The COVID-19 pandemic has been one of the most disruptive workforce events of the century. The disruption began when organizations were forced to deal with a remote workforce, discovering that it was not only possible, but productive as well.
The last eighteen months have dramatically changed the attitude of organizations towards remote working, but not to the point of fully embracing such a model in the future. Yes, there are organizations that are operating and plan to continue operating in fully remote mode. But a more likely model is a hybrid model in which some employees work from home, others work in the office, and still others in a combination of the two.
Debates rage over who should decide where employees work on any given day, as well as how many days they should be in the office, but in general the notion of a fully hybrid workforce has been accepted in industries that can support it.
Personally, I watch these discussions with detached interest because, well, I’ve never been in the office and trust me, I won’t be. I94 in Seattle is a really, really long road.
To be fair, the details of implementing a hybrid working model aren’t as important as the outcome – there will be employees working from home and from the office every day of the week. Hybrid work is the new default.
This will have a profound impact on the future of access strategies.
You see, traditional IP-based technologies rely heavily on a fixed set of network ranges and addresses. Policies deny or allow access to network and application resources based on IP.
This is the purpose of a VPN: to efficiently assign you a “local” IP address that is part of the range of IP addresses allowed to move freely on the corporate network.
We could continue to do that. But we won’t, at least not for most of the workforce. There will always be operators and engineers who need the kind of network access a VPN provides, but let’s be honest; I don’t need a VPN to browse Confluence or SharePoint or bug architects on Slack. If my productivity and communication needs are fully met by the apps, then I really don’t need to access the network.
And let’s face it, restricting network access is probably the best security policy change we can make right now given the rising incidence of malware, ransomware, and other malicious code. The less these destructive constructs can access resources, the better.
This is a real threat because the reality is that a hybrid workforce – largely transient – is likely to pick up malware and one day connect to the VPN and then BAM! You have problems. This is part of the reason why a good VPN solution includes health scans and checks before anything else. But not all VPN solutions are good solutions, and some organizations do not require scans even though the VPN solution can provide them.
That doesn’t mean it’s all sunshine and unicorns for application access solutions, either. Many of them are IP-based, and in an enterprise there are a lot of IP addresses to manage.
The number of network devices that a single NetOps must manage is significant in itself – more than half manage between 251 and 5,000 devices (NetDevOps annual survey).
Add to that my personal and private IP address and the personal and private IP addresses of anyone who might be working from home today. Oh, and let’s not forget the growing number of machine-to-machine communications that need to be secured. Cisco’s annual Internet report predicts that “by 2023 there will be more than three times as many networked devices on Earth as there are humans. About half of the global connections will be machine-to-machine connections.”
The result is an untenable model that overwhelms operators, security teams, and ultimately the departments and systems that must enforce policies.
Identity is the way
The security challenges associated with hybrid work add to those arising from the rapid pace of digitization. Together, these challenges will steer security models towards an identity-centric approach. This approach takes into account not only human users, but also machine users in the form of workloads, devices and scripts. After all, workloads are increasingly as transient as people. And ultimately, workload A is always workload A, regardless of the IP address it uses. Just like I am always me, whether I’m in my home office, at the Minneapolis airport, or in the Seattle office.
While IP can certainly be part of an identity-centric security policy, it is not the primary or determining factor in allowing access to a resource. Rather, it becomes an attribute that helps determine the level of identity verification that should be required.
If I am on the VPN/corporate network, maybe my credentials are sufficient. But if I’m not, then maybe my credentials and a second factor should be required. And if I’m trying to access from an unpublished IP address, maybe there is a third factor.
Regardless of how an IP address is used, it should no longer be used on its own. Not even for workloads. After all, malware can be found on the corporate network, but it should never be allowed to access applications and resources.
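The contrast described above, as an added example that is not from the original article: an IP-only policy next to an identity-centric one in which the source address only sets how many factors are required. The network ranges, the `Request` fields and the function names are assumptions made for illustration; an address in neither list stands in for the "unpublished" case.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample ranges (private and documentation space), not from the article.
CORPORATE_NETS = [ipaddress.ip_network("10.20.0.0/16")]       # VPN / office range
KNOWN_REMOTE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # remote addresses on record

@dataclass(frozen=True)
class Request:                      # hypothetical request context
    source_ip: str
    principal: Optional[str]        # verified user or workload identity, None if absent
    factors_presented: int          # number of verified authentication factors

def _in_any(ip: str, nets) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:              # unparseable address matches no range
        return False
    return any(addr in net for net in nets)

def ip_only_policy(req: Request) -> str:
    """Legacy model: the source address alone decides."""
    return "allow" if _in_any(req.source_ip, CORPORATE_NETS) else "deny"

def required_factors(source_ip: str) -> int:
    """The IP is only an attribute that sets the verification level."""
    if _in_any(source_ip, CORPORATE_NETS):
        return 1                    # credentials are sufficient
    if _in_any(source_ip, KNOWN_REMOTE_NETS):
        return 2                    # credentials plus a second factor
    return 3                        # address not on record: third factor

def identity_policy(req: Request) -> str:
    """Identity-centric model: no verified identity, no access, whatever the IP."""
    if req.principal is None:
        return "deny"
    missing = required_factors(req.source_ip) - req.factors_presented
    return "allow" if missing <= 0 else f"step-up:{missing}"

if __name__ == "__main__":
    samples = [
        Request("10.20.5.9", None, 0),                    # malware on the corporate network
        Request("203.0.113.7", "alice", 2),               # employee at home with MFA
        Request("198.51.100.4", "workload-a", 2),         # workload on a new address
    ]
    for r in samples:
        print(r.source_ip, ip_only_policy(r), identity_policy(r))
```

The first sample is the case the article warns about: the IP-only policy admits anything that sits on the corporate range, while the identity-centric policy denies it for lack of a verified principal.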
Additionally, we need to extend our understanding of identity beyond people to the workloads, applications and devices we increasingly rely on.
I’m sure I don’t have to mention the SolarWinds debacle. But are you aware of threats like Siloscape, described as “malware [that] opens known vulnerabilities in web servers and databases to compromise Kubernetes nodes and backdoor clusters” and the threat of misconfigured management consoles? Many management consoles are primarily secured by IP-based controls, which end up being disabled because they interfere with remote access, a must with today’s hybrid working model. A more robust, identity-based set of access controls would provide protection against hacking and unauthorized use, regardless of the originating location. Additionally, robust identity-centric security would provide protection against compromised systems that attempt to infect, hijack, or exploit other corporate network security resources.
We have been moving slowly towards identity-based security for a long time. But the explosive growth of automation and digitization, along with the trend towards hybrid work models, will accelerate this movement until we finally abandon IP addresses as the primary method of access control.
Identity-centric security is the solution.