Like bankruptcy, falling asleep, or even falling in love, today’s infrastructure and security pain points develop first gradually, and then all at once.
The coronavirus pandemic accelerated trends that had slowly been changing businesses everywhere, transforming remote work from a perk to a necessity and sending even more of our data, applications, and day-to-day activities into the cloud. Those changes complicated emerging compliance frameworks regulating what information could be stored offsite, who could access it, and how any usage should be tracked.
Although these pain points were exacerbated by COVID-19, they weren’t caused by the pandemic – and they won’t vanish once we’re all vaccinated. These changes are getting baked into the future of work, so it’s incumbent on security and IT leaders to identify key challenges and find best practices to mitigate them.
Here I’ll share some thoughts about today’s critical pain points, how we can address them, and how our choices can help businesses prepare for a post-pandemic workplace.
The most obvious pain point that many organizations are working through is how to manage workforce transformation, specifically when it comes to authenticating and monitoring remote user identities.
This problem has been building for some time. Even before the pandemic, organizations were starting to offer some degree of regular remote work. The U.S. Bureau of Labor Statistics reported that between 2005 and 2015, the number of U.S. telecommuters increased by 115 percent. A 2018 poll found that 70 percent of people around the world worked remotely at least once a week.
Obviously, COVID-19 supercharged this change. I’ve noted that, in some cases, IT and security teams had to launch remote work over the weekend to comply with work-from-home orders.
While security and IT teams have now had more than a year to refine their remote work policies and infrastructure, they’re still dealing with the consequences of this sudden change. Today, we’re still grappling with house-bound employees who are logging in with personal devices on home networks and accessing systems and on-premises resources that weren’t intended for off-premises use. These employees are at home with their families, who are using a mix of professional and personal devices themselves. Many new employees have never set foot in the corporate office and may have had to complete setting up their laptops on their own. All of that can lead to major access challenges for IT teams.
Importantly, it’s not just an organization’s employees that IT and security teams have to manage – they also have to account for customers, vendors, supply chain partners, contractors, and their families who will be working in similar, blended environments. Businesses will need to authenticate these users and provide them with some degree of entitlements as well.
The pandemic didn’t create this challenge. It did, however, make it a new fixture of the workforce of the future. A PwC survey found that a permanent, post-pandemic remote workforce has broad executive support: fewer than 20 percent of executives want to return to the office as it was prior to the pandemic, and 87 percent of executives intend to change their real estate strategy over the next year. McKinsey expects that more than 20 percent of the workforce could continue to work remotely three to five days a week. If remote work took hold at that level, it would mean a three- to four-fold increase in the number of people working from home as compared to before the pandemic.
The result is a major, cross-sector, and permanent shift in how businesses operate. Organizations will have to retrofit their infrastructures to permanently monitor remote and/or hybrid digital identities. That will be a major challenge for many organizations, whose prior access policies likely assumed that most employees would work in the office and on the corporate network most of the time.
Managing workforce transformation is already challenging enough for employees who need to access on-premises resources. It becomes even more difficult if these employees work in regulated sectors, as medical and financial organizations need to track their employees’ identities, access requests, and usage to an even greater degree.
Moreover, because there’s no one set of global standards, IT teams will need to account for many different compliance frameworks that vary based on where an employee is sitting, what information they’re accessing, and what sector they’re working in.
On top of that, as businesses build new infrastructures that can accommodate and monitor permanently remote workers, they must be mindful of how certain regulations affect what personally identifiable information they can record about their own employees. GDPR, CCPA, and other privacy laws predate the pandemic, but like workforce transformation, they’ve become even starker and more commonplace challenges now. Different jurisdictions will have different mandates, and your IT teams will need to account for them all.
Finally, we’re all learning new norms when it comes to remote work. Using compliance to train employees about how to manage sensitive information in the new normal is a good starting point. We also need to account for customers: if I call my physician, then I may not mind if I hear their dog barking, but I don’t want my doctor to read off my medical results if there’s a birthday party going on in the background.
SaaS and cloud
The growth of cloud and SaaS services represents another trend that’s being accelerated and complicated by the coronavirus pandemic, workforce transformation, and emerging compliance regulations.
Managing cloud and SaaS resources will introduce another pain point for IT and security teams. Customers and employees increasingly expect on-demand, frictionless access to cloud services and a wide spectrum of information. But some information is too sensitive to move to the cloud, so organizations must plan to keep certain resources and data on-premises while ensuring that they’re still accessible to off-premises employees for legitimate use.
In other cases, moving data, tools, and operations to the cloud is just more expensive than many IT teams can afford. General and administrative budgets are tight, and IT and Security must coordinate with Finance, HR, and Legal to budget for infrastructure. It can be difficult to make the case for cloud resources, particularly if an organization has already invested in on-premises solutions.
Given that workplace transformation, compliance, and cloud/SaaS services are all being baked into the future of work today, organizations can get a much bigger ROI – including greater efficiency, simplified vendor contracts, more flexibility, and a better customer and employee experience – by starting to adapt to these changes now.
Best practices and next steps
Calling these pain points doesn’t really do them justice – there is significant overlap between them, they exacerbate one another, and they affect multiple user groups. They’re systemic issues. As a result, the best practices for addressing them tend to be comprehensive and wide-ranging themselves.
One of the best ways to address these issues is to focus on the basics: multi-factor authentication, firewalls, and a sound monitoring infrastructure are table stakes when it comes to operating successfully in a permanent-hybrid environment. These represent a sound foundation to start from.
Likewise, most organizations should integrate user and entity behavior analytics (UEBA) to track remote employees who are accessing sensitive information. UEBA can begin with endpoints, but over time it may also be worth tracking network, endpoint, and log data to develop a more comprehensive sense of who is doing what.
Another important next step is moving from pre-pandemic, conditional access policies (“if a user is logging on from the corporate campus, then approve this request”) to dynamic access policies enabled by real-time decision-making and risk-scoring. Making this leap can help organizations enable the empowering, convenient, and flexible authentication methods that employees will demand in a permanent-hybrid world.
Smart identity & access management (IAM) infrastructure can use machine learning to assess internal and external signals and understand every user’s unique access patterns. Internal signals can include an individual user’s location, schedule, and IP address. That information can inform patterns that may indicate something fishy is going on (e.g., an excessive number of failed login attempts or ground-speed violations). Finally, external threat intelligence can flesh out the picture: leaked passwords or IP addresses known to be connected to previous fraud attempts should refine dynamic IAM policies.
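As an added illustration (not code from this article or from any IAM product), the sketch below scores a single login from the signals described above: a ground-speed check between consecutive logins, the failed-attempt count, the user's usual schedule, and a threat-intelligence IP list. The weights, thresholds, field names and sample logins are assumptions constructed for the example.

```python
import math
from datetime import datetime

# Assumed thresholds and constructed data (RFC 5737 documentation IPs), not from the article.
KNOWN_BAD_IPS = {"203.0.113.7"}     # stand-in for an external threat-intel feed
MAX_GROUND_SPEED_KMH = 900.0        # roughly airliner cruise speed
MAX_FAILED_ATTEMPTS = 5

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two coordinates in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlam = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * 6371.0 * math.asin(min(1.0, math.sqrt(a)))

def ground_speed_kmh(prev, cur):
    """Speed implied by two consecutive logins of the same user (timestamps in UTC)."""
    dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
    hours = (cur["time"] - prev["time"]).total_seconds() / 3600
    if hours <= 0:                   # simultaneous or out-of-order events
        return math.inf if dist > 1 else 0.0
    return dist / hours

def score_login(cur, prev=None, failed_attempts=0, usual_hours=range(24)):
    """Combine internal and external signals into (score, reasons, decision)."""
    signals = [
        ("ground_speed_violation", 50,
         prev is not None and ground_speed_kmh(prev, cur) > MAX_GROUND_SPEED_KMH),
        ("excessive_failed_logins", 30, failed_attempts >= MAX_FAILED_ATTEMPTS),
        ("threat_intel_ip", 40, cur["ip"] in KNOWN_BAD_IPS),
        ("outside_usual_schedule", 10, cur["time"].hour not in usual_hours),
    ]
    reasons = [name for name, _, hit in signals if hit]
    score = sum(weight for _, weight, hit in signals if hit)
    decision = "deny" if score >= 70 else "step_up_mfa" if score >= 30 else "allow"
    return score, reasons, decision

# Constructed sample logins for one user, one hour apart.
BOSTON = {"lat": 42.36, "lon": -71.06, "ip": "198.51.100.10",
          "time": datetime(2021, 5, 3, 13, 0)}
SINGAPORE = {"lat": 1.35, "lon": 103.82, "ip": "203.0.113.7",
             "time": datetime(2021, 5, 3, 14, 0)}

if __name__ == "__main__":
    print(score_login(BOSTON, usual_hours=range(11, 23)))
    print(score_login(SINGAPORE, prev=BOSTON, usual_hours=range(11, 23)))
```

Unlike a static rule keyed on network location, the decision here changes with each request: the same credentials yield "allow", "step_up_mfa" or "deny" depending on which signals fire.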
Ultimately, to prepare for a post-pandemic workplace, security and IT teams should start moving from a “trust but verify” stance to a “never trust, always verify” zero trust mindset. I say “mindset” because there’s a lot of hype around zero trust. No matter what a vendor tells you, zero trust isn’t a product, vendor, or service. In fact, it’s probably not even a possible or desirable end state.
Instead, zero trust is a useful aspiration that organizations can use to identify and minimize any default trust assigned to networks, users, hosts, or applications. Importantly, zero trust also trains IT teams not to rely on perimeters to maintain organizational security. In a world where many of us are already working outside of the perimeter, zero trust is an important way for IT and security teams to reconfigure and reassess pre-pandemic infrastructure and assumptions.
Preparing for a new era
It’s an interesting time for those of us in IT. We’re working through fundamental changes to the workforce, new compliance frameworks, and a rapidly expanding cloud and SaaS market. Working through any one of those changes would be challenging enough – together, they amount to major security and infrastructure priorities for us all. And they just happen to be taking place when we’re all trying to prepare for what our school, work, and play will look like once the pandemic is behind us.
The only way to navigate these challenges is to take a long-term view and account for the new era we’re headed towards.
For years, we’ve described our work as a balance between flying and rebuilding the airplane. Now we have to make our midair repairs without understanding where we’ll land. The only thing we do know is that, wherever we arrive, the landscape will be fundamentally different compared to where we started.