What is the Perimeter Anymore?

No surprise anymore that working from home has been thrust into the mainstream by the COVID-19 pandemic as well as the resulting lockdowns and restrictions on traveling to work. But the pandemic only reinforced and accelerated a trend that was already becoming obvious. And that trend towards remote and flexible working is changing the security threats facing all organizations.

Changing Threats

Flexible and remote working and by extension, working from home – demands a different IT architecture to the conventional workplace. Employees using mobile devices, potentially including privately-owned hardware, presents a whole different risk to corporate desktops that are deployed and managed by the IT department.

Working outside the corporate firewall and across networks – domestic broadband, public WiFi, and 4G and 5G cellular – presents a different attack surface too. The perimeter is far more dynamic, and one can ask the question - what is the perimeter? Devices and applications are less easy to update or patch. And physical security also called converged security now comes into play. Devices can be lost, stolen, or potentially tampered with.

But the “back office” has changed, too. Flexible working is only possible if employees have reliable, consistent, and secure access to business applications and data.

Previously, organizations relied on virtual private networks to connect remote workers to enterprise applications. VPNs became vulnerable to attack during the emerging pandemic, and they quickly became a bottleneck.

With larger numbers working away from the office, relying on VPNs is no longer viable option. Instead, the emphasis is now on software-as-a-service and web applications. These need a security plan too.

Security in a Flexible World

These changes in the way businesses operate are forcing a change in the way enterprises approach security. The changes are unlikely to be rolled back. Even once the global pandemic dissipates, organizations will want the resilience that comes with operating remotely. And the drivers that led to growth in flexible working before the pandemic, including greater business agility, and employee satisfaction have not changed.

This is leading IT security teams to re-examine how they ensure security. Some elements are tried and tested. These include mobile device management and end-point security as well as robust policies around personal (BYOD) equipment.

Others, such as improving security around cloud workloads are still a work in progress. But they require CISOs’ attention nonetheless.

We've seen that cloud and web applications are not always developed in a way that puts security first. If flexible working is business as usual, that must change. Software development more generally needs to put more emphasis on security and on building in security earlier in the process.

But if those are the immediate priorities, CISOs also need to look forward. Today’s percentage of remote workers, averaging perhaps 20-30%, might only be a fraction of the numbers who will work that way in the near future. Already some organizations, and not just in Silicon Valley, have said that all employees can work from home at least some of the time.

Entirely different approaches to cybersecurity might then be needed. We've seen newer trends emerge and one of those are zero trust which could prompt whole-scale changes to the way we implement security.

By working in the background, Zero Trust should be less intrusive to the user than many conventionally perimeter- or identity-based security measures. But it has the flexibility to adapt to changing situations and to new risks. And it enables IT security teams to ensure consistent security locally, remotely, and in the cloud.

Beyond the Boundary

The closed network and the perimeter are gone. Instead, we are in a world of mobile workers and an agile workforce, new approaches to application rollout and hyperscale.

The business now demands flexibility, and this has increased the attack surface. There is no escaping this. CISOs have to adapt to new risks. The technology is there to help and will continue to develop leading to new best practices.