All of us have seen or issued guidance that looks something
like this: “We are committed to doing our part to stem the spread of the
COVID-19 virus. Consistent with guidance from the World Health Organization,
the U.S. Centers for Disease Control and Prevention, and other national and
local health authorities regarding efforts to limit the spread of the virus, we
have taken steps to mitigate service disruption while protecting the health and
well-being of our associates. To advance these objectives, we have shifted some
of our service delivery and operations to function through work from home arrangements.”
The work from home (WFH) movement being enforced on and with
companies around the globe is helping to stop the spread of COVID-19. But it
also is opening up critical new risks to our economy that transcend the current
pandemic. Therefore, it’s critical that we evolve from simply implementing WFH
and find ways to ensure that citizens, companies, governments and the nation are
secure from home (SFH) as we work from home.
John Carlin, former assistant attorney general for the U.S.
Department of Justice’s National Security Division and current chair of
Morrison & Foerster’s global risk and crisis management team, recently co-authored
article that said “while this worldwide crisis has introduced new
complexities and challenges, it also has presented an opportunity for hackers
seeking to capitalize on the pandemic to maximize the impact of cyberattacks on
government and private sector infrastructure. We expect nation states’ and
criminal groups’ activity to increase as they target newly vulnerable remote
employees and IT teams distracted by the dramatic increase in usage.”
It is known adversarial tradecraft – now playing out in real
time – to cause or exploit a big risk at the front door, while more quietly doing
damage through the back. This problem is being further exacerbated by outdated
guidance to simply use a virtual private network (VPN).
VPNs were once the right answer, back in the days when fewer
than 20% of your workforce needed to work from home. This technology was the
right answer back when you had all of your secure systems in your own data
center instead of scattered across the clouds and containers.
This old method of connectivity was the right answer when
adversaries didn’t bother targeting your company. VPNs were the right answer
when you had limitless budgets and trained security personnel to work with (ok,
that was a rare reality).
But VPNs are not the right answer today for enterprises that
work in the cloud, that need their entire workforce to be fully productive from
home or are part of our critical infrastructure and the global economy. In
fact, advice to simply use a VPN is beginning to have the unintended
consequence of promoting less security in this mad dash to enable WFH.
Here are some realities that the Unisys security teams are
seeing in the field today:
- VPNs often are of questionable origin. These
include many of the ‘free’ or cheap VPN services that may or may not terminate
in some hostile place. Remember, if an internet service is free, it’s also likely
monetizing your data.
- VPNs may encrypt from home to some corporate
network access point, but not necessarily to the actual applications. Instead they
may be switching back to clear text as the packets float through your network,
making them easily accessible to thieves or ransomers.
- Some VPN concentrators are so overloaded that
they need massive injections of hardware, software licenses, rules managers and
time just to accommodate the increased demand.
- Industry is facing a 400% increase in attacks on
VPN infrastructure. That adds to the chaos, with some of what we thought to be
load issues turning out to be hostile acts – think ransomware.
- Worst of all, managers who have been given the
edict to facilitate WFH are sometimes opening the security doors and allowing
unsecured access because their VPNs can’t handle the job for everyone.
Clearly VPNs are Not Cutting It
If your company has implemented a WFH strategy and is
experiencing some or all of the above, it’s a great time to make the move to a Zero
This model supports the efficiency enabled by containers,
clouds and Kubernetes; understands the external and internal threats we all
face today; and enables the secure scalability that today’s operations demand.
Making WFH into Secure From Home
At Unisys, and with many
of our clients, we have one set of Zero Trust-directed security
policies that span on-premises, cloud, and
container deployments around the world. Using our Always
On Access methodology powered by Stealth®, which leverages
advanced and proven technologies including mobile, microsegmentation
and Kubernetes, we’re able to add as many home/remote users as
necessary, maintain security, identity, and encryption all the way to the
applications. In fact, within the first week of the COVID-related mandates,
Unisys went from approximately 15% remote workers to over 90%, and that change
was completely transparent to the global workforce. Increasing
employee productivity without sacrificing security, timeliness or budgets
is possible, and being realized right now.
Like firewalls before them, VPNs have had their day. But the
realities of the new digital enterprise, compounded by the newest reality of
the global pandemic, requires that enterprises rethink their security. It’s
time to immediately double or triple the number of employees that can be
securely productive, and to make Zero Trust work for you.
There’s a lot riding on this.
Tom Patterson is Chief Trust Officer, Unisys