Customer Advisory Board Conversations: Zero Trust and the Remote Workforce

Until the last 45 days, an organization’s industry, company culture and the role of an individual were the primary drivers behind remote working policies. Recently, however, we’ve seen an unprecedented shift to remote working due to concerns over Covid-19. For some organizations it’s been relatively uneventful; for others it has been a monumental change for their workforce, not to mention the stress on their IT and security teams.

During our recent security leader webinar, we took a quick poll of the participants to better understand the change and whether it’s here to stay. Before Covid-19, 43% of the participants said more than half of their workforce worked remotely. As expected, almost everyone is working remotely during the stay-at-home orders, with the exception of those determined to be essential. But looking ahead, 59% of the participants indicated that they expect more than half of their workforce to be remote. While this quick poll may not be statistically significant, it does seem to align with other recent polls (see Gartner).

| Percent of workforce that works remotely (n=69) | Pre-Covid19 Stay at Home | During Stay at Home | Post Stay at Home |
|---|---|---|---|
| Less than 25% | 37% | 3% | 13% |
| 26% – 50% | 21% | 3% | 28% |
| 51% – 75% | 22% | 18% | 35% |
| 76% or higher | 21% | 76% | 24% |

As the headlines indicate, the rush to enable a remote workforce, focused primarily on productivity, has come at the expense of corporate security policies. Employees who would normally be in the safe confines of their office and corporate network are now at home working on financials and contracts. A slew of unmanaged devices are now accessing corporate resources, including home computers and personal mobile devices, all in the name of business continuity. With this shift to remote working, ensuring that workers are productive AND secure is the primary objective.

Julie Talbot-Hubbard moderated the panel discussion and asked the panel, “Did you feel more prepared for this significant shift given your focus on Zero Trust?” Here’s what they said.

James Carder, CISO and VP LogRhythm Labs

We have a cloud first strategy, with 95% of our operation in the cloud and SaaS. Security also owns the identity budget and is the accountable party with IT being responsible for implementing and managing. We have a solid partnership with IT, so we have gone down the Zero Trust path together. With that approach, location is not a significant indicator of trust or the only indicator of trust in some cases. Because we were built on a Zero Trust model, we didn’t lose any security visibility when we transitioned to a completely remote workforce. Because we were following a Zero Trust model, we were minimally affected, with the exception of some capacity issues that we were able to quickly identify and rectify.

Morey Haber, CISO and CTO BeyondTrust

We have chosen a full cloud strategy for our IT resources when we combined organizations in 2018 (Lieberman, Bomgar and BeyondTrust). Because we were all in the cloud (over 90% of our applications), we had 60% of our workforce remote prior to COVID-19. We’re now at over 95% remote and there are only a few people that have to go to the office for a variety of reasons; there is just no way out of it. To that end, we were able to leverage our own remote access solution that we develop to provide secure remote access to our extended remote workforce.

For my team, the effort and changes were minimal to implement the technology and bridge the gap for the remainder of the staff now working from home. Finally, the last thing we did was ensure all remote access logs and monitoring were enhanced (detail turned on) and tagged to very appropriate user behavior. This is ultimately about the health and safety of our employees, so it wasn’t a painful shift having embraced the cloud for directory and identity services. That actually made it very easy to do.

Clint Maples, Program Security Advisor SigFig

We were fortunate to have started on the cloud first, Zero Trust path about two years ago. We also decided to issue laptops to all of our employees. I’ve been in organizations that, because of the lower up-front cost, opted to issue desktops to all of their employees and built much of their IT infrastructure on-site. We invested the time and resources to set up zero touch provisioning for our endpoints as well. This enabled us to order laptops from our vendors and ship them directly to our remote employees without needing to image or configure them in advance. This eliminated the need to spend 1-3 person hours setting up every new employee computer and dramatically increased the number of new devices we can onboard per day. As a small IT shop it’d be nearly impossible for us to support an entirely remote workforce without this in place. Our back office apps are in the cloud, we secure them with Single Sign On and Multi-Factor Authentication, and we can purchase, drop ship, provision, and remotely manage our laptop fleet. Having all of this in place allowed our employees to take their laptops home and work remotely without missing a beat.

A great question came in from the participants that was most likely reflective of most companies: But if you haven’t started on a Zero Trust initiative and weren’t really prepared, what should you do? Should you be actively pursuing transformation and meeting the demands of the current landscape, or should you be continuing to push status quo until they have more time and energy to focus on the future? Here’s what they said:

Julie Talbot-Hubbard, VP and Global General Manager, Identity and Data Management Optiv

I actually think that we’re going to see more companies adopt work from home post-Covid. I think some organizations have more trust in their security, but this will also prove that employees can be productive when they’re not in the office.

Morey Haber, CISO and CTO BeyondTrust

Sure, I’ll take a first stab. First, if you don’t have a good identity model, and a good relationship of identity to accounts, making people work from home gets really messy, really fast. The only other option is VPN to extend their persona, their system to tunnel into the environment as if they were in the office and then having to cross network zones or anything else that may be appropriate. If you focus on identity or you have a decent identity account relationship model already, whatever remote access technology you choose, it’s really not that hard to spin people up remotely. But it goes back to the foundation of your identity management.

James Carder, CISO and VP LogRhythm Labs

I think in the short term, if you weren’t ready for this, then you likely scrambled to ensure operational productivity and are most likely in a constant pursuit right now to regain the same level of security and other.  More than likely, even if you got operational capability back with this new normal of a remote workforce, you probably made concessions on security. You may have lost security visibility that you’re traditionally used to having.  So, as a security practitioner, you should be constantly in this pursuit phase until you get to a point where you can get all of that capability back.

Clint Maples, Program Security Advisor SigFig

I think one of our main jobs as security leaders is to win hearts and minds. If you’ve had to work hard over the years to collect political capital, and the current stay at home orders may have even earned you some additional goodwill, be careful how you spend it. I’d suggest focusing on stability, up-time, and enabling the business. It can be tempting to “never let a crisis go to waste” but change can be scary and the last thing you want to do is burn up all your goodwill by causing an outage or impacting business velocity. When things return to normal, invest your political capital to make the necessary changes to prepare for the possibility this all comes back in the fall.
