The COVID-19 health emergency has forced many organizations to impose remote working practices on staff. The speed of change has highlighted the inherent weakness of a perimeter IT security model that applies different access controls to remote and office workers.

The temporary fix from stressed IT departments has been a rush to deploy more VPN capacity, but this approach ignores the more fundamental strategic need to move towards zero trust, identity-centric security.

Although not all jobs are suited to home working, many knowledge workers and service-based industries have attempted to shift staff into a home working schema supported by ICT. In the UK, and replicated globally, there have been varying levels of success, with some organizations finding that small-scale remote working provision has been simply unable to cope with total home working.

Several high-profile brands within financial services, legal, media and communications have had to suspend entire service offerings and contact center functions simply because systems were never designed for home working at such scale.

This is not a finger-pointing exercise: even robust business continuity planning, where organizations may expect to relocate to temporary offices in the event of a fire or flood, is stretched when moving from mostly centralized to completely decentralized almost overnight. There are many areas where cracks have resulted in failure.

One of the most common is secure access, where most organizations have a perimeter approach with a firewall/VPN acting as a guardian between the untrusted public internet and the safe corporate network.

However, this ‘safe network’ proposition is unsound: at least 34% of all breaches happened as a result of insider threat actors, at least according to the 2019 Data Breach Investigations Report. The issue with this perimeter approach is that it assumes most workers are in the office, so there is no need to validate each connection flowing within the corporate LAN/WAN.

In the current remote-working-centric model, the flow is mostly inbound and, as such, there has been a dramatic rise in the need for VPN and traffic inspection. This has led to short-term capacity issues, requiring more VPN, but also, architecturally, many organizations need to re-engineer their network flows.

To give just one common issue: a company using a SaaS application with a perimeter approach is now expecting remote workers to connect from home via the public internet to a centralized VPN in the office, which in turn makes a secure tunnel, again across the public internet, to the SaaS. With the public internet slowing down across the board as homebound workers and millions of students try to connect, this inefficient workflow is having a dramatic impact on performance.

In normal times, organizations would also throw more bandwidth at the problem, but most ISPs have either suspended or dramatically reduced the number of new DSL / FTC installations due to the impact of COVID-19.

Instead, more progressive organizations are examining how they can shift to a zero trust approach, which O’Reilly Media’s Zero Trust Networks succinctly sums up as five underlying principles: