Jan Lawford at VMware describes how organisations can better operationalise their cyber-security
Strictly office-based working for knowledge workers is now being rendered obsolete in favour of more flexible, fluid, distributed ‘anywhere’ models, where the location of work no longer matters. But the success of anywhere working hinges on getting applications and information into the hands of employees at speed, wherever they are, and – most importantly – securely.
With employees potentially working anywhere – in the car, at home, in the HQ, the regional office, collaborative hubs, coffee shops – the flow of data through the organisation has increased in complexity, with multiple points of risk between data centres, applications, the network, the cloud, laptops, mobile phones and edge devices, and exposure to far more hostile threats, both in number and in magnitude.
Corporate data is no longer protected by the traditional infrastructure perimeter of the corporate office. Keep in mind the exponential growth in security threats we’ve seen over the last 12-18 months and securing data across all these potential entry points rightly becomes a boardroom issue.
In VMware’s recent Global Security Insights Report of 3,500 CIOs, we revealed what are seen as the most vulnerable breach points on the data journey as organisations move their infrastructure to accommodate the anywhere workforce. Indeed, 80% of organisations surveyed experienced cyber-attacks due to more employees working from home, highlighting the vulnerabilities in legacy security technology and postures.
So, let’s go on this data journey, explore the main points of concern and the remedy, while also highlighting examples of organisations that are already taking action.
Securing applications and workloads: part of the DNA of any modern organisation
Giving employees access to mission-critical workloads and apps is a top priority and no less so with the sudden move to widespread remote working. But apps are also perceived by CIOs to be the most vulnerable points on the data journey, topping the leader board of what’s most at risk of a breach (apps, 34.7% and workloads, 19.5%).
Legacy apps, some of which could be 15 years old or more, were never designed to be accessed remotely – in the past they would always have been protected by firewalls at the infrastructure perimeter.
But for the sake of essential business continuity, organisations were forced to roll the dice and drill holes through the walls around their network, taking the chance with insecure VPNs to give their employees access to the apps they need to do their job. The worry is, some of these band-aid solutions are still in place today, leaving a lot of data exposed.
The majority of CISOs (63%) agree they need better visibility of data and apps in order to pre-empt attacks. Apps need to be modernised for a world of cloud and anywhere working. There is now recognition that traditional anti-virus and patching processes are not optimal in an accelerating digital world, and the knowledge gap between security and infrastructure teams is growing.
Security teams don’t know how production workloads are expected to behave, and infrastructure teams cannot recognise attacker behaviour. This is causing a blind spot. That’s why security has to be – and now can be – baked into the apps and workloads from the start, with zero trust by design, rather than a bolted-on afterthought.
Let’s take these two examples:
Air ambulance company Angel MedFlight provides intensive care units (ICUs) in the sky – the epitome of anywhere working. Dealing with critically ill patients 40,000 feet in the air, where every second counts, leaves no room for error or downtime. Ensuring the security of infrastructure is crucial, so the company switched to identity-based control for its apps and data.
Adopting a zero trust model, Angel MedFlight used a digital platform to allow it to transition quickly to all-remote working: every employee was simply able to take home their Apple Mac mini and immediately keep working, with secure access to all the apps they needed to help transport patients.
Financial services organisations are tasked every day with protecting client data and payment transactions whilst ensuring no applications are left exposed to threats, and DVB Bank is no different. A specialist in international transport finance, the bank selected an automated workload solution to validate any changes and synchronise them with the implemented security mechanisms.
The inherent security layer built in enabled performance-based security, boosting not only customers’ trust in the bank but also cultivating a keener awareness of IT security among the bank’s employees.
The Network to the Edge: when everything touches the network, security is a priority
The network is paramount, carrying data from the data centre to the app to the cloud to the device. Whilst securing traditional networking has largely been restricted to the perimeter of the corporate infrastructure – a secure bubble guarded by a firewall – it’s no longer clear in the modern world whether the new network even has a perimeter any longer, let alone how to secure it: there may potentially be 50,000+ connection points outside the traditional corporate firewall, wherever an ‘anywhere worker’ might happen to be.
For our CIOs, 19% cite the network as being their main breach point of concern. By vastly expanding the network’s reach through VPNs (or ‘Virtually Pointless Networks’, as they are ironically being labelled), IT leaders have ultimately lost the end-to-end visibility that they used to count on.
Security of the network must be amplified, with better visibility for planning physical and virtual networks. The Virtual Cloud Network, as a modernised model for business networking, delivers pervasive connectivity and intrinsic security as a built-in distributed service, for users to apps and businesses to data, regardless of location.
Underpinning this are new technologies such as Secure Access Service Edge (SASE), which reroutes networking requirements through the cloud. This virtual network overlay solves the issues around visibility and provides better context and a seamless user experience. SASE effectively delivers simplicity, scalability, flexibility and pervasive security as a single integrated whole for the distributed enterprise, and Gartner predicts that by 2024 more than 60% of software-defined wide-area network (SD-WAN) customers will have evolved this into a SASE architecture, compared with only about 35% in 2020.
The same concern around lack of visibility also applies to edge IoT devices. Although fewer of our CIOs rank them as their top concern (4.5% cited it), the same visibility problems still apply. For critical infrastructure suppliers such as energy providers, IoT devices are central to monitoring the status of their systems.
At the same time, their spread and lack of visibility open up security issues. For Ansaldo Energia, a critical task for its global operations is its monitoring and diagnostic system, which collects data from more than 200 power plants around the world. To protect all of these IoT devices based at the network edge, Ansaldo adopted a cloud-based solution that delivers a 30% drop in total cost of ownership while improving security and flexibility.
Endpoints and their users: laptops, smart phones, internet cafes, homes, cars and securing human nature
Alongside many other parts of the IT real estate, when it comes to endpoints, anywhere working has once again meant that IT teams have had to relinquish an element of control. Historically, organisations have had full ownership and control of corporate devices.
But tolerance has had to shift in the name of continuity with a myriad of employee-owned devices entering the corporate network. Misconfigured and older office devices that have been away from the corporate network for a significant period, with toolsets not designed for remote working, are posing a significant risk.
Anywhere working has also shifted security priorities to the endpoint. Legacy endpoint security tools are not capable enough to identify risk and prevent, detect and respond to the latest threats and attack vectors. As endpoints now sit off the internal network, security teams need to ensure they have continuous visibility and connectivity to guarantee the devices have the most up-to-date security posture. These devices represent an ever-present threat, and are a major reason that 10.6% of CIOs cite endpoints as their most vulnerable security breach point.
Validating the identification of end users is another challenge. Whilst the office provided physical barriers such as door entry systems and digital ID badges to prevent infiltrators, these are no longer as relevant if most employees are working outside of corporate premises.
Swiss public transport provider Basler Verkehrs-Betriebe (BVB) was a pioneer of endpoint security even prior to widespread anywhere working, owing to the already distributed and mobile nature of its employees, and continues to innovate in this area today. With multiple drivers transporting residents all over the city, iPads with built-in security provide them with constant, remote access to internal applications and documents such as timetables and duty rosters.
With so many devices on the move, the security risks were high and required a zero trust mindset to ensure all the information moving from device to network to app to cloud remained secure.
Adopting a zero trust approach to endpoint security will help organisations navigate these issues. An intelligent cloud-based hub, that manages everything anywhere in real time can act as a central source of ‘truth’ for all the endpoints.
With real-time device monitoring, these platforms are able to alert security teams when they suspect a security issue. When attacks do occur, organisations will be more adept at identifying and assessing them, shutting them down quickly and taking the appropriate actions to repair any damage with minimal impact. Actions are based on facts, utilising automation and orchestration rather than manually implemented guesswork.
Adopting zero trust, and using comprehensive risk-based conditional access control models to authenticate users before applying built-in multi-factor authentication and single sign-on, helps to de-risk operations and reduce ‘alert fatigue’, all whilst making security user friendly. When aligned with intelligence and automation, it can act as an effective defence against potential intruders, freeing up time for IT and security teams so they can focus on higher-value activities.
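To make the risk-based conditional access model above concrete, here is an added illustration (not VMware’s code, nor any product’s policy engine) of how an endpoint’s reported posture and the request context can be scored into an allow / step-up-MFA / deny decision. The posture fields, weights and thresholds are assumptions chosen for the example; a real deployment would tune them to its own risk appetite.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict


class Decision(Enum):
    ALLOW = "allow"          # single sign-on proceeds without friction
    STEP_UP_MFA = "mfa"      # require a second factor before issuing the session
    DENY = "deny"            # block the request and raise an alert


@dataclass(frozen=True)
class DevicePosture:
    managed: bool            # enrolled in the central management hub
    disk_encrypted: bool
    patch_age_days: int      # days since the last security update was applied
    last_seen_days: int      # days since the device last reported its posture


@dataclass(frozen=True)
class AccessRequest:
    app_sensitivity: str     # "low" or "high" (constructed labels)
    on_corporate_network: bool
    known_location: bool     # location previously seen for this user
    device: DevicePosture


def risk_factors(req: AccessRequest) -> Dict[str, int]:
    """Return the risk factors that apply to this request with their weights (assumed values)."""
    d = req.device
    candidates = {
        "unmanaged_device": (not d.managed, 40),
        "disk_not_encrypted": (not d.disk_encrypted, 20),
        "patches_overdue": (d.patch_age_days > 30, 20),
        "posture_stale": (d.last_seen_days > 7, 15),   # lost visibility is a blind spot
        "off_corporate_network": (not req.on_corporate_network, 10),
        "unfamiliar_location": (not req.known_location, 10),
    }
    return {name: weight for name, (hit, weight) in candidates.items() if hit}


def decide(req: AccessRequest) -> Decision:
    """Map the summed risk score, plus app sensitivity, to an access decision."""
    factors = risk_factors(req)
    score = sum(factors.values())
    if "unmanaged_device" in factors and req.app_sensitivity == "high":
        return Decision.DENY        # no trustworthy posture signal for a sensitive app
    if score >= 60:
        return Decision.DENY
    if score >= 20 or req.app_sensitivity == "high":
        return Decision.STEP_UP_MFA
    return Decision.ALLOW
```

The returned factor list is what an analyst would want surfaced with the alert, so that a denial is explained by facts rather than guesswork.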
Multiple touch points – one holistic solution
Whilst each of these touch points has remedies to ensure its security, organisations need to rethink security as an inherent and distributed part of the modern enterprise – continuously incorporating all aspects of their technology environment to deliver more effective security through a zero trust approach. But they equally run the risk of adding complexity and losing visibility by using multiple security solutions from multiple vendors.
By incorporating zero trust security principles into an organisation’s supply chain and opting for a holistic platform that has all of these elements baked in, they can achieve complete end-to-end protection. This creates a comprehensive ‘security operations centre’, which provides the context and visibility that IT teams need. Relevant security information is presented in context and combined in an intelligent fashion across teams, reducing silos and greatly improving teamwork and communication.
Anywhere working will help to make employees feel empowered, connected and productive, and taking this new stance will ensure teams are better equipped to solve the threats of today and tomorrow, with fewer blind spots and reduced time to detection and response.
Organisations can better operationalise security, making more effective use of people and resources, all whilst delivering the speed and security required of the modern enterprise.
Jan Lawford is Head of Security at VMware EMEA