It’s a network, not a security blanket
Sep 22, 2022
Editor’s note: Cushman & Wakefield, a real estate services company, has over 52,000 employees working across 70 companies.
When I joined Cushman & Wakefield, I wanted to transform the way we thought about IT security. It was important to me that we transitioned from thinking about security as something driven by infrastructure, devices, and appliances like VPNs and firewalls, to thinking about security as just another service.
Because many of our employees – property managers, building engineers, and other technicians – spend most of their days in the field, a large percentage of our personnel rarely sets foot in the office. Even before the COVID-19 outbreak, only about 30% of our staff worked from a corporate office on a given day. So achieving a cohesive security experience, where policies follow users wherever they go, had been a priority for Cushman & Wakefield to align our security services and experience.
In a post-COVID world, we will still have reasons for prioritizing remote work enablement. As a CISO of a global company, with global responsibilities, it simply makes more sense for me to prioritize communicating with distant geos over commuting to an office most days. A hybrid model of work is simply better for both the productivity and well-being of Cushman & Wakefield employees and their families.
When I joined the company, however, our security model was still catching up to this new way of work. We were still using VPNs to connect to an internal network, which led to a poor user experience and exposed a large attack surface.
I decided that a transition to zero trust was the most sensible way to address these issues, and I wanted to focus on two core goals:
- Eliminating the corporate network – Ensuring that, once a connection to the internet was established from any machine, the experience would translate the same whether the user was at home, in the office, or on the road.
- Isolating assets to limit blast radius – Keeping employee devices off of any type of network where infections would be able to spread and compromise additional assets.
I wasn’t concerned with the occasional need to reimage an infected machine. Our approach was that computers were simply shells, means of accessing the productivity tools that enable our workforce to meet business objectives. We were aiming for a world where all important data could be accessed from any location or device through proper identity access management and according to principles of least privilege. That’s what I saw as the promise of the cloud-first model.
A far more significant hassle than the odd infected machine, in my mind, is the time sink of asset management. Provisioning devices for new employees, retrieving them from departing employees, and spending outsized amounts of time trying to tailor devices to each user’s job responsibilities seems to me to be costing my employees an unnecessary amount of time and energy.
While it will take us some time to get to the point of providing these capabilities through a VDI or similar means, transitioning to cloud-native applications makes it possible and far more cost-effective than shopping for a souped-up laptop for a programmer or security specialist who joins the organization.
Most importantly for Cushman & Wakefield, our focus on security as a service enabled a shift in priorities from securing in-office workers to all workers uniformly. Rather than only those behind our firewall and other appliances, we wanted to transition to creating a seamless security experience for users working all over the globe on all types of devices, whether corporate-owned or not.
By pursuing a zero-trust, cloud-first strategy we were able to deprioritize infrastructure and focus on implementing other controls. The Zscaler Zero Trust Exchange, in particular, gave us the ability to establish a centralized overview of where users are connecting, from which devices and their postures, and consolidating practices like blocking and monitoring.
Previously, major offices in New York, Chicago, London, and St. Louis were all running on different systems. Instead of trying to aggregate and parse that data on our own, we now rely on Zscaler to do it for us and present the data in a way that’s intelligible. That might mean associating a user or a device with a certain office like Chicago, or it could be used to provide additional context for ruling on an access request. This both increases organizational security and enhances the user experience.
CISOs gain invaluable operational efficiencies when previously disparate point security solutions – endpoint protection, VPNs, firewalls, native antimalware features – begin to be tied together via a common API into a cohesive security ecosystem. To achieve this prior to an integrated zero trust architecture, we would have had to throw all of our telemetry data into a SIEM and analyze it from there, a process I believe is overly complex and error-prone. Rather than rely on another point solution to aggregate data so my team can analyze and block threats, we’ve tied it into our overall security.
Such are the freedoms and efficiencies we gain by moving to the cloud. Still, for too many security professionals, the internal network is seen as a sort of teddy bear. It’s something they grew up with, something that brings them comfort – a fort inside which they feel safe from outside threats. But once we free ourselves from these notions, we can become more nimble, more secure, and more in tune with the way we expect to be able to work today.
What to read next