Business leaders seeking advice on how to best handle a hybrid workforce model from a security perspective are often left with more questions than answers. I talked to VMware's Abe Ankumah, senior director of product marketing and partnerships, about how enterprises may want to redesign their infrastructures to best secure and support the hybrid workforce of the future.
Hybrid workforce access to become permanent
As pandemic restrictions continue to loosen and businesses plot their strategies in a post-COVID-19 world, it's looking increasingly likely that one major enterprise shift that occurred over the past 18 months will remain: flexible work environments.
Surprising some, many businesses experienced productivity gains throughout 2020 and are attributing them to employees working from home or in a hybrid work model. Additionally, businesses are beginning to realize the benefits in terms of lower building electricity and maintenance costs, as well as the ability to gain access to new pools of employee talent that may be unwilling to travel to the office five days a week.
If a hybrid workforce model is to become a permanent fixture, it's important to evaluate current remote workforce technologies to ensure employees can operate efficiently and with uniform security and performance, regardless of where they are physically located. Remote access VPN, for example, is one technology that many businesses relied on during the pandemic. Yet, the VPN may not be the ideal remote workforce connectivity strategy from a long-term perspective.
"Because of COVID-19, IT departments had to scramble to support a massive proportion of employees in a work-from-home setting," Ankumah said. "Scaling existing remote access VPN technologies was the most convenient stopgap option at the time. VPNs were never intended to operate at this scale, however, which ultimately created some unintended security consequences."
In many situations, once a user successfully authenticates and an encrypted tunnel is established between the end user and corporate network, the user gains full, unfettered access to the entire corporate network. This creates a major target for bad actors and nation-states to attack various vulnerabilities in legacy VPN appliances, Ankumah added, which easily spreads malware using unrestricted VPN sessions as a conduit. That is why so many companies are looking at alternative remote access methods, such as zero-trust network access (ZTNA), that alleviate many VPN scalability, performance and security problems.
Hybrid workforce goals require new security architecture strategies
If businesses anticipate the need to support hybrid workforce models in the future, traditional access and security tool deployments will likely need to change.
"At VMware, we think about the approach to security and function placement in very simple terms," Ankumah said. "A business's goal should be to centralize security and processes when they can and distribute them when they must."
That philosophy is driven by how VMware sees businesses and employees consuming applications, in addition to where users are geographically located, he said. In a rapidly developing business world where users are distributed and applications no longer reside completely within the confines of the corporate data center, traditional perimeter-based security architectures are rarely the best option. Instead, security deployment should shift to where it's closest to the end user, Ankumah added.
Secure Access Service Edge (SASE) is one architecture option that accomplishes this goal. By decoupling security tools and processes from hardware located within the corporate network and distributing those services throughout multiple points of presence using modern edge computing technologies, administrators are given full control to scale and shift security functions with unprecedented flexibility. As a result, end users can access applications, data and digital resources with the same performance and unified security policy, regardless of their location. Additionally, control over security tools and policy remains centralized within the SASE deployment model, while only the security functions themselves are distributed.
According to Ankumah, businesses are also going through a significant paradigm shift as it relates to how IT supports remote employees moving forward, both from a performance/resiliency and data security perspective.
"While network and security administrators have long supported and secured traditional branch offices, a single employee working from home should now be viewed as a 'branch office of one,'" Ankumah said.
This means that the same capabilities found in traditional branch offices can and should trickle down to the home office. In some cases, this can include dual ISP connections for network redundancy, software-defined WAN (SD-WAN) processes for improved application performance, and the use of AI-driven security visibility tools in the form of endpoint detection and response (EDR) platforms, he added.
Putting the hybrid workforce puzzle together
There's a reason why network and security technologies, including SASE, ZTNA, SD-WAN and EDR, are so popular these days. IT decision-makers are concluding that the hybrid workforce is here to stay, and they're looking at ways to better support and secure these employees as efficiently and effectively as possible. It's important to realize that no single technology or tool will solve every problem.
A holistic approach must be taken to address redundancy, quality of service, authentication, access and data security for "branch offices of one," Ankumah said.
"Early in the pandemic, enterprises simply were not prepared for this type of scenario. But, now that the dust has settled, it's looking increasingly likely that hybrid workforces are here to stay," he said.
Ankumah added that this is the time to put a technology roadmap together using all the necessary models and methodologies that will improve end-user performance, security and manageability of remote users now and into the future.