Hybrid Work is Driving a Shift to Identity-Centric Security
The COVID-19 pandemic has inarguably been one of the most disruptive workforce events of the century. The disruption began when organizations were forced to deal with a remote workforce, finding it was not only possible—it could be productive.
The past eighteen months have significantly shifted organizations' attitudes about remote work, but not so much as to fully embrace such a model moving forward. Yes, there are organizations who are, and plan to continue, operating in a "fully remote" mode. But a more likely model is a hybrid one; a model in which some employees work both from home, others from the office, and still others in some combination of the two.
Debates rage about who should decide where employees work on any given day, as well as how many days they should be in the office, but in general the notion of a fully hybrid workforce has been accepted across those industries that can support it.
More than half (55 percent) of 1,200 workers surveyed between Nov. 24 and Dec. 5 said they prefer working remotely three days a week. Meanwhile, 68 percent of 133 U.S. executives said workers should be in the office at least three days a week, citing concerns that company culture will not survive a purely remote work model.
(Source: SHRM)
I personally watch these discussions with detached interest because, well, I was never in the office and trust me, I'm not going to be. I94 to Seattle is a really, really long drive.
To be honest, the implementation details of a hybrid work model aren't as important as the result: there will be employees working from home and from the office every day of the week. Hybrid work is the new default.
This seemingly simple statement has a profound impact on the future of access strategies.
IP-Based Access
You see, traditional IP-based technologies rely largely on a fixed set of network ranges and addresses. Policies deny or allow access to network and application resources based on IP.
That's the point of a VPN; to effectively assign you a "local" IP address that is part of the range of IP addresses allowed to fritter freely around the corporate network.
Now, we could keep doing that. But we won't—at least not for most of the workforce. There will always be operators and engineers that need the kind of network access provided by a VPN, but let's be honest; I don't need a VPN to browse Confluence or SharePoint or bug the architects on Slack. If my productivity and communication needs are fully served by applications, then I really don't need access to the network.
And let's be frank, restricting access to the network is probably the best shift in security strategy we could make right now given the increasing incidents of malware, ransomware, and other nastyware. The fewer resources these destructive constructs can access, the better.
This is a real threat because the reality is that a hybrid—largely transitory—workforce is likely to pick up some nastyware and one day log into the VPN and then, BAM! You're in trouble. That's part of the reason a good VPN solution includes scans and health checks before anything else. But not all VPN solutions are good solutions, and some organizations don't require scans even if the VPN solution can provide it.
This doesn't mean sunshine and unicorns for application access solutions either. Because many of them are based on IP and, in an enterprise, there are a lot of IP addresses to manage.
The number of network devices a single NetOps must manage is alone significant – more than half are managing between 251 and 5000 devices. (NetDevOps Annual Survey)
Add to that my personal, private, home IP address and the personal, private, home IP addresses of everyone else who might be working from home today. Oh, and let's not forget the increasing number of machine-to-machine communications that need to be secured. Cisco’s Annual Internet Report predicts that "by 2023, there will be more than three times more networked devices on Earth than humans. About half of the global connections will be machine-to-machine connections."
The result is an untenable model that overwhelms operators, security teams, and ultimately the services and systems that must enforce the policies.
Identity is the Way
The security challenges associated with hybrid work are accretive to those arising from the rapid pace of digitization. Together, these challenges will drive security models toward an identity-centric approach. This approach considers not just human users, but machine users in the form of workloads, devices, and scripts. After all, workloads are increasingly as transitory as people. And ultimately, workload A is still workload A, no matter what IP it might be using. Just as I am still me, whether I'm in my home office or in the airport at Minneapolis, or at the office in Seattle.
While certainly IP may be a part of an identity-centric security policy, it is not the primary or determining factor for allowing access to a resource. Rather it becomes an attribute that helps determine what level of identity verification should be required.
If I'm on the VPN/corporate network, perhaps my credentials are enough. But if I'm not, then perhaps my credentials and a second factor should be required. And if I'm attempting access from a previously unseen IP address, perhaps there's a third factor.
Regardless of how IP address is used, it should no longer be used alone. Not even for workloads. After all, nastyware may be "on" the corporate network but should never be allowed access to applications and resources.
Furthermore, we need to expand our understanding of identity beyond people to the workloads, applications, and devices we increasingly rely on.
I'm sure I don't have to mention the debacle of SolarWinds. But were you aware of threats like Siloscape, described as "malware [that] pries open known vulnerabilities in web servers and databases so as to compromise Kubernetes nodes and to backdoor clusters" and the threat of misconfigured management consoles. Many management consoles are secured primarily by IP-based controls that end up disabled because they interfere with remote access—a must in today’s hybrid work model. A more robust, identity-based set of access control would provide protection against hijacking and unauthorized use, no matter the originating location. Additionally, robust identity-centric security would provide protection from compromised systems that attempt to infect, hijack, or otherwise exploit other resources from the safety of "the corporate network."
We have been slowly moving toward identity-based security for a long time. But the explosive growth of automation and digitization, along with a trend toward hybrid work models, will accelerate that movement until we finally ditch IP addresses as a primary method of access control.
Identity-centric security is the way.