Security’s “New Normal”: Remote Working Supercharges the Shift to Cloud Security
 

With many organizations now expecting employees to continue working from home indefinitely, how will the future of IT security unfold? According to Scott Crawford, Head of Information Security Research for 451 Research, COVID-19 is supercharging trends that were already reshaping security—including the shift to cloud-based security solutions. In the session “Security’s New Normal: We’re Not Going Back, But Where are We Going?” at Mimecast’s 2020 Cyber Resilience Summit, Crawford describes how he expects IT organizations to leverage the cloud to safeguard people, assets, and networks distributed more widely than ever.

Outgrowing the Legacy of Homegrown IT Security

Even before COVID-19, organizations were rapidly expanding their use of cloud-based security tools, as part of a broader adoption of cloud-based applications. But many organizations still relied primarily on a security strategy originally developed for a legacy “homegrown IT” environment, in Crawford’s words: applications and resources within a data center on the enterprise’s premises, with resources it owned, operated, and exclusively controlled.

By the time COVID-19 exploded, organizations could extend access to employees virtually anywhere—but they often protected users via premises-based controls, segregating sensitive content and enterprise traffic from the public internet via VPNs. Safeguarding employees still meant bringing their data traffic onto the enterprise network to monitor their activity, filter content, enforce policies, and prevent threats such as malware and data theft.

Now, accelerated by COVID-19, this is changing fast. Entire workforces have been working from home, and Crawford says 38% of companies “expect expanded or universal work-at-home policies to be long-term or permanent.” Having invested heavily in remote work, organizations intend to drive as much value from it as possible. That’s speeding the transition to cloud-based applications—and similarly, Crawford, says, it will drive faster adoption of cloud-based security solutions.

Cloud Security Solves the Problem of Reaching Remote Devices

Why is this shift accelerating? First, says Crawford, the older enterprise network-centric security model is becoming unsustainable as networks grow more distributed. “It’s a problem of reach. How do enterprises deal not only with their own distributed sites, but an increasingly wide distribution of functionality? What about the growing landscape of mobile devices and remote users, and new endpoints such as IoT and operational technologies with more native computing capabilities, and more access to production networks and the enterprise?”

The number of client devices that enterprises need to manage will nearly double by 2024, Crawford notes, even without counting smart consumer devices. 5G will fuel the trend by making enterprise-class network availability and performance available in more locations. Only cloud security can offer the ubiquitous reach and scalability that’s needed to support this increasingly distributed and diverse environment. Enterprises will no longer have to funnel traffic from remote devices back through the data center in order to apply security controls: endpoints will get threat prevention, policy enforcement, monitoring, and response directly from the cloud.

Cloud Security Advantages: Agility, Cost, Faster Innovation

As Crawford argues, cloud security providers have proven that they can deliver the same compelling advantages of scale, elasticity, rapid deployment, and lower upfront cost that organizations are gaining from other cloud applications. And because organizations acquire security functionality via subscription, it’s possible to eliminate upfront investments and ongoing management costs. That can be particularly appealing to companies looking to restrict capital investment due to the financial impacts of COVID-19.

Using cloud-native technologies, providers can quickly spin up new functionality and distribute incremental improvements. “This is invaluable for security, which must respond to a fast-changing threat landscape. Cloud-based providers can rapidly see new threats emerge across their customer bases, and respond faster than individual organizations can,” Crawford says.

The cloud model also facilitates faster access to key innovations. For example, as machine learning matures, it’s becoming indispensable to operating and automating security at scale. Few organizations can afford huge investments in machine learning for security. But cloud providers can, by spreading costs across multiple customers.

Using cloud-based machine learning and related advances, enterprises may finally be able to move beyond traditional username/password-based access control, says Crawford. “We see a growing embrace of more sophisticated approaches to access control that relieve us from basing security strategies on simplistic notions of trust.” Historically, for example, some organizations have assumed that if you’re on the VPN, you’re trusted. But that’s an inadequate criterion for granting access to sensitive resources. With cloud-based, AI/ML-enabled security technology, it will be possible to make more fine-grained decisions about granting access, Crawford says. “We can consider context. An individual seeking to access an HR system from their home network might be acceptable, but the same user trying to access it from a robotics assembly system might be suspicious.” As systems mature, enterprises can grant access “not on trust, but on proof.”

Leveraging the Cloud for Email Security

Email remains the most business-critical application at many organizations. So it’s no surprise that attackers relentlessly seek to compromise enterprises via email content. Yet, says Crawford, “users are still presented with decisions about whether a message is trustworthy. The enterprise effectively leaves security in the hands of individuals who can’t possibly be security experts in all cases.”

Employees may have learned to recognize when a third-party domain looks suspicious. But what about email that seems to come from a trusted partner, or mail sent from a third-party on behalf of their own organization using its own domain and brandmarks?

Says Crawford, new email security technologies can make content demonstrate its authenticity and prove its veracity before it reaches a recipient. Equally important, email security intelligence can be increasingly integrated into security operations, providing timely information about email-borne attacks. This will help SecOps improve threat assessment, clarify attack origins and intents, limit penetration, contain impacts, and harden the organization against future attacks.

The Bottom Line

COVID-19 is accelerating the move to cloud-based security, helping enterprises of all sizes protect widely distributed environments. The cloud model is especially valuable in security, where speed, responsiveness, and scale are exceptionally critical. Cloud-enabled innovations will help organizations transcend traditional approaches to trust, assess emerging threats faster, and safeguard the entire organization.

Watch Scott Crawford’s full presentation and explore other insights into the emerging security landscape at Mimecast’s 2020 Cyber Resilience Summit.