More than a year after the initial COVID-19 lockdown began and millions of corporate employees transitioned to remote work, U.S. companies are beginning to announce plans for a return to traditional office work.
The shift from offices to home-based environments presented enormous security challenges to companies, as traditional security perimeters gave way to ad hoc work environments. Workers who once sat across a desk from one another were suddenly forced to collaborate across often insecure local networks, frequently sharing a Wi-Fi connection with their remotely educated children.
IT security officials had no visibility into what employees were doing on their networks.
"The increasingly distributed global workforce that has been spurred on by the pandemic has greatly taxed the perimeter that traditionally protected the organization and created new vulnerabilities for cybercriminals to strike," said Bhagwat Swaroop, president and GM of One Identity. "In the emerging hybrid environment, firewalls and VPNs are no longer sufficient to protect your systems and data, as employees log in from anywhere at any time."
During the early stages of the pandemic, security issues were considered important, but were generally outpaced by efforts to maintain worker productivity, according to Eric Haller, VP of security operations at Palo Alto Networks.
As a result, company data was likely accessed from unprotected or unmonitored devices, either directly using personal devices or indirectly via SaaS applications.
Threat volume rose 48% between March 2020 and February of this year, which coincided with the first year of the COVID-19 lockdown, according to a March white paper from email security company Mimecast.
There is a 95% likelihood that threat actors will continue to target the workplace going forward, according to Mimecast. The targets include remote employees and those who return to the workplace, as the environment will remain unsettled.
"The traditional perimeter is dead, as we've brought the network into our individual homes," Jeremy Ventura, senior security engineer at Mimecast, said.
An office return
As the U.S. ramped up a massive rollout of COVID-19 vaccines, some of the nation's leading technology firms disclosed plans to begin returning to the office.
Following a mandatory work-from-home policy starting last May, Microsoft has reopened offices in 21 countries, with about 20% of its 160,000-member global workforce back in the office. Starting at the end of March, the company began to reopen its headquarters in Redmond, Washington, and nearby campus facilities.
For more than a decade, Google has operated under a zero trust model called BeyondCorp, which was implemented in response to the 2009 Operation Aurora attacks, a sophisticated APT campaign against numerous U.S. technology firms.
Google created an internal system that allowed all of its employees to securely conduct business from any location globally, without the need for VPNs, whether sitting at a corporate workstation or in a remote coffee shop.
"What that allowed us to do is to kind of control the dial on what we could be doing post-pandemic," said Sunil Potti, VP and general manager, cloud security at Google.
In January, Google opened up the platform to the larger enterprise community by launching BeyondCorp Enterprise, which is a scalable, agentless module that operates through the Google Chrome browser.
Google is planning a limited return to the office starting this month, based in part on state-by-state COVID-19 data and vaccine availability. The company plans to reopen offices starting Sept. 1, but will allow workers to apply to continue working remotely even after that date.
Beyond the perimeter
The transition to a hybrid work environment means that security officials need to rethink how they approach authentication, according to Billy Spears, chief information security officer at Alteryx.
The Irvine, California-based data analytics firm is still operating remotely; however, it has reopened its Munich and Prague offices and plans to reopen additional locations over the course of the year.
"Traditionally in security, we sort of build our security posture on this network-based perimeter, meaning here's the hardware we have to run our company, how can we make sure the goodness of the information stays in the company for the intended purpose, and how can we prevent bad things from coming in," he said.
Now companies are operating in an environment where an employee may log on from multiple locations during a given week, while working other days from inside the office.
"We need to understand this is a legitimate person that should have access to the data, rights, privileges, etc. in our company, and we need to authenticate normal [behavior] versus abnormal," Spears said.
As employees return to the office, Haller suggested that companies should develop work policies that will enable productivity, while leaving room for unplanned events. Some policy considerations include the following:
Data classification: How do employees access data consistent with company security objectives?
Remote access: Define how employees can connect to company assets, for example, via laptop, smartphone or other devices. Also define what data they can access. For example, customer data and source code can only be accessed on a corporate device using a secure connection. A company directory must be accessed on a secure device and data cannot be stored.
Acceptable use: Provide sanctioned use cases to make sure employees do not expose the network to cyber risk. For example, corporate devices cannot be used to access and download free software on the internet.
Device security: This would limit exposure to devices that are used by remote workers for a long time. The policy tells employees what needs to be on their devices and how to ensure devices are secure. Examples would include a ban on jailbroken mobile devices accessing company assets or making sure any device accessing the network has updated anti-malware capabilities.