service (HAaaS) for secure, high-performance access to SaaS, cloud and private cloud applications. The software-only zero-trust access solution includes firewall as-a-service, which takes granular security controls all the way to the user edge for comprehensive protection of users and endpoint devices. Cloudbrink uses AI/ML and a global network of virtual PoPs to overcome network reliability issues and provide ultra-low-latency connectivity. The company claims its service improves the performance of applications over unreliable internet connections by 30x or more even when fully secured.
Prakash can be reached online on his LinkedIn and via the company website at https://cloudbrink.com/
