Remote Work Infrastructure
The discussion for or against remote work is mostly settled — and remote work has won despite the wishes of the tech giants. The studies prove that remote workers are more productive, are less likely to churn, and expect remote work to be normalized going forward. When it comes to the critical metrics of workforce productivity and employee retention, remote work is a clear winner. Embracing remote work also means saving money in the long run for both employees and employers.
Detractors of remote work have their own reasons as well. Many executives do not trust their employees to work at capacity without coming into the office, or simply want to monitor their employees to remove productivity blockers. Many extroverted employees and workers do not thrive while working at home, and some believe in-person work facilitates an atmosphere where ideas can grow organically. Finally, there may be a sense of isolation for individuals working at home, which may have a negative impact on the organization’s work culture. Unfortunately for detractors of remote work, the measurable reasons have been disproven through studies and the reasons that cannot be measured are difficult to prove.
Which leaves just one last measurable argument for proponents of in-office work: corporate security. The transition into remote work during the pandemic presented an unprecedented test of each organization’s internet infrastructure. While many companies successfully connected their workers to the corporate network and infrastructure, the speed at which they did so left their infrastructure with security and control gaps.
This terrifying and sudden expansion of the corporate perimeter prompted the US Government’s Cybersecurity and Infrastructure Security Agency to release an alert addressing the alarming increasing trend of global ransomware. Cyber insurance claims and payouts rose during the pandemic and as a result, “cyber insurance direct written premiums rose 74 percent year over year in 2021 to over $4.8 billion.”
So while the shift to remote work is desirable for employees and employers alike (assuming the work can be done remotely), it does present a clear and present danger to the organization’s cybersecurity posture.
This blog post will explore the following:
- Security Concerns With Remote Work
- Securing Organizations Against Remote Work Vulnerabilities
- Improving Operational Agility and Overhead Without Friction
Security Concerns With Remote Work
Security is a genuine and tangible reason for being against remote work — when companies need to give remote workers access to sensitive data and services, the company’s security boundaries become stretched and attack surface areas increase accordingly. The sphere of trust is being forced to include each employee’s home network and personal devices, a new reality that most network security paradigms were not built for.
The nature of the sudden global shift into remote work strained corporate VPNs much like a patchwork dam, but also increased the risk of corporate breaches:
With increased VPN demand comes increased security risk. While the field has recently seen some innovative privacy developments, the nature of current VPN technology makes it a prime target for exploitation. All of a user’s data is essentially funneled to a single company, whose servers may be located anywhere, and accessed by anyone.
Malicious actors have long used VPNs as cheaply created vehicles for data harvesting and malware injection. Even seemingly innocuous VPNs can — via shoddy security — endanger users in countries where VPNs are outlawed.
A separate and far more technical blog post would be needed to dive into security gaps surrounding VPNs, but the issue of security is exacerbated at scale when entire workforces are suddenly logging in to work through VPNs. This has forced IT departments to massively expand their organization’s perimeter-based security policies to include the home environments of end users, the IT equivalent of opening your home windows during the summer and expecting no insects because surely everyone else is doing their job with quashing pests.
Worsening the issue is how this shift in infrastructure means organizations are back-hauling all of their data to the organization’s data center or cloud. At best, this is an increase in bandwidth cost and an unnecessary expense; at worst, the additional “hop(s)” incurred will result in worsened productivity.
These security gaps exist because the organizations have shifted to adopt remote work for their employees before the technology stack and infrastructure could be reoriented for the new work paradigm. The result is companies utilizing remote work exposing themselves to greater risk of security breaches so long as the underlying reasons for these security issues stay unaddressed.
The good news is that while the security concerns are real, they can also be mitigated without much friction. Companies only need to make a shift in infrastructure and tech stack to support remote work to achieve the higher productivity, employee retention rates, and cost savings provided by remote work initiatives.
Securing Organizations Against Remote Work Vulnerabilities
Organizations using VPNs to enable remote work policies have two core issues:
- Access management and security
- Operational overhead resulting from remote work with VPNs
Before remote work became normalized, typically only a select number of employees were allowed to use VPNs in remote work. These employees were probably trained in cybersecurity hygiene and best practices to qualify for the privilege of being trusted with access to the corporate network. Now that remote work has expanded the need for VPN access, security teams have been forced to grant access to all sorts of users that may not have gone through training.
Because those users aren’t trained, network policies and firewalls become necessary to ensure least privileged access. Previously, these policies could be set up for the small number of users expected to use them. But if organizations are suddenly 10x-ing the amount of users needing specific network policies, the network administrators can be easily overwhelmed. Help-desks will experience an increase in ticket counts for employees needing specific access not prescribed by their default roles.
These core issues are strong, valid reasons for denying remote work initiatives. But when the modern workforce is full of talent prioritizing flexibility and remote work options, organizations are loathe to say “no.” Yet remote work changes require increased operational and security overhead or the commitment to reorient the organization’s infrastructure with tools to support it. So network administrators and security teams scramble to adjust, but this is the direct cause of the growing burnout in SecOps roles.
The current over-reliance on SecOps teams to ensure operational agility is ultimately unsustainable for a company’s operations and long-term employee retention. Organizations should either prepare to invest a lot more in IT and security with head count or opt for a more flexible approach not based on the network perimeter.
Improving Operational Agility Without Friction
Friction occurs when “No” is the response. Organizations hate saying “No.” People hate being told “No.” Users want to do the thing but… “No.”
“Can we work remote?” — “No.”
“Can I deploy this application to the cloud?” — “No.”
“Can I give/get access to…” — “No.”
“Can I…” — “No.”
“No” is the default answer from Security and Operations teams until users or management force them to give a “Yes.” Maybe the developers want to deploy something and the default answer is “No” until they go through the necessary channels to get approval. Maybe employers want to source remote work from anywhere in the world but the VPN experience does not allow for it without jamming up help-desk tickets.
The process to saying “Yes” a lot involves restructuring the company’s network infrastructure to realize the pursuit of flexible working environments. An organization that fails to do so will rack up technical or management debt paid in daily dividends made of friction and internal frustration.
And that friction does exist. If your organization believes otherwise, here’s a question: If VPNs supposedly duplicate a 1:1 user experience as though users are on the corporate network, then why don’t organizations mandate logging in through a VPN for all users? After all, the VPN authenticates the user and provides the same experience, which means mandating VPN logins at work will just result in increased security, yes? Try it. If there’s pushback against mandating VPN logins for all internal users no matter where they are, that’s because VPNs do not provide a good user experience.
But the underlying sentiment — ensuring the same, smooth network experience no matter where the user sits — is a good goal to have. It ensures remote work can proceed for any number of users without friction. It reduces operational overhead for administrators to worry about while providing operational agility for productivity to continue unabated. Even better, the organization is empowered to say “Yes” knowing they have their operation and security bases covered.
Embrace Remote Work with a Context-Aware Gateway
Pomerium is an open-source context-aware access gateway for managing secure, identity aware access to applications and services. Organizations can easily deploy Pomerium with their existing infrastructure to adopt a secure, identity-driven access to their internal services. IT management teams can easily use Pomerium to provision access and ensure security for all users without sacrificing productivity. Context-aware access is increasingly necessary as the workforce shifts to remote-work and organizations open their internal infrastructure up to the dangers of the internet.
Check out our open-source Github Repository and give Pomerium a try today!
