It's hard to believe in many ways, but it's now been a year since many in the workforce have transitioned from the office to working from the home. To discuss this in more detail, VMblog connected with Tarun Desikan, COO & Co-Founder of Banyan Security, as he provides us with a unique perspective on lessons learned about working from anywhere this past year, a forecast of what a post-COVID workplace and culture looks like, and offers a technical perspective on what technologies worked and didn't in an effort to support the remote work environment.
VMblog: A year after workers were forced to leave the corporate
office to quarantine and work from home, we're starting to see hopeful signs
beginning with the rollout of the coronavirus vaccine. As work from anywhere
becomes the new requirement, what work modes or patterns do you see prospects
and customers looking to support?
Tarun Desikan: "Work from home" is different than "work
from anywhere." As people begin to be mobile, working from home, the
coffee shop, hotels, and the corporate offices, access will need to be a
transparent experience for end users, and provide IT ease of administration and
management. Of course, this will all need to be done while living up to modern
Zero Trust security standards including the use of device trust, continuous authorization,
and least-privilege access.
Emerging from COVID, organizations will need to decide
which worker modes they will support. On-site employer location? A personal
location like home? Both employer and personal location? Exclusively virtual?
And of course combinations of all the above. Once this is decided, IT and
Security will need to figure out what the infrastructure and security
requirements look like. Odds are high that the legacy VPN is likely not the
best choice.
VMblog: As organizations begin to transition to a post-COVID
workplace, will working from home and remote work still be a big issue? How
will this impact corporate culture? What organizational or employee challenges
do you anticipate being needed to support that?
Desikan: Absolutely. Even before people were ordered to work from
home, access to business applications has been moving outside physical offices
for years. The growing interest in zero trust suddenly turned urgent when the
COVID-19 shelter-in-place order drove 90% plus of the corporate workforce to
become remote workers. VPNs, VDI, remote desktops and other traditional
network-based remote access solutions that had been an occasional inconvenience
suddenly turned into a daily headache and impediment to productivity. Hackers
exploited existing vulnerabilities and the increased exposure due to record
usage volumes. Admins are recognizing that secure remote access is a growing
problem that needs to be solved. As work from home shifts toward an honest to
goodness "work from anywhere" mindset, interest in migrating to zero-trust
solutions will only increase.
The post-COVID workplace will be a major shift especially
in tech hubs like Silicon Valley, which previously relied on creating office
workspaces and culture to lure employees into staying on campus as much as
possible with fancy offices, free food, gyms on site, etc.
From a security perspective, every company will have to
reassess how employees securely access corporate resources and data without
breaching the limits of yesterday's remote access technology. Make no mistake,
secure remote access is a major issue, and it is important to continuously
asses the security posture of the user, their devices, and the sensitivity of
the applications and data that is being accessed. Personal devices are
accessing sensitive company information, leading to more successful phishing
and ransomware attacks. Google's Threat Analysis group has detected over 18
million phishing and malware Gmail messages per day since COVID-19 started.
State-backed hackers are exploiting VPN vulnerabilities, and social engineering
attacks are on the rise.
VMblog: In terms of technology, what technologies really came
into play and were successful from a user and an IT perspective in the last
year?
Desikan: VPN technology was developed more than 20 years ago to
expand trusted networks by connecting corporate offices into a unified network.
Eventually, the technology has been expanded to support a relatively small
percentage of users with specific remote access needs. Today, corporate data
and applications are moving to the Cloud, entirely separate from the trusted
network. Employees and contractors are now mobile, spending more time outside
the corporate walls with a variety of corporate managed, BYOD, and unmanaged
devices. VPNs are being used heavily to support the growing demand for remote
and third-party workers, and continue to be one of the primary mechanisms for
granting trust to remote workers, but they were never designed to be the
primary access path, securely supporting the majority of corporate users.
We've spoken to dozens of IT teams during the COVID-19
pandemic. By now, most IT teams have learned how to enable a remote workforce -
purchasing new technologies and operationalizing new processes. We have been
consistently impressed by how resourceful and resilient IT departments have
been. However, one step IT departments did not have time to get right is the
corporate security posture. From mission-critical applications left exposed to
the internet to users connecting compromised personal devices to privileged
networks, security risks have only increased in this new remote-first world. IT
teams need to recognize the changing nature of security threats, re-evaluate
architectures, and develop the right long-term solutions to protect their
organization.
IT departments need to reassess the state of VPN
technology, as it was designed for a very different world. VPNs follow a
similar paradigm to their predecessor, the Modem Pool, that allows you to
"dial in" to your office network. As enterprises run more
applications in the cloud, and workers are predominately remote, this type of
overly-permissive connectivity and access is simply inappropriate. In the end,
VPNs were not meant for such environments and hackers are exploiting VPN flaws
daily.
Enterprises are moving away from the traditional VPN to
modern alternatives based on Zero Trust Network Access (ZTNA). The core
principle of Zero Trust is to reduce the reliance on network security by
enforcing a strong user, device, and application posture. In a few years, most
employees will not need a VPN to get onto a corporate network to do their jobs.
Using ZTNA, they will be able to work from anywhere, and on any device.
VMblog: In terms of security, what concessions did organizations
make to support working from home? How do you see this changing going forward
as organizations support work from anywhere and broaden their use of
temporary/contract workers?
Desikan: One item that stands out is the strengthened view on
productivity and remote work. While we're confident that some percentage of
workers will want to come back into the office, we know a significant
percentage will want to continue to work remotely at least part of the time.
In order to maintain maximum financial flexibility,
companies are making more use of temporary workers, which directly affects HR,
IT, and Security workload. Efficient on boarding and off boarding, while
maintaining security is of paramount importance. Ensuring that workers are
productive as fast as possible without being a drain on others is also key.
VMblog: How did the maturity of an organization's digital
transformation impact their pandemic readiness? How do you see any lessons
being applied going forward?
Desikan: One of the interesting things we have seen over the past
year is that organizations who were further along in their digital
transformation tended to be better prepared to support their workers working
remotely. Said another way, the whole of the workforce must be productive to
ensure successful digital transformation, and seamless, secure access to
resources is required for that productivity.
VMblog: How does Zero Trust technology work?
Desikan: Fundamentally, zero trust is a very simple idea - we make
no assumptions about trust. When a worker needs access to a resource to get
their job done, we shouldn't make trust assumptions about a trusted network
when authorizing that transaction. Eliminating enduring trust in the network
from security models means that each and every access request should be
validated, initially and continuously, based on the contextual combination of
the user and their device. While quite a few products have now adopted the
basic principle of zero-trust by validating each access request, most of them
don't take the concept seriously enough to continue to validate trust beyond
the initial request, leaving sensitive resources at risk for the vast majority
of the time.
The zero-trust approach to security has the advantage
that it can be implemented in such a way that it is completely transparent to
the user. Users often resist new security solutions because they can have a
negative impact on productivity, so a solution that silently assesses and
monitors the trustworthiness of the requester and the appropriateness of the
request can deliver end-to-end secure access while supporting maximum
productivity and usability, without forcing them to log into a separate cloud
service first.
VMblog: How does Zero Trust technology help support organizations
shift to a hybrid work environment?
Desikan: Zero Trust solutions can be a great way to manage an
organization's digital transformation, as the leading solutions provide a
secure "umbrella" across the heterogeneous infrastructure types that naturally
result. In other words, you can fundamentally improve your security and
usability today, without having to wait for your on-premise to cloud migration
to complete. For many companies, infrastructures will be shifting for years to
come, so look for solutions that are able to support heterogeneous
infrastructures (private/hybrid/multi-cloud and on-premise), devices (managed
and unmanaged/BYOD), users (employees, developers, contractors, consultants,
partners, etc.), and resources (web apps, SaaS apps, servers, services, even
APIs).
##