Virtualization Technology News and Information
VMblog Expert Interview: Banyan Security Talks Work From Anywhere, a Post-COVID Workplace, Digital Transformation and Zero Trust Technology


It's hard to believe in many ways, but it's now been a year since many in the workforce transitioned from the office to working from home. To discuss this in more detail, VMblog connected with Tarun Desikan, COO & Co-Founder of Banyan Security, who shares a unique perspective on lessons learned about working from anywhere this past year, forecasts what a post-COVID workplace and culture will look like, and offers a technical perspective on which technologies worked and which didn't in supporting the remote work environment.

VMblog:  A year after workers were forced to leave the corporate office to quarantine and work from home, we're starting to see hopeful signs beginning with the rollout of the coronavirus vaccine. As work from anywhere becomes the new requirement, what work modes or patterns do you see prospects and customers looking to support?

Tarun Desikan:  "Work from home" is different than "work from anywhere." As people begin to be mobile, working from home, the coffee shop, hotels, and the corporate offices, access will need to be a transparent experience for end users, and provide IT ease of administration and management. Of course, this will all need to be done while living up to modern Zero Trust security standards including the use of device trust, continuous authorization, and least-privilege access.

Emerging from COVID, organizations will need to decide which worker modes they will support. On-site employer location? A personal location like home? Both employer and personal location? Exclusively virtual? And of course combinations of all the above. Once this is decided, IT and Security will need to figure out what the infrastructure and security requirements look like. Odds are high that the legacy VPN is likely not the best choice.

VMblog:  As organizations begin to transition to a post-COVID workplace, will working from home and remote work still be a big issue? How will this impact corporate culture? What organizational or employee challenges do you anticipate being needed to support that?

Desikan:  Absolutely. Even before people were ordered to work from home, access to business applications has been moving outside physical offices for years. The growing interest in zero trust suddenly turned urgent when the COVID-19 shelter-in-place order drove 90% plus of the corporate workforce to become remote workers. VPNs, VDI, remote desktops and other traditional network-based remote access solutions that had been an occasional inconvenience suddenly turned into a daily headache and impediment to productivity. Hackers exploited existing vulnerabilities and the increased exposure due to record usage volumes. Admins are recognizing that secure remote access is a growing problem that needs to be solved. As work from home shifts toward an honest to goodness "work from anywhere" mindset, interest in migrating to zero-trust solutions will only increase.

The post-COVID workplace will be a major shift especially in tech hubs like Silicon Valley, which previously relied on creating office workspaces and culture to lure employees into staying on campus as much as possible with fancy offices, free food, gyms on site, etc.

From a security perspective, every company will have to reassess how employees securely access corporate resources and data without breaching the limits of yesterday's remote access technology. Make no mistake, secure remote access is a major issue, and it is important to continuously assess the security posture of the user, their devices, and the sensitivity of the applications and data that is being accessed. Personal devices are accessing sensitive company information, leading to more successful phishing and ransomware attacks. Google's Threat Analysis group has detected over 18 million phishing and malware Gmail messages per day since COVID-19 started. State-backed hackers are exploiting VPN vulnerabilities, and social engineering attacks are on the rise.

VMblog:  In terms of technology, what technologies really came into play and were successful from a user and an IT perspective in the last year?

Desikan:  VPN technology was developed more than 20 years ago to expand trusted networks by connecting corporate offices into a unified network. Eventually, the technology has been expanded to support a relatively small percentage of users with specific remote access needs. Today, corporate data and applications are moving to the Cloud, entirely separate from the trusted network. Employees and contractors are now mobile, spending more time outside the corporate walls with a variety of corporate managed, BYOD, and unmanaged devices. VPNs are being used heavily to support the growing demand for remote and third-party workers, and continue to be one of the primary mechanisms for granting trust to remote workers, but they were never designed to be the primary access path, securely supporting the majority of corporate users.

We've spoken to dozens of IT teams during the COVID-19 pandemic. By now, most IT teams have learned how to enable a remote workforce - purchasing new technologies and operationalizing new processes. We have been consistently impressed by how resourceful and resilient IT departments have been. However, one step IT departments did not have time to get right is the corporate security posture. From mission-critical applications left exposed to the internet to users connecting compromised personal devices to privileged networks, security risks have only increased in this new remote-first world. IT teams need to recognize the changing nature of security threats, re-evaluate architectures, and develop the right long-term solutions to protect their organization.

IT departments need to reassess the state of VPN technology, as it was designed for a very different world. VPNs follow a similar paradigm to their predecessor, the Modem Pool, that allows you to "dial in" to your office network. As enterprises run more applications in the cloud, and workers are predominately remote, this type of overly-permissive connectivity and access is simply inappropriate. In the end, VPNs were not meant for such environments and hackers are exploiting VPN flaws daily.

Enterprises are moving away from the traditional VPN to modern alternatives based on Zero Trust Network Access (ZTNA). The core principle of Zero Trust is to reduce the reliance on network security by enforcing a strong user, device, and application posture. In a few years, most employees will not need a VPN to get onto a corporate network to do their jobs. Using ZTNA, they will be able to work from anywhere, and on any device.

VMblog:  In terms of security, what concessions did organizations make to support working from home? How do you see this changing going forward as organizations support work from anywhere and broaden their use of temporary/contract workers?

Desikan:  One item that stands out is the strengthened view on productivity and remote work. While we're confident that some percentage of workers will want to come back into the office, we know a significant percentage will want to continue to work remotely at least part of the time.

In order to maintain maximum financial flexibility, companies are making more use of temporary workers, which directly affects HR, IT, and Security workload. Efficient onboarding and offboarding, while maintaining security, is of paramount importance. Ensuring that workers are productive as fast as possible without being a drain on others is also key.

VMblog:  How did the maturity of an organization's digital transformation impact their pandemic readiness? How do you see any lessons being applied going forward?

Desikan:  One of the interesting things we have seen over the past year is that organizations who were further along in their digital transformation tended to be better prepared to support their workers working remotely. Said another way, the whole of the workforce must be productive to ensure successful digital transformation, and seamless, secure access to resources is required for that productivity.

VMblog:  How does Zero Trust technology work?

Desikan:  Fundamentally, zero trust is a very simple idea - we make no assumptions about trust. When a worker needs access to a resource to get their job done, we shouldn't make trust assumptions about a trusted network when authorizing that transaction. Eliminating enduring trust in the network from security models means that each and every access request should be validated, initially and continuously, based on the contextual combination of the user and their device. While quite a few products have now adopted the basic principle of zero-trust by validating each access request, most of them don't take the concept seriously enough to continue to validate trust beyond the initial request, leaving sensitive resources at risk for the vast majority of the time.

The zero-trust approach to security has the advantage that it can be implemented in such a way that it is completely transparent to the user. Users often resist new security solutions because they can have a negative impact on productivity, so a solution that silently assesses and monitors the trustworthiness of the requester and the appropriateness of the request can deliver end-to-end secure access while supporting maximum productivity and usability, without forcing them to log into a separate cloud service first.

VMblog:  How does Zero Trust technology help support organizations shift to a hybrid work environment?

Desikan:  Zero Trust solutions can be a great way to manage an organization's digital transformation, as the leading solutions provide a secure "umbrella" across the heterogeneous infrastructure types that naturally result. In other words, you can fundamentally improve your security and usability today, without having to wait for your on-premise to cloud migration to complete. For many companies, infrastructures will be shifting for years to come, so look for solutions that are able to support heterogeneous infrastructures (private/hybrid/multi-cloud and on-premise), devices (managed and unmanaged/BYOD), users (employees, developers, contractors, consultants, partners, etc.), and resources (web apps, SaaS apps, servers, services, even APIs).


Published Tuesday, March 09, 2021 7:40 AM by David Marshall