The New “Attack Surface” – Securing the Business Beyond Conventional Boundaries

4 years ago Tripwire Guest Authors

In 2020, just under half the UK workforce worked from home at least some of the time, according to the Office of National Statistics. In the United States, a survey by Upwork found that over a quarter of professionals expect to work fully remotely within the next five years.

Working from home has been propelled into the mainstream by the COVID-19 pandemic as well as the resulting lockdowns and restrictions on traveling to work. But the pandemic only reinforced and accelerated a trend that was already evident.

And that trend towards remote and flexible working is changing the security threats facing all organizations.

Changing Threats

Flexible and remote working – and by extension, working from home – demands a different IT architecture to the conventional workplace. Employees' use of mobile devices, potentially including privately purchased hardware, presents a different risk from corporate desktops that are deployed and managed by the IT department.

Working outside the corporate firewall and across networks – domestic broadband, public WiFi, and 4G and 5G cellular – presents a different attack surface. The perimeter is far more dynamic, if there is a perimeter at all. Devices and applications are less easy to update or patch. And physical security comes into play. Devices can be lost, stolen, or potentially tampered with.

But the “back office” has changed, too. Flexible working is only possible if employees have reliable, consistent, and secure access to business applications and data.

Previously, organizations relied on virtual private networks to connect remote workers to enterprise applications. VPNs proved vulnerable to attack during the pandemic, and they quickly became a bottleneck.

With larger numbers working away from the office, relying on VPNs is no longer viable. Instead, the emphasis is now on software-as-a-service and web applications. But these, too, will need to be secured.

Security in a Flexible World

These changes in the way businesses operate are forcing a change in the way enterprises approach security.

The changes are unlikely to be rolled back. Even once the global pandemic recedes, organizations will want the resilience that comes with operating remotely. And the drivers that led to growth in flexible working before the pandemic, including greater business agility, have not changed.

This is leading IT security teams to re-examine how they ensure security. Some elements are tried and tested. These include mobile device management and end-point security as well as robust policies around personal (BYOD) equipment.

Others, such as improving security and data integrity for cloud applications and software-as-a-service, are perhaps still a work in progress. But they require CISOs’ attention nonetheless.

Cloud and web applications are not always developed in a way that puts security first. If flexible working is business as usual, that must change. Software development more generally needs to put more emphasis on security and on building in security earlier in the process. Organizations also need to consider supply chain risk, from code reuse to the use of third-party tools.

But if those are the immediate priorities, CISOs also need to look forward. Today’s percentage of remote workers, averaging perhaps 20-30%, might only be a fraction of the numbers who will work that way in the near future. Already some organizations, and not just in Silicon Valley, have said that all employees can work from home at least some of the time.

Entirely different approaches to cybersecurity might then be needed.

Zero Trust is one approach that could prompt whole-scale changes to the way we implement security.


By working in the background, Zero Trust should be less intrusive to the user than many conventional perimeter- or identity-based security measures. But it has the flexibility to adapt to changing situations and to new risks. And it enables IT security teams to ensure consistent security locally, remotely, and in the cloud.

Beyond the Boundary

The closed network and the perimeter have gone. Instead, we are in a world of mobile workers, cloud data, and web applications.

The business now demands flexibility, and this has increased the attack surface. There is no escaping this. CISOs have to adapt to new risks. But the technology is there to bring the business with them.


Editor’s Note: This blog post is based on an event, The Changing Role of the CISO: Security in a More Complex World, hosted by RANT and sponsored by Tripwire.

About the Author: Stephen Pritchard is a video journalist, broadcaster, and writer. He works as a freelance producer, presenter, and moderator, and he writes news, analysis, and feature articles for the international and UK press, trade media, and magazines. Stephen’s main beats include technology, telecoms, security, science, and management. He is a contributing editor and columnist for IT Pro and for Infosecurity Magazine. Stephen also writes for a number of newspapers including the Financial Times, The Guardian, and Sunday Times.

Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.

The post “The New “Attack Surface” – Securing the Business Beyond Conventional Boundaries” appeared first on TripWire

Source: TripWire – Tripwire Guest Authors
