Today’s Hybrid Work Model Requires a Hybrid Approach to Security

Over the past several years, the traditional enterprise network, built around the campus and data center, has greatly expanded. It now stretches from home offices, remote sites and the enterprise edge, to legacy private clouds and new multi-cloud infrastructures.

The move to a remote workforce, while sudden, was not unexpected. Most organizations have been headed in that direction since the advent of ubiquitous broadband. All the pandemic did was force companies to accelerate their digital transformation as reflected in last year’s accelerated cloud migrations and adoption of collaboration tools. As with every other technological advance in history, there is no going back. Like it or not, work from home, indeed, work from anywhere, is here to stay. And IT teams now need to consider what steps they need to take in what was originally a temporary measure and make it permanent.

According to the recent "Forecast Analysis: Remote and Hybrid Workers, Worldwide" report from Gartner, the hybrid workplace, where workers divide time between being in the office and working from home, has shifted. Most organizations now estimate that their "knowledge workers" will be splitting their time each week between working in the office and working from home.

This shift to a hybrid workforce will have a lasting impact on networks. Issues like universal access to critical information and consistent user experience, whether an employee is on- or off-premises, will need to be addressed. A vital element of that conversation will be how to extend consistent security to every worker, regardless of their location or device.

This will be no easy task.

Today’s highly distributed networks are also highly dynamic with automated changes in routing, security, and clouds to meet changing requirements. They’re also increasingly more complex, which makes centralized visibility and control more difficult than ever before. And to complicate things further, many organizations have followed a piecemeal "secure-as-you-go" strategy. As a result, today's organizations now have an average of 45 security tools, from multiple vendors deployed across their network, with each cyber incident requiring coordination across 19 different solutions. This problem is further compounded when one considers the hundreds of thousands of unsecured home networks being used to access corporate resources. Unfortunately, such complexity inevitably leads to poor visibility, limited control, and exploitable security gaps.

To address this challenge, IT and security leaders need to consider the following five issues:

1. Consolidate. Consolidating security and networking functions into a common platform reduces complexity and delivers a number of other benefits. First, a unified solution ensures protections automatically scale and adapt as the network changes -- improving performance, as well as outcomes and experiences. This starts with selecting a broadly deployable firewall platform designed to support a full range of security features as well as SD-WAN for networking. Having a common platform that can be deployed as an appliance, VM, or cloud delivered service as the foundation of a comprehensive security framework deployed at every network edge, ensures end-to-end visibility, ease of management, granular control, and consistent enforcement.

2. Take a broad approach. There is a lot of hype in the market around replacing traditional security tools with a secure access services edge (SASE) solution. While that may sound good in theory, most enterprises will still require a hybrid network. Rather than choosing one or the other, the right strategy for most organizations usually involves an integrated strategy designed to support diverse network environments and a hybrid workforce.

Part of the reason that IT teams must take a more balanced approach to security is that many critical services simply can't be moved from the data center to the cloud. For example, pension data, intellectual property, critical business information, and other data simply can’t be shifted to public clouds for reasons ranging from regulatory compliance to risk management. This and similar challenges reinforce the importance of the traditional, on-premises firewall as part of a comprehensive security strategy. A hybrid security framework should operate natively in any environment to protect every edge -- spanning LAN, WAN, data center and cloud edges. Such an approach enables cross platform visibility and enables coordinated security enforcement across today’s distributed computing environment.

3. An integrated platform approach beats point solutions every time. Building out security in increments with a focus on products rather than a holistic architectural approach is what led to the product and vendor sprawl most organizations are struggling to manage. But no matter how excellent some individual security tool might be, if it can't effectively collect and share information and leverage threat intelligence for automated incident response, it's probably not worth it. The practical reality is that point solutions can never provide the same level of visibility, control, and responsiveness as a platform designed to work together as an integrated solution. Add the power of centralized management and orchestration through a single console, and you quickly outpace any advantages a single point solution might offer.

4. Performance is king. The transition to a software defined business model has enabled employees, partners, customers and other stakeholders to work and collaborate in ways that would have been impossible to achieve just a few years ago. Accordingly, we’ve seen the volume, variety and velocity of data expand, especially encrypted traffic. Indeed, according to Google, the volume of encrypted traffic passing through today's networks will soon reach 95%. However, most network firewalls, using off-the-shelf processors, have been largely unable to keep pace with growth of encrypted traffic for some time. This poses many risks as maintaining the performance levels today's applications require.

The fact is, you simply cannot secure a network when you are only really able to inspect a fraction of its traffic. IT leaders need to choose a firewall solution that can operate at scale across the network without getting bogged down with compute-intensive operations like SSL decryption, threat detection, and automated remediation.

5. Trust creates risk. Traditional network security is focused on preventing external attacks but does little to prevent attackers from moving through the network once the perimeter has been breached. This is especially problematic when criminals target home offices. IT teams need a firewall solution that can provide dynamic network segmentation. This prevents the lateral spread of north-south threats along with micro-segmentation to prevent east-west proliferation.

This can then become part of a zero-trust access (ZTA) strategy designed to strictly control access to specific network resources based on the role of a user or device and zero-trust network access (ZTNA) for per-application segmentation. Additionally, it must also manage the proliferation of headless devices, like IoT or IIoT, by seamlessly integrating with a NAC (network access control) solution to ensure that every device, application, and transaction is accounted for and secured.

Future-proofing your security requires tools designed to learn about the state of dynamically changing resources scattered across the network and then adapt in real-time. NGFW solutions must be capable of operating natively in any environment, including private and public cloud networks, so that they can deliver consistent security end-to-end across the hybrid IT architecture.

Today's environments require a solution designed to operate at any edge, in any form factor, to ensure consistent policy enforcement, centralized policy orchestration, real-time intelligence sharing, and correlated threat response. When security policies and enforcement can follow applications and workflows end-to-end, organizations can maintain broad visibility and control across their continually evolving networks while ensuring optimal user experience for today's hybrid workforce.

Find out how the Fortinet Security Fabric platform delivers broad, integrated, and automated protection across an organization’s entire digital attack surface to deliver consistent security across all networks, endpoints, and clouds.

Jonathan Nguyen-Duy is a Vice President in Fortinet’s global Field CISO team. He is a well-known cybersecurity author and industry speaker with unique global public sector and commercial experience with a deep understanding of threats, technology, compliance and business issues. Jonathan holds a BA in International Economics and an MBA in IT Marketing and International Business from the George Washington University.