As they reopen physical spaces after more than a year of managing all-remote work environments, many businesses are shifting to hybrid scenarios. Will this mix of remote and onsite work require organizations to re-examine their security postures again, just as the sudden change to remote work did?
Yes, argues Fleming Shi, CTO of Barracuda Networks, a security solutions provider. In a conversation with BizTech, Shi says businesses must think holistically about application access for employees, wherever they’re logging in from.
BIZTECH: From a security perspective, what do businesses need to know as they shift to hybrid work environments?
Shi: The adoption of Software as a Service was happening quickly already, but the pandemic accelerated it. In the past, you could do things through an intranet, or a closed environment. Now you have to do everything through the internet, and that means utilizing new skills.
Security is definitely going to have to adjust to that. You have to support work from the office and from home, and you have to support work from remote places other than the home.
REGISTER: Learn more about how empowering hybrid work can help your organization gain a competitive edge with the weekly CDW Tech Talk series. Click the banner below to register.
BIZTECH: Many businesses have been fully remote for many months. What will change as they shift to hybrid?
Shi: The biggest challenge at many organizations is related to zero trust and endpoint management. When you go to a hybrid scenario, there will need to be more emphasis on mobile device management.
The use case for MDM is stronger in a hybrid environment because it’s about managing devices and checking the security posture of those devices before they can enter the network, regardless of whether they are on-premises or remote.
That’s what we have evolved to with zero trust. I wouldn’t even call it network access anymore; it’s really application access, because employees often don’t need access to the entire infrastructure to do their work. In today’s world, because of SaaS, you don’t necessarily want people to have a virtual private network. The adjustment in going from VPNs to a zero-trust access approach is where a lot of the gaps are.
BIZTECH: Is it fair to say that what businesses need to do to get ready for hybrid work environments are things they should have already done?
Shi: In the days after the pandemic began, there was a big scramble, and businesses did what they needed to do. But now we have a lot of access components that people are having to address.
After scrambling to get everyone productive, some businesses added some security. But if you look at what we have to do next, we really have to get organized and thorough when it comes to how we deliver access to our distributed workforces.
BIZTECH: Are businesses ready to do that?
Shi: Unfortunately, I don’t think most businesses are. Some of that is due to a lack of internal talent and resources to actually run a successful security operation. The small and midsized companies really have to rely on managed security service providers to get the job done.
Larger organizations probably have a security operations team in-house, and they just need to get organized and understand where the business is going in terms of the distribution of the workforce and the application infrastructure. Instead of paying millions of dollars in ransom every time you get hit, use that money to implement the right solution and put the guards in place.
BIZTECH: Budgets are an issue. How do businesses decide what’s truly necessary?
Shi: Start with risk assessment for your data. What kind of data do you hold for your customers? If you’re hit by a ransomware attack, can you say, “I’m not going to pay”? What do you have to do to be able to say that? Work backward. That means you have to get really good at not only backing up your data but also practicing recovery and encrypting your data so bad guys can’t get access to it and extort you.
As employees have more access to SaaS applications, part of the risk assessment is making sure you understand your data — where it lives and how it’s being transmitted between your employees and business partners.
It’s critical to understand what kind of data you have, how it’s being used and how it’s being handled. As companies move from remote work to hybrid work, there could be different angles to it that they aren’t aware of.
Then, once you know that your business really is vulnerable if you don’t take care of your data, examine what your workforce looks like. Most companies will have some hybrid work. Because of that, you have to understand your security posture.
Do you have the right security for a public cloud environment? Do you have the same thing for your endpoints in employees’ homes? Who has access to what? Can you get away with giving people minimal access to applications instead of to the full infrastructure through a VPN? In fact, if you can do away with the VPN without hurting employee productivity, that might be the outcome you want.
BIZTECH: What about employees themselves? Do companies need new policies for hybrid work, and if so, what kind?
Shi: If employees are in any way touching the infrastructure, you have to have a higher standard. The device you use for work has to be monitored, constantly, because if the device has a vulnerability that’s not patched, attackers will have a field day with it.
It’s really about setting priorities, understanding the risks and getting employees to provide data to monitor whatever they’re doing. For example, if you’re committing a piece of code into an application, and you use a third-party library, is that library secure?
BIZTECH: How does secure access service edge come into play in hybrid work environments?
Shi: Access is the main part of it. If you think about SASE, you have a software-defined WAN sitting on top of the internet, where you have a connection. On top the connection, you have application awareness. On top of the application awareness, you have security applied, and that reaches into the employee’s home, which is now part of the network.
That’s why the endpoint becomes important. You have to measure the security posture of each device. You could have a device that’s completely behind on security patches, and that device should not have access.
People think VPNs are secure. VPNs are not secure; they’re just a way to connect. If the VPN is allowing access to a device that’s sitting at home, that could be a risk. You may have a smart device that’s not very secure, and that could be opening the door for a bad guy to get in.
And from there, if your device has a VPN connection, if they get into your vulnerable operating system, from there they can “island hop” and move laterally into your work environment. There are just so many more variables in a hybrid environment.