- Rich Mogull, Securosis
Thanks to a prior life as a paramedic, I've spent decades as a part-time disaster responder, jumping into chaotic environments on the heels of natural catastrophes like Hurricane Katrina. I've learned that survivors who are able to adapt and rebuild often share two key traits: They react quickly, and they accept their new reality.
This is the challenge facing CISOs today. How can we rapidly shift our operations to a primarily work-from-home model -- and ensure strong cybersecurity for remote workers -- even while in the midst of a generation-defining disaster that will have repercussions for years to come? While some organizations already supported remote work before the COVID-19 freight train hit, very few supported it at the scale the pandemic required. I've heard the same story from multiple IT leaders: "COVID-19 forced us to implement our three- to five-year digital transformation plans in three to five weeks."
Digital transformation is a bit of a fluffy phrase; in concrete terms, it has three major components:
- migrating back-office applications to SaaS or cloud-hosted application deployments;
- migrating data center applications to IaaS; and
- enabling a secure mobile workforce with diverse endpoint devices.
Many CISOs I've worked with were already well down the path of implementing digital transformation projects in early 2020. But COVID-19 forced a dramatic acceleration of these initiatives, often faster than security could keep up. In my CISO role at my own organization, DisruptOps, I decided to approach these challenges like a paramedic deployed to a disaster zone: take stock, respond and rebuild.
When COVID-19 hit, we moved fast. Now we must assess where we landed and how to adapt to our new circumstances. Imagine the disaster survivors who packed up and ran to safety; once out of immediate danger, they had to stop, reorient and take stock of what the heck they actually packed -- and where to go from there.
At the onset of the COVID-19 pandemic, CISOs and IT teams rushed to support home systems, stand up new VPN servers (on premises or in the cloud) and dramatically expand MFA. Like a family fleeing a fire, the first weeks and months were all about moving as quickly as possible and doing our best, knowing we couldn't prevent every risk.
DisruptOps had the advantage of being small and cloud-centric; our employees already had the option to work at home, and all our infrastructure was hosted in the cloud. But we happened to close a funding round right as COVID-19 hit, so as we moved to grow the company and implement new initiatives, we also needed to expand our work-from-home program at an unanticipated speed and scale.
My most immediate task was ensuring we kept a handle on the biggest potential security gaps -- increasing isolation of our production environments and hardening the walls between development and production. Since we were already using mostly SaaS to run operations, and our application is built on IaaS, I partnered with our CTO -- a well-versed security veteran -- to manage our identity perimeter and remotely onboard new employees via stock laptops we shipped to them.
In this first phase it was all about closing the biggest gaps, and those gaps aligned with rapid growth of remote access and remote collaboration. For most of the other CISOs I've talked with, this translated to increasing VPN and SaaS capacity, adding MFA and trying to consolidate onto a vetted set of collaboration tools. Some organizations also increased their migration to IaaS to reduce the staffing requirements at data centers. This initial response came at the expense of some endpoint controls and risk management of certain SaaS platforms.
I think we are all still very much in this response phase. The focus is on identifying and managing the biggest risks so we can move forward and start building longer-term foundations. These will look a bit different for everyone. In particular, larger companies struggle with the scaling issues of rolling out MFA -- critical to any effort around cybersecurity for remote workers -- and of remotely managed endpoint security.
You've likely already moved most of your workforce to a work-at-home model. Given the state of the world, it's safe to assume two things: First, we have no idea when we can return to pre-COVID-19 normal. Until there's a vaccine and we understand more about the course of this disease, we can't possibly predict when things will settle down. Second, even in areas that manage to reduce infection rates and return to some level of normalcy, there will still be flare-ups. The most optimistic predictions suggest that we will be dealing with outbreak episodes, vaccine efficacy and other complications for another 12 to 18 months. We have to accept that our current plans are not stopgap measures but our new core operating model for the foreseeable future.
My team has just recently started working on long-term security initiatives for the post-COVID-19 environment. Ours are a bit different from what my colleagues in other organizations face, since DisruptOps only supports one customer-facing application. We're focused on improving security testing and the CI/CD pipeline; we already operate in a zero-trust environment and rely completely on SaaS services. We still need to improve our identity and access management (IAM) to support new SaaS services, but that's due to increasing head count more than anything pandemic-related.
Most organizations were already in the early adoption or evaluation phases for SaaS, and thanks to COVID-19 it just makes sense to speed up those plans. For security, this is an opportunity to improve IAM and single sign-on (pushing both to the cloud), reduce reliance on VPNs to backhaul all traffic, and take a look at cloud access security broker (CASB) tools. I don't personally love CASBs, but aside from the big SaaS platforms, large numbers of SaaS services do a poor job with security and don't provide the security hooks needed to monitor and control them.
For IaaS, the biggest change is that you can no longer assume all traffic reaches the cloud over one big dedicated network connection; you need to plan for distributed remote access instead. In IaaS, IAM is the new perimeter. It can be pretty challenging to manage with current technologies, but controlling where your API calls come from, and how you handle remote logins to services, is something you want to start planning and working on now.
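One concrete form of "controlling where your API calls come from" on AWS is an organization-wide service control policy (SCP) that denies every API call unless it arrives from a trusted network (VPN egress), a trusted VPC endpoint, an AWS service acting on a principal's behalf, or a break-glass role. The block below is an added example, not code from the article or from DisruptOps: it builds that SCP and then dry-runs its conditions against a few constructed CloudTrail-style records, which is the check you want before enforcing a Deny on "*". The CIDRs are RFC 5737 documentation ranges standing in for VPN egress addresses; the VPC endpoint ID, account ID and role names are placeholders; the `would_be_denied` logic is a simplified mirror of the policy's four ANDed conditions, not AWS's real policy evaluator.

```python
"""Build a "trusted networks only" SCP and dry-run it against CloudTrail records.

Added example, not from the article or DisruptOps. Every identifier below is a
placeholder: RFC 5737 CIDRs stand in for VPN egress ranges, and the VPC endpoint
ID, account ID and break-glass role name are fictional assumptions.
"""
import ipaddress
import json

TRUSTED_CIDRS = ["203.0.113.0/24", "198.51.100.0/24"]   # VPN egress (placeholder)
TRUSTED_VPC_ENDPOINTS = ["vpce-0123456789abcdef0"]      # placeholder endpoint ID
BREAK_GLASS_ROLE_ARN = "arn:aws:iam::111122223333:role/BreakGlass"  # placeholder

# All four Condition blocks are ANDed, so the Deny fires only for a call that is
# NOT from a trusted IP AND NOT via the trusted VPC endpoint AND NOT made by an
# AWS service on the principal's behalf AND NOT from a break-glass role.
SCP = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyApiCallsFromUntrustedNetworks",
        "Effect": "Deny",
        "Action": "*",
        "Resource": "*",
        "Condition": {
            "NotIpAddress": {"aws:SourceIp": TRUSTED_CIDRS},
            "StringNotEquals": {"aws:SourceVpce": TRUSTED_VPC_ENDPOINTS},
            "BoolIfExists": {"aws:ViaAWSService": "false"},
            "ArnNotLike": {"aws:PrincipalArn": BREAK_GLASS_ROLE_ARN + "*"},
        },
    }],
}


def scp_json() -> str:
    """Policy document as you would hand to `aws organizations create-policy`."""
    return json.dumps(SCP, indent=2)


def principal_arn(record: dict) -> str:
    """aws:PrincipalArn is the role ARN, while CloudTrail's userIdentity.arn is
    the assumed-role *session* ARN, so prefer sessionIssuer when present."""
    identity = record.get("userIdentity", {})
    issuer = identity.get("sessionContext", {}).get("sessionIssuer", {})
    return issuer.get("arn") or identity.get("arn", "")


def would_be_denied(record: dict) -> bool:
    """Simplified mirror of the SCP's conditions (not AWS's real evaluator)."""
    identity = record.get("userIdentity", {})
    try:
        ip = ipaddress.ip_address(record.get("sourceIPAddress", ""))
    except ValueError:
        # CloudTrail records a service DNS name (e.g. cloudformation.amazonaws.com)
        # when an AWS service made the call; aws:ViaAWSService would be true.
        return False
    if identity.get("invokedBy"):  # also marks a service-initiated call
        return False
    if any(ip in ipaddress.ip_network(cidr) for cidr in TRUSTED_CIDRS):
        return False
    if record.get("vpcEndpointId") in TRUSTED_VPC_ENDPOINTS:
        return False
    if principal_arn(record).startswith(BREAK_GLASS_ROLE_ARN):
        return False
    return True


def dry_run(records):
    """(eventName, principal, sourceIP) for every call the SCP would block."""
    return [(r["eventName"], principal_arn(r), r["sourceIPAddress"])
            for r in records if would_be_denied(r)]


ACCT = "111122223333"
# Constructed CloudTrail-style records, trimmed to the fields used above.
SAMPLE_EVENTS = [
    {"eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.40",  # on VPN: allowed
     "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/Developer/alice",
                      "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCT}:role/Developer"}}}},
    {"eventName": "GetObject", "sourceIPAddress": "192.0.2.77",  # home IP, static key: blocked
     "userIdentity": {"arn": f"arn:aws:iam::{ACCT}:user/alice"}},
    {"eventName": "PutObject", "sourceIPAddress": "10.0.1.15",  # instance role via VPCE: allowed
     "vpcEndpointId": "vpce-0123456789abcdef0",
     "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/AppServer/i-0abc",
                      "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCT}:role/AppServer"}}}},
    {"eventName": "CreateBucket", "sourceIPAddress": "cloudformation.amazonaws.com",  # service call
     "userIdentity": {"arn": f"arn:aws:iam::{ACCT}:user/bob", "invokedBy": "cloudformation.amazonaws.com"}},
    {"eventName": "UpdatePolicy", "sourceIPAddress": "192.0.2.77",  # break-glass: allowed by design
     "userIdentity": {"arn": f"arn:aws:sts::{ACCT}:assumed-role/BreakGlassAdmin/oncall",
                      "sessionContext": {"sessionIssuer": {"arn": f"arn:aws:iam::{ACCT}:role/BreakGlassAdmin"}}}},
]

if __name__ == "__main__":
    print(scp_json())
    for hit in dry_run(SAMPLE_EVENTS):
        print("would be denied:", hit)
```

Two caveats before attaching anything like this to a production OU: `aws:SourceIp` is the public address AWS sees, so with a split-tunnel VPN a remote worker's CLI calls leave from their home IP and will be denied, which forces either full-tunnel for AWS traffic or a VPC endpoint path; and SCPs do not apply to the management account, so stage the policy on a sandbox OU, replay real CloudTrail history through the same dry run, and alarm on any use of the break-glass role.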
None of these are surprises; all of them are part of digital transformation. The only difference is that we are all starting now instead of having a couple of years to plan and move more methodically.
The biggest change for many CISOs grappling with cybersecurity for remote workers and other challenges is the massive, sudden change in focus from traditional infrastructure security concerns to the wide adoption of cloud-first and remote access. Like survivors of major natural disasters, we moved fast and now we have to accept our new reality. There's no going back.