By Randy Becker, VP & Principal Security Architect
The pandemic has brought new and interesting challenges for all of us, and balancing support for users working remotely with ensuring security has certainly not been easy. Initially we all had to scramble to figure out ways to allow employees to work from home. Some crazy things happened, including people bringing their desktop PCs home and connecting home PCs (with unsupported operating systems) to corporate VPNs. Now we are seeing discussions about returning to work. What does that look like and what is it called?
The “Hybrid Work Model” is here to stay
Well, there are studies, data, and predictions, but what we can say is this: get ready for a permanent “Hybrid Work Model.” Hybrid working basically means that some of your employees work from offices and others work from home or at another location. Add to that the fact that some people will be switching locations every week depending on their schedule. How is security going to adapt and provide support in this new model?
Microsoft’s latest productivity study
This is probably not a shock to anyone, but Microsoft has some data to share about employees over the past year. They studied 30,000 people in 31 countries and did an analysis of trillions of productivity and labor signals across Microsoft 365 and LinkedIn. You can read more on Microsoft’s study here. Here is an important takeaway for business leaders: “With over 40 percent of the global workforce considering leaving their employer this year, a thoughtful approach to hybrid work will be critical for attracting and retaining diverse talent.”
How did Microsoft collect this data?
I am sure LinkedIn collects a plethora of usage information, and of course anybody who uses Microsoft 365 and has Insights turned on probably gets those creepy MyAnalytics emails on Monday morning telling you how many meetings you joined on time, how often you read your boss’s emails, and whether you multitask during meetings.
Aside from how Microsoft collected the data, a couple of points will come as no surprise:
1) Flexible work is here to stay (Hybrid Work)
2) Talent is everywhere in a hybrid world (Hybrid Work)
3) Shrinking networks are endangering innovation (The need for better collaboration)
How is security going to adapt in this new hybrid work model?
I have some thoughts on this and what is needed to ensure successful organizational security. We need to start with requirements. Security leaders must be engaged with the business and IT leaders from the beginning to ensure that security is embedded in every solution developed. Solutions must provide the level of functionality the users need with the right balance of security. Because a Hybrid Work Model will be necessary, collaboration and sharing will be key to the success of our employees’ work style. To attract talented employees, we will have to provide a great hybrid work environment; this means better ways to engage and a sustainable work-life balance.
Areas to start with when developing a new security strategy:
• Identity and Access Management (IAM) with cloud applications will be even more important, and your identity solution must be federated. More and more we are seeing Azure Active Directory being used with SaaS applications. This means SAML, SSO, MFA, and the use of conditional access. This is a great example of providing a more secure and user-friendly method of access.
• The Zero Trust model takes a different approach to security by assuming that people and devices are inherently insecure and that users are connecting from untrusted devices and networks both inside and outside the network. This model requires a change of mind and new way of thinking: never trust, always verify, and assume a breach has occurred. Read more on Zero Trust in a blog I posted here.
• Look at developing a data protection strategy. This is not an easy one to take on, and of course collaborating with external entities further complicates it. Data Loss Prevention (DLP) solutions are going to become more and more relevant. Use what you already own today: your EDR and cloud solutions may already provide some level of capabilities.
• Provide your users with secure endpoints. There are lots of solutions, but you should evaluate what you are using, because chances are the solution you have today has options that provide better visibility and protection for your users, your data, and your valuable assets. Examples include EDR and Secure Access Service Edge (SASE).
• Of course, we must look at ways to collaborate with colleagues and our customers better and more securely. Microsoft Teams and Zoom usage has skyrocketed.
• Cloud security solutions are not optional in 2021 and beyond. All the cloud vendors provide additional security controls and features you can enable. Of course, most will cost a premium, but they are necessary in today’s threat landscape.
If you would like strategic direction to strengthen your security stance, reach out to your GreenPages Account Executive who can connect you with a Security Engineer or reach out to us!
Randy is responsible for GreenPages’ overall cyber security strategy, including developing comprehensive policies and procedures to protect critical applications while ensuring business agility and velocity. With more than 30 years in the IT industry, Randy has strong expertise in cyber security and risk management; security operations and optimization; infrastructure modernization; and hybrid cloud architecture, design, and implementation. Randy is also a HITRUST Certified CSF Practitioner (CCSFP) which ensures clients have access to the highest level of expertise related to privacy, security, compliance, and risk management.