Shaping a secure future for the Distributed Enterprise

What have we learned over the last 2 years?

In early 2020, organisations across the world were suddenly forced into the bold experiment of operating their businesses fully remotely. Companies large and small sent workforces home from their well-established offices to work from home, whatever that looked like.

For many larger organisations the infrastructure already existed, but it was rarely configured or scaled to support all staff. Internal applications suddenly became inaccessible without VPNs. Multi-factor authentication, previously limited to certain scenarios, was now a must-have for everyone, requiring implementation, training and support. And ‘Zoom’ became a verb!

It’s not likely to change, either. A survey by Bendelta earlier this year found that 70% of staff want to work in the office no more than 2 days a week; however, it also found that 60% are doing more than 40 hours a week. Productivity in the distributed enterprise continues, as most organisations can attest.

An additional problem was sourcing laptops and peripherals for staff to use at home. While a lot of organisations had already started going down the path of laptops-for-everyone, not all had, and supply-chain constraints meant that it was difficult to get all the devices required.

Another cause for concern was Health and Safety, with many team members not having home offices fit for long-term working. We all saw images of people working from desks jammed into bedrooms, Zoom calls with the laptop on the ironing board, and of course the challenge of households with perhaps 2 or 3 people working plus school-age children to home-school.

But what of security?

Security departments have been considering and preparing for a distributed enterprise for many years. The concept of the dissolving perimeter has been a constant topic of discussion in cyber circles, as information moves out of the data centres and into the cloud, onto laptops, and of course onto the ubiquitous mobile phone. However, a fully distributed organisation, executed in a, well, panic, is a different matter.

Part of the problem is that for many staff, connecting to the office via a VPN might not be necessary. The migration of many companies, large and small, to online services such as Microsoft 365 or Google Workspace has meant that email, file sharing, collaboration and other ‘office’ functions are now available directly on the internet. No need to VPN! Add to that that expense management, HRIS and even recruitment are all now predominantly online and directly addressable.

This is a challenge, because most support for remote work has always assumed that people would be in the office a few days a week, and so for many organisations critical security tasks like software updates, security patches etc. were performed onsite. A staff member who was working from home or on the road for a few days would plug in and their laptop would download all the required updates. The problem is that when staff are not coming in for months on end, their devices can end up seriously vulnerable unless they connect via VPN.

What’s more, if they are connecting directly to the Internet, they don’t have the benefit of all those protections that IT departments have crafted and tuned over the years to prevent compromises of internal systems: firewalls, web filters, inline anti-virus detection. Chances are there are none of these on the home wifi! Let’s take the example of a ride-sharing company that suffered the fate of an executive’s home network being compromised, a valuable but very painful learning experience. Are we comfortable that the information stored on the laptops of home users is secure in a long-term home-working scenario?

KnowBe4, the security training company, looked at shadow IT, which is probably now easier to access and use than it was when everyone was in the office (and perhaps more useful?). They found that in Australia 32% of staff used at least one non-corporate product to do their work, and in most cases these were file apps such as Dropbox, Box.com etc.

For those that do need to VPN, either to access an internal application or to support an internal system, authentication becomes critical. Most people know that multi-factor authentication should be a baseline requirement for any internet-accessible system. But what if you have several hundred staff who’ve never installed an authenticator app, let alone set up their profile via a QR code? At least one organisation decided that, to ‘keep people working’, they’d disable MFA temporarily, and they were promptly compromised using the simple username/password that was now all that was required. More hard lessons learned.

Knowing what we know now, what are we to do?

It’s time for a paradigm shift in the way that we consider security, so that we can meet the requirements of the distributed enterprise. Cybersecurity professionals have a really important role to play now: we can enable and support the cultural shift that’s taking place, and in doing so ensure that both staff and management can operate the organisation in a way that’s both secure and flexible.

To do this we need to consider carefully what’s important. We do information security, so let’s start at the beginning: the information. Do we know where it is? Do we know who has access to it? Do we know what devices can connect to it? Starting to sound familiar? I hope so.

This might be the time when the much-lauded Zero Trust concepts really come into their own. Let’s start thinking about how we protect information by moving security somewhere everyone can get to it and be protected by it: the cloud. Let’s figure out ways to authenticate users with strong multi-factor tools (hardware keys, anyone?). Let’s make device posture mean something, by testing a device’s state, configuration and connection before we let it connect, and when we do let it connect, let’s make sure that it’s using a path that we approve of. And if a device can’t meet one of these requirements, let’s figure out a way to allow people to still do their jobs, but with access constrained so we are protecting our information.
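The access decision sketched above (strong MFA, device posture, approved path, and constrained rather than blocked access when a check fails) can be expressed as a small policy evaluator. This is an added illustration, not code from the article or from any product; the attribute names, the 30-day patch threshold and the three access tiers are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed threshold: a device that has not applied security updates
# for longer than this is treated as having stale patches.
MAX_PATCH_AGE = timedelta(days=30)
APPROVED_PATHS = {"corporate_vpn", "zero_trust_broker"}  # assumed labels


@dataclass
class AccessContext:
    user: str
    mfa: str              # "hardware_key", "authenticator_app" or "none"
    last_patched: date    # date the device last applied security updates
    disk_encrypted: bool
    path: str             # how the device reaches the service
    data_class: str       # "public", "internal" or "confidential"


def device_posture(ctx: AccessContext, today: date) -> list[str]:
    """Return the posture findings that count against the device."""
    findings = []
    if today - ctx.last_patched > MAX_PATCH_AGE:
        findings.append("stale_patches")
    if not ctx.disk_encrypted:
        findings.append("no_disk_encryption")
    return findings


def evaluate(ctx: AccessContext, today: date) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is 'full', 'constrained' or 'deny'.

    'constrained' stands for a reduced mode (e.g. browser-only, no download
    or local sync) so the person can keep working while the data stays put.
    """
    if ctx.mfa == "none":          # MFA is the baseline, never waived
        return "deny", ["mfa_required"]
    reasons = device_posture(ctx, today)
    if ctx.path not in APPROVED_PATHS:
        reasons.append("unapproved_path")
    if ctx.data_class == "confidential" and ctx.mfa != "hardware_key":
        reasons.append("phishing_resistant_mfa_required")
    if not reasons:
        return "full", []
    # A device months behind on patches gets no confidential data at all.
    if ctx.data_class == "confidential" and "stale_patches" in reasons:
        return "deny", reasons
    return "constrained", reasons
```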

It's a lot to ask, but to be fair I didn’t say it would be easy! Solutions do exist, but if we’re in this for the long haul we need to spend the time working out what works for us and our organisations. We need products built on solid foundations that will be around to support our teams and enable us to manage, monitor and tune the way that we protect our data. If we can do this, then we might even end up in a far stronger position than we were pre-pandemic, and that wouldn’t be a bad outcome at all!

What's your organisation doing to prepare for, and support, the Distributed Enterprise? Are you as a security professional ahead of this curve? Let me know in the comments, I'd love to hear about your experiences!

Great article Brendan. A key platform for future distributed working out of the office


More articles by Brendan Smith, GAICD
