Cast your mind back to March 2020. What was going through your head? Was it a sense of panic and the realisation that the infrastructure you were working with was not up to the task? If so, rest assured that you were not the only one in that boat.
It’s easier now to look back on those times knowing that things worked out. For a full year, the majority of the workforce has managed to be productive from home offices, spare bedrooms and living rooms. Businesses are viable and profits are still being made in many industries - all through the hard work of IT teams.
Getting here, however, was not a smooth process. Businesses of all sizes and in all sectors have grappled with the technological infrastructure needed to keep their workers productive. And in truth, we’re not yet completely where we need to be to make this a future-proof means of working long-term.
Before we can assess how we move ahead into the next year and beyond, we have to look back at the circumstances that led us here. First and foremost, how the infrastructure investments made by businesses in 2019 made the switch to mass remote working as troublesome as it has been.
The path to connectivity in 2020
Investments made in previous years led to many difficulties in enabling remote work at scale. The majority of businesses had invested in on-premises, appliance-based remote access solutions, which had a finite capacity. These solutions were sized for a limited number of users who needed remote access prior to the lockdown. They would have had a decent amount of headroom for those ‘snow days’ where maybe 30% of staff might need remote access. However, they were insufficient for providing reliable access for 100% of staff.
These types of solutions rely on appliance-based technology from 20 years ago and can be difficult to upscale in a short space of time. The issue was compounded when companies did not just require users to connect via VPN to reach applications within the corporate datacentre. Working from home also required all internet access to go via VPN to the datacentre to ensure it was scanned by security appliances. This effectively magnified the burden on internet circuits and the associated networking equipment.
You may well have found yourself in the same position - stretching those appliances as far as you could. You also likely found yourself dealing with a solution vendor to accrue more licences or ordering more hardware to connect more users, only to discover that during the lockdown manufacturing, shipping and implementation proved difficult.
These difficulties were widespread and led to a scarcity of IT hardware. With the huge demand from companies upscaling their environments, vendors were quickly sold out of appliances. To add to that, lower numbers of workers in factories resulted in lower production. With limited transportation services, it took longer to deliver net equipment. The proverbial ‘perfect storm’.
Internal politics of remote work
Faced with the monumental challenge of keeping business productivity stable without the software or hardware to manage it, inevitably meant that internal politics came into play in organisations. It was no longer only the network and security pairing trying to cope with the situation alone. These departments were increasingly put under pressure by the application owners in the form of operational leaders or the head of digital transformation.
Those roles, which are in charge of providing access to all the business-critical SaaS-based applications, such as Microsoft 365 or Zoom, often proved to be the loudest voice in the room and had the ear of budget holders regarding infrastructure decisions. As these applications tend to perform best when going directly to the internet rather than through the main data centre and out to the internet via secure web gateways, organisations prioritised performance over security.
Many IT teams spun up remote desktop protocol (RDP) solutions, enabling workers to use their personal computers or home tablet to access the corporate network. By bypassing security controls, IT teams fixed the connectivity issues but created cracks in security. The results of these gaps could be seen in the back half of 2020.
In October, the U.S. National Security Agency released a list of the top 25 security vulnerabilities that Chinese hackers are exploiting to steal intellectual property, as well as economic, political and military information. Around half of these were RDP and VPN vulnerabilities. We also saw a surge in ransomware targeting multinational businesses. These attacks are the inevitable results of basic security principles, such as change control and patching management, being overlooked to enable that essential connectivity.
Where security and performance collide
These remote-access quick fixes have been a necessary evil for IT teams. Yet, organisations were obliged to rely on the infrastructure investments made pre-pandemic long enough to see a return on investment and satisfy the finance department. For some heavily regulated sectors, such as financial services, it’s unsurprising that they didn’t have the agility to make the needed architecture shift.
For those of you still working with legacy infrastructures, now is the time to invest in ensuring the last-minute COVID-19 driven emergency workarounds do not become the permanent solution for the future. Cloud-based solutions are the obvious answer here, but migrating applications to the cloud is only one piece of the puzzle.
If the underlying network and security infrastructure is not cloud-ready and business is taking place away from the trusted network and outside of the traditional perimeter, a new infrastructure is essential to staff performance. Organisations can no longer choose between network speed and security posture.
We recently researched how European businesses are accessing their applications and services and solutions are varied. Across Europe, one-third of remote employees access their corporate apps via RDP, while 30% use remote access VPN solutions. Identity and access management (IAM) and zero trust solutions are less popular, at 19% and 17%, respectively.
The most popular solution in the UK is RDP (45%), whilst zero trust-based solutions (35%) are favoured in Germany. Just over half (52%) of those in France access via remote access VPN, making that the most popular, whilst 51% of Swedes opt for IAM. Ultimately, what organisations need is a more unified remote access approach to close the gaps in security whilst still enabling application performance.
Solutions, such as zero trust network access (ZTNA), enable employees and users to be connected directly with their dedicated assets without the need to open up the entire network to provide access to an application. This new approach to security achieves the same corporate-level protections for organisations and supports a more agile, productive and cost-effective work culture.
Additionally, the secure access service edge (SASE) framework automatically applies identity- and destination-based policies independent of where users are in addition to the above connectivity to known assets and connections to the internet. Employees can connect directly to the internet in a safe manner even beyond the corporate perimeter.
Architecting for the future: performance and security are equally important
As we move further into 2021, IT teams must ensure that app performance is consistent regardless of location to maintain business continuity. However, since remote working appears here to stay, IT teams must begin architecting for the future by incorporating the necessary dynamics of a flexible work environment. Those requirements demand an infrastructure that can combine security and performance, no matter where applications or staff are residing.
So far, companies have been clinging to the technologies used to provide access to applications in the office while using different solutions for remote access - solutions that impede user experience and increase security risks. The shift to remote work imposed by the pandemic has proven that employees can work productively from any location. Moving forward, IT teams shouldn’t make a distinction between office-based and remote access. What matters is that employees can rely on seamless and secure connectivity regardless of their location.
Moving apps to the cloud was a good first step, but it isn’t enough. Network transformation must go hand-in-hand with app transformation and requires an adaptation of your security posture. Companies must tie performance and security together. Therefore, companies should start replacing remote access with a consistent, secure access policy that applies wherever the user works. Organisations must replace last year’s hot-fixes with investments in new, cloud-first infrastructures and approaches.
About the author
Danny Phillips is VP of Sales Engineering for Europe, Middle East, Africa at Zscaler. Ever since he received an Acorn Electron for his fifth birthday, Danny has known technology would be his life’s passion and profession. Beginning his career at Reuters in the mid-90s in front-line engineering, Danny enjoyed long stints at BT and Citrix, before joining Zscaler in 2017.
Today, Danny leads an amazing group of security professionals at the forefront of the industry, helping European customers in both the public and private sectors adapt their security posture for the cloud-first world and to navigate through their transformation challenges.
A regular at security tradeshows and conferences (now virtual, of course), Danny speaks on the latest developments around SASE (Secure Access Service Edge) and ZTNA (Zero Trust Network Access) and about best practices implementing new security architectures across different vertical industry sectors.