‘Location is no longer an arbiter of trust’ – what the future of work means for security

Written by PublicTechnology staff on 15 July 2021 in Features

Features

PublicTechnology catches up with Richard Meeus from Akamai to discuss how the events of the past year have changed not only how organisations work, but how they protect their workforce

if(typeof _gaq!='undefined')_gaq.push(['_trackEvent','Image','Impression','Technical vector Illustration explaining how cloud computing enhancing our ability to learn and work anywhere.',1,true]);

Credit: Adobe Stock

Until about 15 months ago, the idea of ‘the future of work’ – and a world in which we all did our jobs and collaborated with colleagues seamlessly, from any location – probably seemed, aptly enough, like a rather remote concept for many of us.

And then, for many of us, the future become the present overnight.

Even if the reality was not quite so seamless as the premise, it was just that: a reality. One in which we all had to live and work as best we could.

While the transition to working remotely was a huge challenge for most organisations, it was also an opportunity for many to explore and expedite plans that were, before the pandemic, stuck in the early stages of progress. It also offered employees the chance to fully experience a new way of doing things – a way that, for large numbers, offered an improved work-life balance and more time with their families.

As organisations and their employees begin, tentatively, to move into the post-Covid phase of their lives, it remains unclear the extent to which the adaptations and amendments of the past year will remain in place.

Before Covid, the number of people connecting via VPN might only have been 10% of an organisation. But, now, the whole company is using the VPN – and, as users are very bad at passwords and we frequently reuse them, there is a very real risk of breached credentials being used against your VPN.

For most, a wholesale return to 9-to-5 office life seems highly unlikely. But it is equally unlikely that the country’s office blocks will stand silent and empty for months on end.

One of the key considerations of how we enable the future of work are the process, policies and tools needed to secure staff, devices and – most important of all – data.

We caught up with Richard Meeus, director of security technology and strategy at Akamai, our partner for PublicTechnology Cyber Week, to discuss the issue of how to secure the future workplace.

PublicTechnology: What do we mean by ‘the future of work’?

Richard Meeus: Future of work is the way employees will access data and collaborate in a post pandemic world. The genie is out of the bottle on the fact of whether remote work can happen, it is just managing the logistics.

What does this mean for security tools and policies?

You cannot have different security policies depending on where someone is working; two years ago, you could just about get away with that. But the pandemic has forced us to look into this in a little more detail, and it has allowed us to make that step.

A lot of companies had already taken a number of steps prior to Covid to enable their organisation to work remotely to a certain degree. A classic example was VPN gateways – commonly used for a small proportion of the userbase, but which have now expanded and become the lynchpin of the entire organisation with everyone working remotely.

One of the things we are able to do is provide services in the cloud that connect users and applications together. When we think about users now [and how they are dispersed], naturally a cloud-based service sits in the middle of all that. This means [those connections] do not have to go through a central security stack at HQ, as in the classic hub and spoke design that VPN networks create, and users can have the access to cloud based application they need without additional latency.

Did the wide-scale switch to remote working inherently increase the threat?

I think the risk profile does change when your users are not sitting in an office – where you tend to have a great deal of control over them. Now, realistically, organisations need to view all of the networks [staff are connecting via] as hostile, because they are going to be compromised to a certain degree; location is no longer an arbiter of trust.

In truth we need to stop thinking about connecting machines to networks and start thinking about connecting users to applications. This can then be easily controlled with effective authentication and authorisation.

How does the move to the cloud impact on security?

As part of any digital transformation, you need to be aware of the data that you are moving into the cloud. And you still have to be aware of how and where it is being secured. You need the same level of security in front of data, wherever it is. If you do not have the same rules in place, criminals will work it out and will target where you are weakest. You need a holistic security platform that sits in front of all your assets.

What are currently the main threats or types of attack facing organisations?

There are a lot of phishing attacks; as there always are when there is a big news story – which is sometimes ‘a famous person has done something stupid, and here is a video of it’. But Covid was the number-one story all over the world, and consequently there was a massive increase in phishing attacks.

There has also been a lot of ransomware attacks, and a lot of them have been to do with how people have accessed their network. Before Covid, the number of people connecting via VPN might only have been 10% of an organisation. But, now, the whole company is using the VPN – and, as users are very bad at passwords and we frequently reuse them, there is a very real risk of breached credentials being used against your VPN to see if they work. Then, once they have got into the network, they have an opportunity for encrypt your data and ask for a ransom. If you are reluctant, they may hit you with the quad-play of encryption, release of data, DDoS and also notifying your clients of the attack.

How will security adapt and respond to the future of work?

The future of work fits very nicely with the secure access service edge model. It is about having the security between the users and the applications; the users no longer need to sit in the fortress, they can be anywhere, and the applications can be anywhere, and the organisation can still have the same level of security. We want to shrink the fortress down and secure the core apps, leaving the users and access managed by the cloud, giving maximum security, but also much more enhanced usability.

This article forms part of PublicTechnology Cyber Week, in assocation with Akamai. Throughout this week, the site will bring you a range of content looking at the major security issues facing the public sector, and the country as a whole - as well as insights on how these challenges are being met, and how government and regulators can support this. We will also be hosting an exclusive webinar discussion in which NHS Digital will discuss the challenges it has faced in the past 18 months, ensuring the resilience of its services in the face of unprecedented demand. All content from Cyber Week can be accessed here.