The Hybrid Office is Here to Stay
The business world changed – perhaps forever – in 2020. The COVID-19 pandemic resulted in a rapid transition to a Work From Anywhere (WFA) environment. According to the 2019 National Compensation Survey (NCS) from the federal Bureau of Labor Statistics, only 7% of civilian workers in the United States had access to a “flexible workplace” benefit, or telework. Post-pandemic, a survey by PwC found that 89% of the respondents believed “Many” or “Most” office employees will work remotely at least one day a week.
The shift is welcomed by many employees. The average commute time in the US in 2019 was almost 30 minutes each way and could exceed an hour in many urban areas. Eliminating the cost and time of commuting allows a better work-life balance. From a security standpoint, many believe that happy workers are more productive, less likely to leak data intentionally, and more likely to keep the company's interests in mind. Businesses also see benefits in allowing WFA. Fewer on-site employees allow organizations to reduce expensive office space.
10,000 Unmanaged New Remote Offices
There is risk associated with the WFA movement, however. Before COVID, an organization with 10,000+ employees and 30 locations had a manageable number of locations to monitor and protect; as more people work remotely, it now has 10,000 remote offices. This number also includes the multiple locations each employee may use, including public Wi-Fi locations. Each WFA employee represents multiple locations that must be protected from insider and outsider threats, whether that is one day per week or five. For many remote workers, information security controls are not top of mind within the corporate network, and some may feel free to do as they wish outside the office environment. While there is the malicious actor element, it is often unintentional acts, where an employee is simply trying to get their job done, that can lead to data loss.
“From a security perspective, [Remote work is now just work] requires a total reboot of policies and tools and approved machines to better mitigate the risks.”
- Gartner Top Security and Risk Trends for 2021
WFA workers are not operating within a managed IT infrastructure. Open, unpatched, or poorly protected home routers make an attacker’s job simpler. Web-based chat applications like Slack and Teams open avenues for sharing sensitive data with co-workers but can also serve as egress channels for an organization’s intellectual property (IP) and data subject to compliance oversight like Protected Health Information (PHI) and Personally Identifiable Information (PII). Likewise, unscrupulous employees may bypass corporate VPNs, upload sensitive data to personal cloud storage services like Google Drive and Dropbox, or use home printers to make copies of product plans, customer lists, and financial records to bring with them to new employers. USB drives are also potential channels for data loss or theft.
“Nearly 40% of home routers had not received a security update in over a year; nearly 20% were over 2 years without an update.”
- Fraunhofer Home Security Report 2020
Changing Environments Require New Strategies
Organizations that have built security strategies around a perimeter defense – all employees operating within a controlled environment – must adopt new approaches. As organizations contend with a remote workforce, Gartner, a leading research and advisory firm, found that “cybersecurity control failures” were the most critical respondent concern in the first quarter of 2021, topping “new working models”, “remote talent management”, and “organizational cultural degradation”. They cited this as a “High-Impact, High-Velocity Risk”, particularly for organizations that “prioritized on-premises security over secure remote work access”.
“The real challenge in cybersecurity is preventing breaches on the endpoint. Breaching the endpoint is the goal of almost all cyber-attacks because that’s where the sensitive data actually sits.”
- George Kurtz, CEO, CrowdStrike
Focus on the Endpoints
In the WFA environment, on-premises defenses are a poor match. Organizations working to control the loss of intellectual property, trade secrets, and other sensitive data need visibility and control over data wherever it resides, while also enabling an increasingly distributed and agile workforce. That means protecting data on the endpoints, where egress typically originates and which can be a blind spot for network-based security tools focused on the office-based worker.
The 2021 Digital Guardian Data Trends Report found a large increase in data egress in the months following the World Health Organization’s pandemic declaration. This included:
SASE Gaps
Many organizations have turned to cloud-based Secure Access Service Edge (SASE) solutions to address security in a distributed workforce. SASE combines network security functions like Secure Web Gateways (SWG), Cloud Access Security Brokers (CASB), and Zero Trust Network Access (ZTNA) with Software-defined Networking (SD-WAN) capabilities to provide organizations with better control and visibility to users and data on an organization’s network. Briefly, SASE pushes security monitoring to the “service edge” where users and systems interact with data. Rather than maintaining security functionality on each device, endpoints redirect traffic to the service edge for authentication, authorization, monitoring, and control.
Strategic Roadmap Overview for SASE Convergence
Future State
- Consistent policy enforcement
- Simplified policy management
- Sensitive-data visibility and threat awareness
- Consistent coverage for all types of access
- SASE strategy includes branch offices and edge networking
- Modular architecture, single-pass encrypted inspection at scale
- Contractually enforced SLAs
- Zero trust security posture
- Transparent end-user experience
- Unified IT responsibility
Current State
- Inconsistent policy enforcement
- Complex and disparate management consoles
- Immature sensitive-data visibility and threat awareness
- Inconsistent coverage across access types
- Siloed security strategy separate from SD-WAN and edge strategies
- Monolithic architectures that don’t perform at scale
- Basic SLAs
- Basic or no zero trust capabilities
- Fragmented and frustrating end-user experience
- Separate and siloed security and networking teams
Gap
- Organizational silos and existing investments
- Architecture and POPs
- Sensitive-data visibility and control
- SASE security services maturity
- Limited number of comprehensive SASE offerings
Migration Plan
- Strategy - Develop the enterprise strategy and timeline for SASE convergence and adoption.
- People - Longer term, unify the teams into one organization.
- Technology - Inventory network security and network technology contracts, platforms and capabilities for SASE convergence. Identify requirements for local POPs.
- Measurements - Enforce SLAs. Set explicit goals and timeframes to replace excessive implicit trust with a SASE-delivered zero trust security posture.
However, the current state of SASE leaves organizations with several security gaps, particularly around Data Loss Prevention.
Visibility to Sensitive Data
Inconsistent Policy Enforcement
Poorly Secured WFA Environment
Local Device Egress
Closing the SASE Gap
While SASE solutions are useful for ensuring authorized access to systems and data for employees operating within the corporate network, they are poorly suited for protecting sensitive data in a WFA environment. InfoSec leaders need to take steps to address this challenge and the new work environment, which is expected to last for the foreseeable future.
Fortra™’s Digital Guardian® complements SASE adoption to extend visibility and control to endpoints inside and outside the corporate network. Digital Guardian provides information on where your data is, how it is used, how it flows throughout the organization, and when it is at risk.
Visibility to data wherever it resides
Visibility to Risky Activity
Flexible classification and granular, contextual control
Control desktop applications for Cloud services
Block and protect removable media
Controlled printing
SASE and DLP Together
Secure Access Service Edge solutions can simplify network security by combining multiple solutions. The missing piece – Data Loss Prevention – is particularly acute in a Work From Anywhere environment where employees have access to poorly secured networks and devices. Digital Guardian works on the broadest collection of endpoints to provide visibility and control to all sensitive data, educating users about unsafe behavior, blocking malicious actions, and providing the detailed reporting security leaders need.