The global explosion of employees working remotely due to the COVID-19 pandemic has held up reasonably well from a security perspective. Yes, companies have endured some attack vectors, such as Zoombombing and hackers targeting critical healthcare infrastructure. But, overall, given the magnitude of change in network traffic, application usage and scale in such a short period of time and with little forewarning, things have held up reasonably well.
As many CISOs are hunkered down dealing with the current normal, some forward-looking CISOs are planning for the upcoming post-pandemic normal. Two areas these leaders are focusing on with alacrity are zero-trust security and productivity and risk prognosis.
These two trends deserve attention as enterprises inch forward from the lockdown to gradual loosening to ensure efficiency and risk lessons learned are capitalized on going forward.
Zero trust everywhere
While the term zero trust has been in existence for a decade now -- it was first introduced by Forrester Research in 2010 -- the now-dispersed workforce and the necessity to treat every employee as "zero trusted" have pushed the model to assume critical importance.
Geographically dispersed employees are using approved and unapproved devices, accessing application workloads in the cloud and the traditional corporate data center, and connecting to corporate networks through home networks cluttered with personal -- and potentially unsafe -- devices. To combat the threats of these situations, zero trust is no longer applicable in just one or two locations -- it must proliferate across the entire enterprise environment.
With the zero-trust security model, users are granted the appropriate level of access to the right applications and data at the right time. As such, they move from zero trust to trust for that singular transaction, and then they are back to zero trust.
What does this change mean for CISOs? Zero trust requires constant and consistent visibility, enforcement and control that can be delivered ubiquitously. It starts with assurance and permission for the end user, device or app that is trying to access something. For example, if Joe is accessing a database, it is critical to know what endpoint Joe is coming from, whether it is a known-secure endpoint and what its current security status is. Depending on the answers to these questions, there is a specified policy on what Joe can access.
The zero-trust philosophy is about giving requestors the least amount of access they need to accomplish a specific task. Technologies including multifactor authentication, identity and access management, orchestration, analytics, encryption, scoring and file system permissions are critical in a zero-trust security framework.
Productivity and risk prognosis
Many IT leaders are measuring their employees' productivity during this work-from-home phase and trying to extend insights garnered into efficiency planning going forward. These proactive leaders are measuring email, application and network usage during the pandemic and comparing metrics against pre-pandemic measurements to make predictions for the post-pandemic future. For example, if Slack use went up during the lockdown and a poll of employees suggested they were more connected and engaged during this time frame, it could lead to a discussion of whether employees need a physical location -- and the potential reduction of real estate and IT costs.
CISOs, meanwhile, are using a similar model to measure threats pre-pandemic, as compared to during the work-from-home period, to make decisions about risk management down the line. With many large enterprises having few to no employees in physical work locations, the target of attack -- as well as the always-distracted employee carelessness -- is now resident at home. Therefore, the focus has shifted toward this additional risk surface. For example, if an employee is discussing a pre-earning's call report in a room with a smart speaker, the conversation may accidentally be recorded. This has never been part of the traditional risk surface, but now it is.
Analysts and CISOs are projecting extended work-from-home environments could become the preferred way of doing business in the post-pandemic phase for two main reasons:
- Efficiency. Real estate savings resulting from fewer office locations needed mean less money spent on an office few people will work in. In addition, the extended lockdown period has caused most employees to adapt to this new work-from-home lifestyle. Returning to the office comes with many new mandates -- for example, employees being required to wear masks, removal of open-office settings and directives to stay six feet apart -- that could cause a decided drop in efficiency.
- Risk. The lockdown has provided tremendous data to model risk and put practices and training in place to mitigate threats continuously. Opening the floodgates with everyone returning to the workplace increases risk immediately as employees will have to adjust to the "new normal" and how different that world looks compared to what they have gotten accustomed to at home -- and even compared to IT and security practices pre-pandemic. For instance, VPNs were default when employees were working from home. Does that change now that they are inside the campus? Accessing private cloud storage where documents created at home may have been stored -- sometimes in violation of corporate policy -- may now be retrieved from inside the campus. This implies risk increases.
By working with their CIO counterparts, CISOs can model efficiency gains or declines alongside any increases or decreases in the risk surface as a result of employees working from home to make proper decisions about controls for the new working environment -- either in the office or at home.