The Many Flavors of Back to Office and Why Companies Need Zero Trust Network Security (ZTNA)


By Tom Sego, CEO BlastWave

Returning to the office represents a long-awaited milestone, a positive sign that we can engage more fully with colleagues, return to in-person events, and move forward with our lives.

There are many flavors of what a back-to-office plan looks like, and everyone has an opinion. After several delays, Google has given employees a new return-to-office date of April 4. That’s when the new “hybrid” work schedules begin, and most employees will be expected in physical offices at least three days a week. Twitter has announced employees can start returning to the office in March if they want to. Twitter CEO Parag Agrawal said that he wants Twitter employees to work wherever they “feel most productive and creative” and that the company is committed to “truly flexible work.” In the meantime, Apple has fixed an April 11 deadline for its corporate employees in the US to return to the office. The company plans a hybrid pilot in a phased manner to ensure a smooth return. Dropbox has aimed for “virtual first,” which means that remote work is the default and offices transition to co-working spaces where employees can choose to hold meetings, rather than places to work individually.

Many feel that hybrid is the future of work: popping into the office one to two days a week to catch up with colleagues in person, while still being able to work productively at home. Hybrid could offer the best balance between face-to-face collaboration and the flexibility and benefits of working from anywhere.

One of the other less-talked-about aspects of remote work was the ability for companies to recruit talent from a wider geographical footprint. The same remote working tools that enabled Apple and Google employees to work from home enabled many companies to hire employees from all over the globe. There are many co-workers who have been hired and have not yet met their colleagues in person. For example, we hired a solutions engineer from Ohio and a sales director from Florida. None of us have met face-to-face (but that will be changing soon). Our PR team has members in Spain and California. Distributed work tools like Slack and Zoom have matured to the point that we operate at high degrees of interactivity and operate as a single entity. As the pandemic recedes into the rearview mirror, the capability of remote work will be essential for these increasingly distributed teams to deliver results. As a side note, this reality puts an additional burden on leaders to inspire employees to bring their best efforts and achieve greater fulfillment, because finding a replacement job and boss is easier than ever.

Reimagining the Security Perimeter

What impact does hybrid work have on network security and how have CISOs and IT departments had to reimagine the security perimeter to accommodate hybrid models? More importantly, as IT budgets for 2022 remain in question, here’s what it could mean for CIO IT spending priorities.

How do I solve the security weakness of the VPN I secured two years ago? Get LAN security or remote performance for less?

The entire workforce has become more flexible, and flexible work arrangements need to be dynamic, secure, and scalable. We can no longer trust ourselves to avoid inadvertent threats like losing a password, or worse, putting ourselves at risk with intentional threats from bad actors that try to take over our identity. The enterprise must also review the security perimeter they put in place two years ago and ask themselves: Can I do the same for less? Is VPN where I should put my budget? How do I best protect against future threats and scale?

The truth is that VPN was a knee-jerk reaction, and the past two years have only underscored some of its flaws, including more security headaches and a costly per-license situation. With some individuals returning to the office full-time to work, you don’t want to be stuck paying for unused licenses. Enterprises need a solution that improves performance at a lower cost than two years ago.

With the 2021 Verizon DBIR report conveying that 61% of all confirmed breaches were related to password issues, such as account takeovers from hijacked usernames and passwords, phishing, etc., organizations are also looking to completely remove passwords from their environment.

Here is a Rude Awakening: VPN is not Zero Trust

Unless you have had your head stuck in the mud, you will have heard of Zero Trust Network Security (ZTNA). Zero Trust is a security framework requiring all users, whether inside or outside the organization’s network, to be authenticated, authorized, and continuously validated before being granted, or keeping, access to applications and data. Zero Trust assumes that there is no traditional network edge; networks can be local, in the cloud, or a combination or hybrid, with resources anywhere as well as workers in any location.

Increasing regulatory requirements around zero trust security make it imperative to move away from the VPN model, because VPN is not a zero trust network and has been the cause of multiple breaches.

History has proven that VPNs are now a vulnerability in and of themselves and have become legacy for “secure” remote access. VPNs are discovered on the internet, making them easy to find and breach. Because of split tunneling, a compromised employee’s laptop working from home gives an attacker a free ticket right into your corporate network while enjoying the privacy of an encrypted tunnel that can’t be inspected until the traffic has extended past the VPN concentrator and is in clear text.

Alissa Knight, cybersecurity influencer and reformed hacker

According to recent research from Knight Ink: “Organizations are moving away from flat networks that provide an adversary unlimited east-west reach for pivoting in the environment once they’ve established a beachhead. In November 2021, a massive zero-day hole was found in Palo Alto Networks VPN firewalls allowing for unauthenticated remote code execution (RCE) estimating that it had affected over 10,000 VPNs. Alternative solutions that enable remote access for this new work at home economy offer additional security controls beyond just remote access, such as software defined perimeter (SDP) solutions are replacing VPNs.”

According to cyber security influencer Alissa Knight, “Organizations are looking not only for multifactor authentication (MFA) solutions to require far more than just a password, but MFA solutions that can potentially eliminate the password altogether by relying on something you have and something you are (i.e. the user’s own mobile device with a biometric). CISOs are leveraging SDP solutions to implement microsegmentation in their environments that used to have to be done at the hardware level in switches, virtual local area network (VLAN) access control lists (ACLs) or firewalls to route traffic between VLANs, which still didn’t implement a true zero trust security model between users, devices, applications, and data that’s now enjoyed in SDP.”

And what about resignations? Those who have left the company create additional security loopholes. In many cases, this gets at a very important but difficult part of security management: maintenance of directory services (LDAP, Active Directory, etc.). Often those services feed into solutions that determine who has access to what. Robust off-boarding revokes permissions and access to sensitive information.

Now is the time to re-consider your hybrid remote security policy

Driven by events, from the increase in ransomware and phishing during the pandemic to the current war, the geopolitical situation, and a return to hybrid office situations, cybersecurity is front and center on the agenda. The current administration is driving urgent efforts toward a new cybersecurity paradigm. President Biden’s Executive Order on Improving the Nation’s Cybersecurity (EO 14028) focuses on advancing security measures for the federal government that dramatically reduce the risk of successful cyberattacks, and requires federal civilian agencies to establish plans to drive the adoption of Zero Trust Architecture.

The good news is that CISOs’ and CIOs’ security budgets are increasing and they are gaining power in the organization, but they are also in “subtraction mode.” They are looking across the entire security stack to ask themselves what they can remove or take out. It’s a more strategic discussion rather than just buying a collection of point solutions. They are overwhelmed with incremental purchasing. Networking used to be a separate category, but now it, and many other things, are being subsumed by security; it’s the elephant in the room. Ultimately, SDP solutions offer organizations secure remote access into their environments while darkening and cloaking assets that aren’t allowed to talk to specific nodes, implementing the concept of true zero trust security. No matter what happens with COVID and the hybrid working arrangements, SDP solutions enable broader access to remote talent, more flexibility, and a potentially more potent workforce that is safe from the barrage of cyber-attacks we are witnessing today. CISOs and CIOs can have their ice cream and eat it too.


Tom Sego is co-founder and CEO of BlastWave and a veteran business leader with over 20 years of experience across a variety of industries. Prior to BlastWave, Tom was co-founder and CEO of SunVault and a co-founder and CMO at DiVitas Networks. Additionally, he led global sales support at Apple.
