For most organizations, COVID-19 has been a literal transformative agent. Our organizations have almost overnight gone from environments where teleworking was an exception, to where it’s the norm.
We’ve gone from selective, partial externalization of key services, to near-total externalization. We’ve shifted from BYOD being accepted — though perhaps grudgingly — to where it’s a key part of keeping the business operational. In short, remote work is the new normal.
As any student of human nature will tell you, people tend to view “the new” with reservation. There’s a temptation when things are new to assume the worst about them. For security pros, this means we often view new things as riskier than things we’re familiar with.
For those who have been in the industry for a few years, recall the concerns many security pros had when cloud technologies were first gaining traction. Or, before that, when OS virtualization was first making inroads into datacenters.
Cyber Risks and Rewards
This is not to say that there aren’t risks — just that when something is new, we tend to expand the risks in our minds. Over time, while recognizing new risks, we realize that changes can lead to improvements.
For example, in the early days of virtualization, risk areas seemed quite pronounced: we worried about virtual machine escape, segmentation attacks, mobility of workloads, etc. Over time, we learned that while these risks are real, so too are opportunities for beneficial impacts. For instance, using snapshots to aid patching efforts, using orchestration to help automate policy enforcement, and leveraging clones for security testing, i.e. letting us test more thoroughly without disrupting production.
The point is, it’s the rare event or technology that is entirely downside or upside from a security point of view. All of this may seem obvious, but I’m bringing it up because there has been significant attention paid in the trade press about ways remote access negatively impacts security. This view is not necessarily false. There absolutely can be ways an externalized workforce can exacerbate unwanted security outcomes. That said, there are potential upsides too — ways to harness the remote work to, over the long term, improve security posture.
Let’s consider first traditional VPN, e.g. IPsec VPN. In the early days of COVID, many organizations realized that there was a key difference between a few “road warriors” accessing internal resources via traditional VPN and the entirety of a large workforce doing so simultaneously.
For many organizations, VPN solutions collapsed under the usage scale. In response, organizations have needed either to rearchitect how these solutions are deployed or constrain usage such that only a subset of the workforce can access them.
In some cases, even when resources like messaging, email, and collaboration tools could be accessed by end users directly via the cloud, namely via the public Internet, organizations still required users to connect to them via a traditional VPN. In many situations, this was for security reasons; such as to allow accesses to be logged and to minimize opportunities for data leakage outside the perimeter.
As a practical reality though, these approaches have proven infeasible given the sheer volume of traffic any sizable workforce will generate. This has caused those organizations to open new access paths to allow users to consume those cloud services directly.
These outcomes can be beneficial from a security point of view. In situations where a legacy VPN was being used as a security mechanism for cloud access, organizations have needed to instead rely more heavily on cloud-based solutions to achieve the same ends.
For example, by moving logging and policy enforcement points from inside the network to the cloud service. This can be advantageous from a security perspective since it helps the organization centralize log information and employ tools that are more integrated into the cloud service.
In situations where VPN access was “gating” access to security-relevant functionality, such as patch deployment or AV updates, organizations have had to move to a model where those patches can be deployed to end users without VPN access, thereby potentially increasing the alacrity with which they can be installed for remote users.
BYOD has brought about a situation where containment of data is a must. After all, many in our workforce do not have access to firm-provisioned laptops or mobile devices. This means that to keep the organization functioning we’ve had to allow BYOD access in situations where we would not have done so in the past. This has created a situation where we have to focus not on gating access to data from devices that we might not trust to the same degree as internally-provisioned endpoints, but instead to make sure that we do two things:
- Authenticate user access to the data, instead of focusing solely on the device.
- Limit opportunities for the data to migrate to, and live on, the untrusted device in the first place.
Over the long term, this attention to how to constrain data — where it can be used, where and how it can be stored, etc. — ultimately can work to improve posture overall.
BYOD users won’t be going away after COVID is gone. By taking a “data-centric” view now, we can use our time to build better strategies for normative access once our offices open back up. This might encourage us to adopt a more “zero trust” approach where we focus on making sure access to data is appropriate — and containing where and how that data can flow.
This final observation is probably as obvious as it can get, but for many organizations we’re living in what is essentially a months-long, extended business continuity test. Meaning, we’ve had to figure out how to conduct business without ongoing access for many employees to our primary locations and facilities.
Almost without exception, there will be things you’ve learned about your own preparedness that can make their way back into your business continuity and/or disaster recovery planning. Don’t underestimate the utility of integrating these lessons into your documented plans while they’re still fresh in your mind.