This post originally appeared on LinkedIn.
A blizzard helped a fellow CISO understand a better way to do IT security and, in the process, prepared his organization for an even greater crisis a few years later.
I was talking with one of my CISO peers about adapting to various crises—in particular, natural disasters—and he relayed the following story to me. Early in his CISO career, he deployed company-wide security. The plan was straightforward, or so he thought: Build a single, centralized security control architecture. All traffic—local, branch office, remote user—would get routed through the “castle-and-moat” design, examined and inspected, then sent where it needed to go.
Centralized security controls promised a unified way for his security teams to keep threats at bay. It made sense strategically and financially: Replicating security at different locations would have multiplied the effort, the equipment, and the cost.
Early success was a ray of sunshine
His plan met with early success: his team’s security blocked a virulent malware attack and they all patted themselves on the back for a job well done. They had made the right decision! But his sunny centralization journey was experiencing a calm before the storm.
Their castle-and-moat security architecture routed all traffic from everywhere—including traffic bound for the internet—through their security stack. Security became a huge bottleneck. Users couldn’t access simple things like social media. Media applications such as YouTube slowed to a crawl. Important productivity applications became unusable.
The user experience degraded below an acceptable threshold, and people found new ways to use apps and services—ways that bypassed centralized security. The more protection the team put in place, the more latency was introduced, and the more people started using other channels to get online: Home networks, mobile connections, or public Wi-Fi. Employees avoided security by using unsecured links and unapproved proxies. Now the company’s network was less secure, and its highly prized (and highly expensive) security system was failing under the weight of the side effects caused by its intended use.
As a response, my CISO colleague was forced to do what he had tried to avoid: His security teams created three new data centers and cloned “centralized” security in each. In theory, this allowed people to get better performance by providing localized access, splitting one big, bottlenecked traffic load into three smaller distributed loads. It also tripled the cost, management, and complexity of their security footprint, but they could justify it with the hope of improved user experience.
Even with these new breakouts, the users still avoided security controls. Employees were used to accessing applications and services however they liked and were understandably reluctant to go back to indirect security routing.
Locked in at home, locked out of the network
That point got hammered home a few winters ago. During and after the blizzard, no employees could come into the office. Everybody was out of the “castle” and outside the perimeter protection of the company’s security “moat.” They had VPN access available, but as people jumped on VPNs and their traffic competed for limited bandwidth, app performance slowed to a crawl. Everybody stuck working from home defaulted to the path of least resistance to get things done: Home broadband, Wi-Fi, and mobile connections.
His security teams lost all control of any corporate devices not using their network. They couldn’t see anything employees were doing, or the status of device health, until users reconnected to the corporate network.
Once those devices rejoined the network, the security teams could see and stop malicious traffic. But the damage was already done: There was a huge increase in malicious traffic once devices reconnected. The blizzard buried my friend’s security teams in threats.
Through this experience, the team realized important truths about the changing workforce and began to realign their security strategy to be more flexible and resilient and to focus on user experience as a key component of security and access control. Here’s why:
- Users have a low tolerance for delay. Any security that is difficult, inconvenient, or prevents access WILL be ignored or bypassed.
- Centralized security is difficult (and expensive) to scale and can be inflexible to accommodate new circumstances. This is especially true now that enterprises are consuming more and more space in clouds and using “X”-as-a-Service (XaaS) to bolster infrastructure and increase productivity.
- Security must be inline between the user and the application. Users default to whatever gets them access to what they need, immediately. Enterprise security must support this behavior.
The team turned to SASE, which prepared them for 2020
My friend’s team realized that even though blizzards don’t occur every day, the workforce was changing, with more and more people working remotely. At the same time, the company was using as many cloud-delivered applications and services as they had in the data center. The castle-and-moat security model would not effectively secure employees connecting from home and on the road and would create a poor experience for those connecting to cloud apps.
They turned to SASE.
The secure access service edge (SASE) solution is a better alternative to a centralized security model. Cloud-based SASE positions security inline, securing every connection between users and applications, no matter where they (the users or the applications) sit. SASE security services are distributed across the cloud, near each user: Users can go directly to the internet to access applications, infrastructure, or data. This negates the need for backhauling all traffic through a central security stack and removes bottlenecks to SaaS applications like Salesforce.com and Microsoft 365.
Because the team learned from its experiences during and after the blizzard and adopted a SASE model, it was able to pivot quickly to a fully at-home workforce in the wake of the COVID crisis. While many organizations had to make do in the early days with overloaded VPN infrastructures and inadequate security, my friend’s organization was ready, thanks to SASE, and able to keep employees safe and productive, while maintaining security.
SASE is the future of security
A SASE cloud security platform is built to accommodate digital transformation and the modern enterprise, and it is an excellent way to ensure application and network performance and scalability. It allows users to directly access applications and services in the cloud without routing traffic through centralized security stacks that become bottlenecks for user experience. With a globally distributed platform, users are always only a short hop from their applications.
During unexpected crises of any size or duration, businesses need to be able to continue operations with minimal disruption. In this hyper-connected world in which the majority of business communications and activity is conducted over the internet, the answer is SASE.