Security Experts:

Work-from-Anywhere Requires "Work-from-Anywhere Security"

Security policies and solutions need to follow users and data from anywhere to anywhere

Securing today's expanding networks often includes adding additional technologies to an already overburdened security environment. With organizations already struggling to manage an average of 45 security tools, with each incident requiring coordination across 19 different devices, adding new technologies to the mix may be the straw that breaks the camel's back. 

The most recent example of the rapid expansion of the network's attack surface has been remote work. The COVID-19 pandemic accelerated the need for a work-from-anywhere (WFA) strategy. And now, as workers begin to return to the office, a hybrid approach to work has become the new status quo. According to Accenture, 83% of workers prefer a hybrid work model that allows them to work remotely between 25% and 75% of the time. And businesses are listening. 63% of high-revenue growth companies have already enabled productivity anywhere workforce models. 

One of the biggest security challenges of a hybrid workforce is that employees need to move seamlessly between the corporate office, their home network, and other remote locations. Applications, whether deployed in the data center, SaaS, or cloud, not only need to be available from anywhere, but user experience—and security—needs to be consistent from any location as well. Security policies and solutions need to follow users and data from anywhere to anywhere. It can be difficult to achieve that interoperability at any level, let alone seamlessly hand off policies, correlate threat information, and provide consistent enforcement end to end.  

Work-from-Anywhere creates new security challenges

When the pandemic struck, workers suddenly needed to access critical corporate resources from their often undersecured home networks. While VPN was commonly used, access controls were often inadequate, allowing any user, device, or application to traverse that VPN tunnel to access corporate resources. And because endpoint devices and home networks were vulnerable, there has been an unprecedented increase in cyber events, such as the nearly 1100% increase in ransomware between June 2020 and July 2021. 

And because those workers will now be moving back and forth between work environments, maintaining consistent security is even more challenging because solutions from different vendors don't always work well together. One provides endpoint or EDR protection, another provides SD-WAN, a third does identity, maybe a fourth provides ZTNA. Another vendor offers SASE. There may even be different firewall vendors deployed across the data center, the branch, and on each of the cloud platforms in use. And worse, most of these tools were never designed for this level of interoperability. 

Securing the Work-from-Anywhere environment

Organizations need a "work-from-anywhere" approach to security, where solutions can follow and protect users, data, and applications from end to end. That means that the security on the endpoint needs to work seamlessly with access controls on the network and in the cloud. Secure SD-WAN and SASE solutions need to work with edge security and networking solutions, so security doesn't stop at the edge of the campus, branch, data center, or cloud. Access policy engines need to consistently support and enforce zero-trust policies everywhere. And policy and threat intelligence need to span the entire network, providing consistent protection and enforcement even as the network dynamically adapts to changing workloads and business requirements. 

However, creating such a cohesive and reliable solution with clear visibility and consistent control is nearly impossible. When tools aren't designed to natively work together, IT teams are forced to bolt them together using complex workarounds. But maintaining and troubleshooting such workarounds ends up consuming a significant amount of IT overhead. In such an environment, even trivial product updates can become a logistical nightmare. 

A unified cybersecurity mesh platform can address the three primary WFA use cases

The first step is to identify a cybersecurity mesh platform and set a roadmap to consolidate as many of your independent security solutions as possible with a unified set of zero trust, endpoint, connectivity, cloud, and network security solutions. These tools should be designed to work as an integrated system, whether deployed directly on a security mesh platform or interoperating with that platform using purpose-built clients and APIs. This unified platform approach simplifies policy creation and enforcement, ensures uniform configurations, centralizes management, and enables the monitoring and control of users, devices, data, applications, and workflows end to end. 

Fully integrated security, services, and threat intelligence platforms—that can be deployed anywhere, in any form factor—allow enterprise-grade protections to follow users and devices in the office, at home, or on the road to ensure productivity and security across the extended network. 

Such a unified platform strategy can be applied to virtually any use case, including today's three most common WFA scenarios—the corporate office, the home office, and the mobile worker:

• Corporate Office: Today's organizations rely on applications to conduct business regardless of where a worker is. As a result, strong endpoint security is essential even when working from a traditional office. An integrated solution should include advanced EDR technologies for devices, ZTNA and identity services for secure access, and a robust portfolio of converged networking and security solutions, such as Secure SD-WAN, that offer advanced networking tools designed to operate from a unified security platform.

• Home Office: Home networks are notoriously undersecured, containing vulnerable IoT devices, entertainment systems, and other devices. They also include non-employees who consume bandwidth with their own work, e-learning, video streaming, or online gaming. Securing such environments requires strong endpoint security, such as EDR, ZTNA for secure access to cloud- and data center-hosted applications, identity and access management tools, and a fast and isolated home office solution to extend corporate firewall protections to the entire home network. This home office solution should also segment the home network to provide corporate IT visibility of corporate traffic, while ensuring employee privacy for the non-work network, as well as optimize bandwidth for business applications. 

• Mobile Workers: Mobile users often rely on untrusted and unsecured networks to access critical business resources. Cybercriminals exploit these vulnerable networks to intercept communications or launch attacks against inadequately protected devices. As with the other use cases, securing mobile workers requires strong endpoint security (EDR) and ZTNA to ensure secure access to critical resources. A mobile network solution should include multifactor authentication, a cloud-based secure web gateway, CASB, and an effective SASE solution to ensure seamless interoperability with solutions deployed across the network.

Licensing needs to be as flexible as the network

Technology is only part of the solution. One new challenge many organizations face is that their licensing structure does not support a hybrid workforce, where users may be on or off the network at any given moment. Vendors need to provide unified consumption and licensing models that follow users and devices across any environment without the need to manually adjust licensing schemes.

A unified platform strategy ensures simple, seamless protection across the entire network.

If anything has become clear, it's that today's complex approach to security has about reached its limits in terms of scaling and adapting to today's highly dynamic and rapidly expanding digital environments. In fact, Gartner just recently named the process of integrating security tools into a cybersecurity mesh architecture (CSMA) as a trend for 2022.

Security must be as agile as today's workforce, ensuring consistent protection and optimal user experience regardless of where a user or device operates. Disparate technologies with separate management and configuration consoles bolted together with workarounds will always lead to security gaps and blind spots that cybercriminals will exploit. Competing securely in today's digital marketplace requires an integrated cybersecurity mesh platform where every element not only works together but can be deeply integrated into the network to ensure that every change and adaptation is automatically recognized and protected.

view counter
John Maddison is EVP of Products and CMO at Fortinet. He has more than 20 years of experience in the telecommunications, IT Infrastructure, and security industries. Previously he held positions as general manager data center division and senior vice president core technology at Trend Micro. Before that John was senior director of product management at Lucent Technologies. He has lived and worked in Europe, Asia, and the United States. John graduated with a bachelor of telecommunications engineering degree from Plymouth University, United Kingdom.