All of us have seen or issued guidance that looks something like this: “We are committed to doing our part to stem the spread of the COVID-19 virus. Consistent with guidance from the World Health Organization, the U.S. Centers for Disease Control and Prevention, and other national and local health authorities regarding efforts to limit the spread of the virus, we have taken steps to mitigate service disruption while protecting the health and well-being of our associates. To advance these objectives, we have shifted some of our service delivery and operations to function through work from home arrangements.”
The work from home (WFH) movement being enforced on and by companies around the globe is helping to stop the spread of COVID-19. But it is also opening up critical new risks to our economy that transcend the current pandemic. Therefore, we must evolve beyond simply implementing WFH and find ways to ensure that citizens, companies, governments and the nation are secure from home (SFH) as we work from home.
John Carlin, former assistant attorney general for the U.S. Department of Justice’s National Security Division and current chair of Morrison & Foerster’s global risk and crisis management team, recently co-authored an article that said “while this worldwide crisis has introduced new complexities and challenges, it also has presented an opportunity for hackers seeking to capitalize on the pandemic to maximize the impact of cyberattacks on government and private sector infrastructure. We expect nation states’ and criminal groups’ activity to increase as they target newly vulnerable remote employees and IT teams distracted by the dramatic increase in usage.”
It is known adversarial tradecraft – now playing out in real time – to cause or exploit a big risk at the front door, while more quietly doing damage through the back. This problem is being further exacerbated by outdated guidance to simply use a virtual private network (VPN).
VPNs were once the right answer, back in the days when fewer than 20% of your workforce needed to work from home. This technology was the right answer back when you had all of your secure systems in your own data center instead of scattered across the clouds and containers.
This old method of connectivity was the right answer when adversaries didn’t bother targeting your company. VPNs were the right answer when you had limitless budgets and trained security personnel to work with (ok, that was a rare reality).
But VPNs are not the right answer today for enterprises that work in the cloud, that need their entire workforce to be fully productive from home, or that are part of our critical infrastructure and the global economy. In fact, advice to simply use a VPN is beginning to have the unintended consequence of promoting less security in this mad dash to enable WFH.
Here are some realities that the Unisys security teams are seeing in the field today:
- VPNs often are of questionable origin. These include many of the ‘free’ or cheap VPN services that may or may not terminate in some hostile place. Remember, if an internet service is free, it’s also likely monetizing your data.
- VPNs may encrypt from home to some corporate network access point, but not necessarily to the actual applications. Instead they may be switching back to clear text as the packets float through your network, making them easily accessible to thieves or ransomers.
- Some VPN concentrators are so overloaded that they need massive injections of hardware, software licenses, rules managers and time just to accommodate the increased demand.
- Industry is facing a 400% increase in attacks on VPN infrastructure. That adds to the chaos, with some of what we thought to be load issues turning out to be hostile acts – think ransomware.
- Worst of all, managers who have been given the edict to facilitate WFH are sometimes opening the security doors and allowing unsecured access because their VPNs can’t handle the job for everyone.
Clearly VPNs are Not Cutting It
If your company has implemented a WFH strategy and is experiencing some or all of the above, it’s a great time to make the move to a Zero Trust model.
This model supports the efficiency enabled by containers, clouds and Kubernetes; understands the external and internal threats we all face today; and enables the secure scalability that today’s operations demand.
Making WFH into Secure From Home
At Unisys, and with many of our clients, we have one set of Zero Trust-directed security policies that span on-premises, cloud, and container deployments around the world. Using our Always On Access methodology powered by Stealth®, which leverages advanced and proven technologies including mobile, microsegmentation and Kubernetes, we’re able to add as many home/remote users as necessary and maintain security, identity, and encryption all the way to the applications. In fact, within the first week of the COVID-related mandates, Unisys went from approximately 15% remote workers to over 90%, and that change was completely transparent to the global workforce. Increasing employee productivity without sacrificing security, timeliness or budgets is possible, and is being realized right now.
Like firewalls before them, VPNs have had their day. But the realities of the new digital enterprise, compounded by the newest reality of the global pandemic, require that enterprises rethink their security. It’s time to immediately double or triple the number of employees that can be securely productive, and to make Zero Trust work for you.
There’s a lot riding on this.
Tom Patterson is Chief Trust Officer, Unisys