For Most Companies, Securing Remote Work is Unfinished Business

This post was initially published by our Senior Advisor, Robert Clyde, in InfoSecurity Magazine

There has been relief around the corporate world this year as many executives have been pleasantly surprised how well their organizations have been able to quickly transition to predominantly remote workforces.

For those enterprises whose employees primarily worked in the office before, pulling off the pandemic-driven shift to remote work was a major feat, a transition enabled by swift and conscientious work on the part of many IT security professionals. Yet, the work is not done, particularly as it pertains to the ongoing acceleration of migrating technology resources to the cloud to better facilitate remote work.

As we head toward 2021, companies remain concerned with securing their remote work infrastructure, especially when employees are using their own equipment at home. To secure their companies’ ability to work remotely, many IT teams are expediting their move to the cloud and SaaS applications, with less reliance on on-premise infrastructure.

In my conversations with CIOs and CISOs, I’m consistently hearing about pressure to accelerate that movement, and I expect that trend to only intensify in the new year (think compressing two-year plans into one-year plans, or instead of 25 percent movement to the cloud in 2021, the target bumps up to 50 or 60 percent).

Companies are in a hurry to accomplish this because it’s easier to manage remote workers with SaaS applications and cloud platforms that were designed for remote access. Conversely, in many cases, cyber-criminals are able to tunnel into corporate networks by hijacking users’ VPN connections. Once an attacker compromises a user’s endpoint, they have access to the user’s VPN connection, so they’re in your network.

With the use of cloud and SaaS, VPNs into the internal network are not needed, thereby lessening the attack surface. This is another reason why security leaders are so determined to transition to the cloud quickly.

While rapid cloud migration makes sense in this era, any major transition – and especially one done in an aggressive timeframe – comes with business risks that need to be addressed.

There are especially big risks if organizations take the approach that they’re just going to throw more people at a problem while continuing to use the same, old methodologies. As organizations rapidly invest in cloud migrations, it is especially important to adopt DevSecOps development methodology, where security “shifts left” into the process.

I don’t see a way to safely accelerate the move to cloud without DevSecOps as part of the equation to maintain quality and incorporate security into the transition, potentially utilizing the expertise and software of DevSecOps providers such as JupiterOne or Anitian to assist.

Transitioning to cloud platforms also opens organizations up to new compliance hurdles: enterprises can work around those compliance and data protection challenges through microsharding across multiple cloud locations and strengthening their encryption practices. As is always the case in this era of continuous learning for technology professionals, developing further expertise on topics such as cloud auditing will position their organizations for the challenges of an expanded cloud footprint.

Underlying all this is the concept of zero-trust. In today’s era of cyber threats, you see a lot of companies shifting from a perimeter mentality to one in which there are applications and microservices that are assuming zero trust in their architecture. This is much better for facilitating remote work.

Additionally, as we move forward, expect an even greater shift to more robust multi-factor authentication practices, another solid security layer to help secure remote work. Organizations also can incorporate more machine learning to enhance their end-point protection software, and benefit from running enterprise-trusted app listing software so only known good code is run. Trust lists can be automatically populated from resources such as White Cloud Security and Carbon Black, and the result tends to be effective against ransomware and other growing threats because malware will not be executed, as it is not known, good code.

While 2020 has reinforced that life always comes with a degree of uncertainty, it is a good bet that doubling down on cloud infrastructure will be high on many IT departments’ to-do lists for 2021. Even if the distribution of COVID-19 vaccines expedites the pandemic’s end as we all hope, the nature of office life will never be the same.

Companies are increasingly open to remote work and will re-imagine their work environments even for those who still commute in, likely with more hoteling-style seating arrangements that will phase out security protocols based on where people sit.

Heavy reliance on the cloud is becoming table stakes for most organizations, and many of them still have a lot of ground to cover – quickly – in making that a reality. By incorporating good practices such as DevSecOps, microsharding and committing to ongoing learning on cloud security best practices, organizations can build on the progress they’ve made in supporting remote work and make the practice secure and sustainable for 2021 and beyond.