This is the second commentary in the series “Defining Zero Trust Security.”
The way of work has changed. Credit the response to the global pandemic, shifts in business priorities, new cyberthreats, the need for accelerated innovation, and technological revolution. Building an organization that can readily embrace change requires a culture of agility, and necessitates the enterprise adoption of zero trust practices, solutions, and architectures.
The elephant in the room? These tectonic shifts in the workplace have outpaced legacy IT’s ability to secure it. While work has changed, security has not; a frustrating paradox that has engendered the dramatic rise of a rationalized industry of cybercrime.
The newest new normal: Why the hybrid workplace is here to stay
The adjustments weren’t supposed to be permanent.
The pandemic hit, and overnight, remote work became not just the norm, but the mandate. Organizations scrambled to enable employees to work from anywhere. IT leaders quickly discovered the operational limitations of legacy systems -- With 100% of the workforce working remotely, VPNs hit capacity, and crashed. To retain productivity and alleviate pressure on constrained physical connectivity channels, some organizations resorted to staggering work hours with “follow-the-sun” policies. Many organizations with legacy infrastructure struggled to secure the work of their remote employees, each of whom now represented an additional (distant) endpoint node on a painfully extended hub-and-spoke corporate network.
Legacy environments strained and buckled under the pressure. Contrast that with the experience of organizations with cloud-based zero trust architectures in place. They were able to shift to remote work quickly, and (relatively) painlessly, preserving business continuity in the process. Yes, moving to a comprehensive Work-From-Anywhere (WFA) environment was an adjustment, but it was a smooth transition, thanks to a scalable, secure connectivity model.
In March of 2020, work became “new” again. Employees worked in a new location, and relied on technology that to many was novel. But today, we’ve acclimated ourselves to a remote-enabled workplace. It no longer seems different, and any novelty attached to collaboration technologies, techniques, and processes has worn off. Changes -- to the office, to the home office, to the actual way we perform work -- no longer seem so temporary. In March 2020, we assumed that when the health crisis eased, employees would return to in-office work.
But it’s not that simple. A funny thing happens when employees begin working remotely. They like it. Productivity goes up. So does job satisfaction. As a direct result, enterprises are reenvisioning the future of the workspace: It’s a hybrid model, with a mix of on-premise and off-premise work. And it’s here to stay.
Accelerating innovation...out of necessity
Few could have predicted the global pandemic would lead to systemic change to infrastructure, process, and to the literal way work gets done. If the pandemic has taught us anything, it’s that agility has become more than just a differentiating competitive advantage. Resilience is now table stakes, agility a required cost of doing business. And enterprises must be able to ensure efficient and secure operations, even with a now-permanent pivot to a WFA environment.
The shift to remote access accelerated innovation, forcing organizations to adopt new technologies faster than ever before. Research from both McKinsey and KPMG found that companies accelerated digital transformation initiatives by as much as several years. Even the normally-staid U.S. federal government learned to pivot.
The center of gravity shifts from the datacenter to the internet
Even before the pandemic, enterprises were seeing a dramatic shift in where work was being done. Enterprise workers sought an easier, more convenient, scalable way to get their work done, and the cloud delivered on that vision.
The cloud, in its many forms, represents an abstraction of hardware and software. Storage moves from physical to virtual, with capacity becoming (theoretically) infinitely scalable. Early use cases often focused on the disposable nature of machines. With the cloud, a QA engineer was suddenly able to spin up (and then spin down) thousands of virtual test environments without having to procure costly hardware. Meanwhile, users embraced -- or demanded to use -- SaaS services like Salesforce, ServiceNow, GitHub, Microsoft 365, and more.
Enterprise leaders -- often with end-user “tail” wagging leadership “dog” -- eventually caught up to their employees. The great cloud migration progresses as enterprises move custom applications and solutions from their own hosted datacenters to the cloud.
What drives cloud migration? A 2019 Deloitte survey of more than 500 IT professionals found the top three cited reasons were security and data protection, data modernization, and cost. And that was before the global pandemic, an event that has only accelerated enterprise migration to the cloud. A 2020 Bain & Co. report (as well as subsequent analysis from the University of Pennsylvania’s Wharton School of Business) noted the extent to which the cloud facilitates supply-chain visibility, risk mitigation, forecasting, and ultimately, business resilience.
IoT, 5G stretch corporate data communications management
New technologies are taxing corporate IT leaders’ ability to secure them, particularly as organizations adopt the cloud and the internet as a corporate networking backbone.
Internet of Things (IoT) and Operational Technology (OT) devices provide micro levels of detail in enterprise functions. On the shop floor, inside the engine, out in the orchard, IoT/OT sensors keep managers, analysts, and business decision-makers apprised of operations.
In its earliest iterations, IoT was a closed system: IT leaders managed the hardware, network, and communications infrastructure for (not so) remote sensor devices. But today’s IoT leverages the internet as a network backbone, and operates in the cloud. That complicates security: For enterprise IoT leaders, each individual sensor (of what can be among millions of individual sensors) represents an end node that now must be secured like any other corporate system. That requirement -- along with the vulnerability of IoT devices exposed to the internet -- changes the way IT security leaders must consider cybersecurity.
Then there’s 5G. A dramatic step forward in mobile device connection speed, 5G delivers “Netflix-fast” connectivity to phones, tablets, and anything able to receive a 5G signal. The challenge for IT leaders is that 5G is so fast it makes secure corporate networks seem slow by comparison. The temptation is for end-users to bypass legacy security protocols to achieve faster network performance. That understandable “rogue” behavior can actually make an employee more productive, but introduce unacceptable business risk. How can an organization both embrace 5G service and protect 5G data communications without compromising corporate security or end-user connectivity performance?
Coming next week: “Drivers for a Zero Trust Architecture, part the second: How old security fails in the face of new threats.” Stay tuned.
Defining Zero Trust Security #1: “The history, context, and co-opting of Zero Trust”