The emails and statements started coming in from HHS, CDC, and FEMA: A contagious virus threatened to upend the functions of the federal government. My staff and I would be expected to work remotely for an indeterminate amount of time. Our services wouldn’t be impacted that much, I thought, since many of us had laptops, and we all had mobile phones. We supported hundreds of remote sites around the country. Surely we could operate as a distributed team during this time of crisis. And besides, we serve a technologically-advanced, first-world country. How bad could an Ebola outbreak be?
Turns out, bad. And no, we couldn’t operate well as a distributed team during that time of crisis. It was 2014, and this was only a drill. The Ebola scenario was a coordinated exercise of civilian and government readiness for operational continuity during a hypothetical viral outbreak. It was a test that we failed. Turns out, not everyone in our department had laptops, let alone “fast-enough” access to the internet from home. Cell phones, though prevalent, weren’t suitable analogs for on-premise work desktop computers. Worse, though half the department was able to log on remotely, traffic overloaded the bottle-necked VPN, causing lag, delaying (or blocking) connectivity, and impacting productivity. (This was especially an issue with outlying hospitals trying to practice telemedicine.) We rationed equipment, shuffled work hours, and prioritized access. And our VPN still couldn’t handle the overload.
This is not a drill.
It’s six years later. The human toll of the coronavirus outbreak cannot be measured, and right now, enterprises must focus on protecting the health of employees and community members. Priority #1 for all organizations must be to mitigate risks associated with the spread of COVID-19. With that in mind, organizations now must now do what they can to preserve enterprise productivity in a “new normal” of work away from the office.
Business continuity planning, or BCP, should be (and ideally, should have been) a key component of your corporate strategy. But even if that’s not the case in your organization, you can still do something about it.
The operational challenge: enabling remote work for everyone
Right now, BCP is (by necessity) about telework. Seems straightforward: Can’t work in the office? Work from home. Many IT organizations plan corporate network capacity to accommodate remote access for 20-30% of the workforce. But what happens when that grows to 100%? Overnight? IT leaders around the globe are learning that getting everyone online from home isn’t a trivial exercise:
- More employees — many more employees — will use VPN to access corporate resources. Will your infrastructure be able to handle it? (Spoiler alert: no.)
- For an entire workforce to get online, you’ll need an entire workforce with devices to get online. You know this already, but not everyone gets a work laptop, and not everyone has a suitable home machine that will work as a substitute. How many functional outdated laptops does your team have collecting dust in the old server room?
- You’ve no doubt got collaboration tools for conferencing and instant messaging. But do you have enough licenses when everyone needs them?
The dark side of remote access: new threat exposure, employees “going rogue” for speed
There’s another issue more serious than remote-connectivity limitations: If your organization relies on VPN to access internal resources and/or internet egress, extending that access to a broader percentage (say, 100%) of your workforce dramatically increases your organization’s potential attack surface. The further distance corporate data has to travel, the more opportunities for compromise.
Compounding that, end users accustomed to Netflix-like download speeds at home will be frustrated when they encounter latency introduced by VPN constraints and MPLS backhauling. The risk is that they “go rogue,” and bypass security controls in the “interest of getting the job done” faster, further exposing internal systems to outside attack.
Keys to enabling remote work: prioritization, triage, and local internet breakouts
It’s time to change the way you think about security. This event is accelerating changes in how we access applications and data securely. Remote work must be enabled without compromise to security: This doesn’t mean less security, it means different security.
As a CISO, what can you do to facilitate remote work in the face of such connectivity and security challenges? In this newest “new normal,” you will have to make triage decisions:
- Prioritize work. What tasks are most important? What resources will be needed? What assignments can be postponed (or even cut)?
- Prioritize access. How can you align access with work priorities? What work requires always-on connectivity? What work requires occasional connectivity? You may have to provide “tiered” connectivity for employees based on their work priorities.
- Prioritize devices. Similarly, who gets the laptop? Linda in accounting? Fred in sales? Who has a greater need for that last portable machine?
- Ration collaboration apps. You’re going to need more licenses. In the short term, work with finance to reallocate “on-hold” spending (say, business travel or events marketing) to enable remote work operations.
- Stagger work hours. If it comes to it, you may have to switch mission-critical work to graveyard-shift hours to overcome connectivity limitations.
- Deploy local internet breakouts. The cloud (and specifically, secure access service edge computing) offers hope: With employees connecting directly (and securely via inline security proxy) to resources, you reduce attack surface and alleviate VPN bottleneck contention.
We are going to get through this. But we have to learn. (Back in my government days, we said “never let a crisis go to waste.”) Right now, nothing is more important than ensuring the health of your colleagues and community. And the best thing you can do as a CISO is to facilitate remote work.
Forgive the dispassionate cynicism, but enterprises that weather this storm will have a competitive advantage when it passes. And when your organization comes out the other side, don’t stop planning for business continuity. You’ll be better prepared if — God forbid — there’s a next time.
Stan Lowe, Global Chief Information Security Officer at Zscaler
The original article can be found here.