How do you secure the anywhere workplace? - an interview with Joe Robertson, Director of Information Security & EMEA CISO at Fortinet
For businesses around the world, the pandemic has shown that work is about what you do, not where you do it. The new workplace can now be anywhere, but with that freedom comes concerns for business security.
We spoke to Fortinet’s Director of Information Security, Joe Robertson, to get his perspective on the “Anywhere Workplace” and how businesses should be approaching our new normal going forward.
Q: Is the anywhere workplace a technology issue?
Frankly it is and it isn't! Really it’s been enabled by technology, but it's not being driven by technology. The anywhere workplace is evidence that a cultural change has occurred. This is in large part because of the COVID pandemic with people having to work at home. Workers proved over the course of a year and a half that they can still be productive, and they can still do the jobs that they used to do in the office.
So, the anywhere workplace is actually being driven by changing corporate cultures – that is a combination of top management promulgating directives like “thou shalt attend the office three or four days a week”, and employees pushing back because they've shown that they can work productively away from the office. A happy medium is hopefully starting to develop in most organisations, moderated by the human resource department, but also from a real estate perspective. Those expensive offices are shrinking and getting rearranged to have more hot desks, fewer fixed positions, more collaboration spaces, and more conference rooms, so that when people do come into the office, they can work together.
To put it briefly, the anywhere workplace is not the result of technology. It is a result of social changes that are going on, but it is enabled and is made possible by technology. That is why companies are looking to the technology to help them be as flexible as possible.
Q: If it's not a technology issue, but it's enabled by technology, how can businesses implement the anywhere workplace effectively?
I think there are three main areas that this boils down to. The first area that needs to be looked at is that connectivity within an office, which now has to have greater Wi-Fi and wireless LAN densities and greater security for them. Having the channels of the wireless LAN directly connected to the firewall, which is what we at Fortinet can do with a FortiGate and our FortiAP Access Points, is something that becomes very important for that office connectivity, whether it’s a branch office or a headquarters.
The second area is how you connect these different islands of users. The people in the branches, headquarters, or in the “anywhere office” all need access to their applications. Some applications are going to be in a data centre someplace and some of them are going to be in a cloud someplace. They need connectivity between where they're sitting and where the applications are. Here’s where we would be talking about things like secure software-defined WAN (SD-WAN).
The user cares about their connectivity, but the company cares about the security as well as connectivity. That's why secure SD-WAN is important. Other technologies are, too, such as SASE (secure access service edge), where all of that connectivity and the security is delivered from a cloud somewhere for access into the data centre.
Then the third area, which is crucial, is how you can be sure the person who's connecting is who they say they are and that the device that they're connecting with is protected. This one all comes down to authorisation and authentication technologies, which are moving away from VPNs to what we call zero trust. Zero trust is a phrase that the HR department hates because it sounds like we don't trust our employees, but technically all it says is we don't assume that just because you're plugged into an ethernet within our building that your device hasn’t been infected by some kind of malware. Or that just because you are connecting via the VPN, you are the person that you say you are. As for the individual, we insist on multi-factor authentication – just because you know the password doesn't mean we trust that it's you. We want another form of authentication, like a code of some sort.
Q: What are the pitfalls that businesses need to look out for?
Let’s take a look at each of those three areas I talked about: building connectivity, device interconnectivity, and identity management. Starting with the pitfalls within building connectivity, there you want to make sure that your firewall and your security are at the heart of your network. We call that security-driven networking because security is very complicated. It's not straightforward, like networking. Having it be the heart of your thinking is a very strong way of ensuring both connectivity and security.
If we look at that interconnectivity, the thing to be aware of is that a lot of people try to interconnect branches with SD-WAN, but you need to keep in mind that it has to be secure. When it comes to internet access into remote locations you want to make sure that this access isn't a two-way street, allowing attackers to get in.
As for the third area - identity management - it’s about making sure that you're dealing not just with the individuals, but the devices themselves. Are the devices protected? By combining network access control with identity management, that's what a whole zero trust environment looks like. It's about the combination of the individuals and the devices.
Q: How can businesses secure the anywhere workplace?
The biggest thing for securing the anywhere workplace is recognising that it is one environment, as opposed to a branch over here and homeworkers over there. It’s all manifestations of the same thing, so you want to be using the same technologies for all of them.
One of the key aspects is going to be zero trust access. Whether we’re at the office or at home, there are checks on our devices and multi-factor authentication. The fact that I'm in the office “behind the firewall” shouldn’t mean that I'm trusted, and I still need to go through the same authentication processes. In Fortinet’s implementation, the FortiGate is the core that gives you access to the applications that are appropriate to you but nothing else. Because it doesn't let you access other things, if an attacker gets your credentials, they may have access to certain applications, but they don't have access across the board, and that's very important.
Also again, making that networking access point integrated with the firewall so that you can put policies in place for individuals and for types of users so that they are accessing only what they're authorised to access.
Q: From your perspective as a thought leader, what are your takeaways from public discussion on the anywhere workplace?
The thing that is clear when I talk with people (and I talk with executives from lots of different types of organisations across Europe) is that almost everyone agrees that we're not going to go back to 2019. We're not going to go back to an environment where everyone comes into an office and is expected to be there five days a week. Employees have had a taste of more flexibility and they aren’t letting that go. Companies that do not provide flexibility are going to be losing staff. In fact, many are already.
The proof that we can be productive away from an office means that many people are looking to take jobs much further away from home than they previously were able to because they don't have to commute. Leadership teams within companies are going to have to not just supervise the people who are in the office, they're going to need to be creative to be inspiring people to come into the office for collaboration, while being flexible enough to provide them with other options for working.
The technology is there as an enabler. 20 years ago, the technology wasn't able to provide the same flexibility we have now. Fortunately, COVID didn't happen in the year 2000! Technology can be invested in to provide that flexibility to organisations. Ultimately, a technology that is static will not react to the evolutions that the next few years are going to bring for every organisation. Having flexibility and being able to react to changes in what the organisation requires is going to be one of the primary goals of the entire technology industry.