This year we’ve seen a massive shift toward a distributed workforce. Call it work-from-home, call it distributed, call it work-from-anywhere, call it whatever you want… but the reality is that your employees who used to be in your office, using your computer equipment attached to your network, are now somewhere else.
And that somewhere else, a lot of the time, is their home. They’re at their home, they’re at their apartment, they have roommates, whatever else is going on in their actual situation: they’re no longer in your office. They are no longer under your control.
For decades, common enterprise security practice has been built around the concept of a perimeter, the idea of: “Oh, we have this firewall, we have locks on our doors (by the way, physical security is important), we have access passes on our doors, we can see people badging in, people can’t just randomly come in here and randomly plug into our network and do whatever they want…”
Well now, guess what? That doesn’t exist anymore!
These are now people’s homes, with Internet-connected devices like a light bulb that talks to the Internet, that can be compromised, and that can then be used to get onto your network. This is not hypothetical; it is documented, and it has happened.
So what do you do about it?
Well, now we get into the acronym soup. There are two big acronyms that we talk about:
- First off, VPN is dead. We will talk about this in a different video, but Gartner has now classified VPN as SASE. We have a Gartner category called SASE now, and SASE is defining a security industry.
SASE: Secure Access Service Edge
- There’s another thing that we’ve had for a long time. It’s called Zero Trust. Zero Trust is the idea of moving away from a policy of “Hey, I can access resources because I’m physically in the office.” Regardless of where the device actually is, the device isn’t trusted by default (Zero Trust), and it has to pass authentication in order to gain access to a resource. There are some really cool things you can do with Zero Trust. For instance, you can say, “Hey, in order for my accounting team to access my ERP system they have to be in this city, they have to physically be in the city…” Or maybe you want to say that they have to be in this country. So if my CFO travels to China, there should be no connections from China back to our ERP. Additionally, with Zero Trust you can use device facts: Is the device patched? Do you have an antivirus? Or an MDM solution running? What else do you need to actually build a policy that says: “Okay, now, because you meet all these policy requirements, NOW you can gain access to this resource”? Access is not just dependent on whether you’re at the office or you’re remote.
Zero Trust: security architecture where only traffic from authenticated users, devices, and applications is granted access to other users, devices, and applications within an organization.
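The ERP policy described above, sketched as an added example (it is not from the original post or from any vendor's product). The field names, the `erp` resource, the `accounting` group and the country and city values are assumptions made for illustration; note that being on the office network is recorded but never grants access.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool
    groups: frozenset
    country: str
    city: str
    patched: bool
    antivirus: bool
    mdm_enrolled: bool
    on_office_network: bool  # recorded, but never consulted by evaluate()

# Constructed policy (assumption): resources not listed here are denied.
POLICIES = {
    "erp": {
        "group": "accounting",
        "countries": {"US"},
        "cities": {"Denver"},
        "posture": ("patched", "antivirus", "mdm_enrolled"),
    },
}

def evaluate(req, resource):
    """Return (allowed, reasons). Deny by default; every check must pass."""
    policy = POLICIES.get(resource)
    if policy is None:
        return False, ["no policy for resource"]
    reasons = []
    if not req.authenticated:
        reasons.append("user not authenticated")
    if policy["group"] not in req.groups:
        reasons.append("not in group " + policy["group"])
    if req.country not in policy["countries"]:
        reasons.append("country not allowed: " + req.country)
    elif req.city not in policy["cities"]:
        reasons.append("city not allowed: " + req.city)
    for fact in policy["posture"]:  # device facts: patched, antivirus, MDM
        if not getattr(req, fact):
            reasons.append("device posture failed: " + fact)
    return not reasons, reasons

# Constructed sample requests.
cfo_home = Request("cfo", True, frozenset({"accounting"}), "US", "Denver",
                   True, True, True, on_office_network=False)
cfo_abroad = replace(cfo_home, country="CN", city="Shanghai")
office_unpatched = replace(cfo_home, patched=False, on_office_network=True)
```

The remote, compliant device is allowed, while the unpatched device inside the office is denied: the decision follows the policy facts, not the network location.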
You might think: “Can’t we just take and put this on a VPN? That’s what we’ve just done! All of our remote workers are just on a VPN, we’re secure!”
ABSOLUTELY NOT, you’re not. I don’t care if you put in a software VPN or a hardware VPN for that worker: by the nature of this VPN, you have now extended your perimeter and you have given your remote workers access into your corporate environment and whatever your corporate resources are.
So if you’ve got a light bulb sitting at that house that’s been exploited because it hasn’t been patched in forever (because guess what, it wasn’t), you’ve now got a threat vector that you have to deal with in your corporate environment.
This gets multiplied by the number of employees you have. Maybe you’re thinking, “Okay, we’ve only got 100 employees.” Great, so now you’ve only got 100 additional locations you need to worry about. Or “I’ve got 10,000 employees!” Great: do you have 10,000 additional locations you have to work with?
How do you deal with that from a security policy standpoint? SASE and Zero Trust are a big way of getting there.
Work-from-anywhere exposes a lot of things: there’s been a lot of conversation coming up related to corporate culture and communications and these ad hoc conversations and water cooler chats and all these different things.
From an IT department’s perspective, work-from-anywhere can become a logistical nightmare, and it doesn’t need to be!
It doesn’t need to be a logistical nightmare. You can manage your work-from-anywhere and your work-from-home. Notice I say work-from-anywhere, not work-from-home. Your work-from-anywhere should become a construct, and this should apply in how you manage your corporate IT and how you manage your security for your business, because it really shouldn’t matter to you if they are in an office, at a Starbucks, at their house or in the park across the street from them. Wherever that device is, it needs to be secured and protected.
If you want to learn more about this and you want to understand how to apply this to your business, give us a call at ITBroker.com. We will help you understand what’s unique about your business, how your employees are actually working, how your system should be layered, and what options are actually appropriate for you based on your size and your scale, and we’ll narrow that down to the right tech and the best vendor for you so your business wins and you can do this in a sane and stable way.