With organizations around the globe in various stages of sending employees back to traditional office environments, it seems as though remote work will play a significant role in business through 2020 and beyond. Whether companies are still under restrictions and are unable to send people back to the office, or they have created more flexible remote work policies to better accommodate the needs of their employees, these businesses must ensure that their teleworker strategies can support and secure remote connectivity long-term.
To get a better understanding of what CISOs have learned from a security perspective as a result of the shift to remote work in early 2020, we discussed the topic digitally with Fortinet’s Alain Sanchez, Courtney Radke, and Peter Newton.
Q: What are the unexpected security strategy learnings you are hearing CISOs discuss in recent months?
Courtney – While it may have seemed daunting or overwhelming at first, at least from a technical standpoint, implementing a robust and secure remote worker program was not necessarily as difficult as many organizations believed it to be on the surface. Did it require the correct policies and openness to embrace change to pull off effectively and under a tight time-crunch? Yes. Were things made easier when businesses already had the correct infrastructure in place to facilitate both? Absolutely. However, with a bit of careful planning and the right technology partnerships, organizations were able to get over the hump and execute on or expand their teleworker strategy. This, in turn, made businesses realize that the reasons to retain (or possibly expand) their teleworker strategy quickly outnumbered the reasons against remote work becoming a staple of an organization’s business process going forward.
Alain – As a result of the COVID-19 crisis, CISOs were put under incredible pressure to maintain business continuity with almost 100% of the workforce working from home, in just a couple of days. Many successful approaches that we have seen are based on a careful analysis of existing capabilities, so that instead of rushing to add new technologies they leveraged the potential of the solutions already in place. The beauty of revisiting what you have in light of those business imperatives is that you end up asking the right questions about what processes, data, and apps are truly crucial to maintain business. This healthy reaction created some fruitful eureka moments and consequently harmonized security practices across the branches, the core, and cloud-based infrastructures.
Q: How are CISOs changing their IT or OT security needs moving forward given what they have experienced in 2020 so far?
Courtney – Many organizations were simply not aware of some of the weak spots and bottlenecks in their infrastructures. To plug the holes and stem the tide, businesses made changes and additions to their environments in a manner and speed that made it impossible to understand the downstream effects. The costs now are only beginning to come to light in the form of interoperability challenges, data privacy concerns, performance degradation and increased complexity. By only using the “see a need, fill a need” approach, many businesses inadvertently created another need. IT staff that were already taxed in managing the previous status quo now had even more to contend with in tools and services that were not built with integration and automation in mind. While these problems can many times be rectified with additional cycles and customizations, CISOs and C-level IT executives alike are now keener on evaluating technologies that not only fit an immediate need but also help fix outstanding problems.
Alain – 2020 has already entered history as the year of IT/OT convergence. The merger of the two disciplines accelerated as an automated response was seen as the way to transcend the diversity of OT devices in SOC environments that were managed remotely. You just can’t do that if you rely on manual response and work by exceptions. The practice of deporting the analysis of the threat to converged NOC-SOC dashboards and triggering the response as automatically as possible has significantly progressed in the last 3 months. We are also seeing the adoption of constantly updated playbooks as more systematic. However, these threats continue to increase in volume and sophistication, hence the necessity of a central repository and the enforcement of these response scenarios.
Peter – We’ve seen an increase in the use of our Teleworker Solutions for key individuals that have more security and performance requirements than your typical employee. Customers are deploying our small firewalls directly into the homes of their “Super Users” to create a secure enclave, protecting an organization’s critical data from the home network. This use of a firewall directly in the home office can provide users with the same kind of wired and wireless connectivity they would have in the office, with the full protection of a corporate enterprise firewall, all managed remotely so the IT team has complete visibility over numerous network edges. This enables Super Users to conduct business as usual from their home office while ensuring the highest levels of protection, explicitly because home networks are such a weak underbelly in this whole system. If you aren’t protecting your organization from that threat vector you are leaving yourself exposed, which is what CISOs are learning and it is why they are adopting these Teleworker Solutions.
Q: What areas of the digital infrastructure are top of mind right now for CISOs?
Peter – There is a major emphasis on the concept of Zero-Trust Network Access because companies are recognizing that, number one, they have all these VPN tunnels that need to understand and confirm who the users are and two, they have users on all different types of devices that now have access to the corporate network. This is where the ability to understand and see everything on that network has become key and that is why our Teleworker Solutions have gotten a lot of attention and activity in the months since COVID-19 first hit. And now that we are a couple of months in, customers are finally able to take a step back and evaluate whether they put every security measure in place that they needed to so that their teleworker solutions are effective long-term. As a result, many of them are shoring up their Zero-Trust capabilities so they know exactly who and what is on their network well into the future as employees continue to work remotely.
Courtney – The two areas that I have continuously heard mentioned, especially over the last several weeks, are the need for more tightly integrated network and security functions and how to properly secure dynamic multi-cloud environments. To expand further, network infrastructure needs to support and enable other aspects of the business; it must allow for dynamic change and new technology integrations and must have integrated (and automated) security functions to reduce complexity and increase efficiency. This needs to extend from branch, to edge, to the data center, and to cloud with a cohesive policy and centralized visibility and management throughout. As businesses are quickly viewing the cloud as data center extensions, it becomes more critical for network and security policies to seamlessly expand into these environments and maintain the same ease of deployment (and security maturity) as their more traditional physical counterparts.
Alain – The edge is becoming more and more important as increased processing power and speed are expected to be available when 5G generalizes. The distributed architecture of 5G also makes Zero-Trust one of the pillars of advanced cybersecurity. The right of connection cannot be granted by default to a user, a process, or a device. Authorization to access has to be the result of an analysis of what the entity is supposed to do from a profile and machine-learned behavior perspective as well as what that entity actually does. When a gap is detected or an abnormal exchange is about to happen, the device has to be isolated and its level of threat evaluated in a fraction of a second. This timely decision requires a fully integrated exchange between the networking side and the security side of the risk equation.