Prior to the pandemic, traditional work practices involved staff travelling to an office to complete daily work tasks. With most starting and ending at the same time, peak-hour crushes in lifts and on public transport were a normal feature of the workday.
Fast forward just a couple of months and the world has changed dramatically. The vast majority of finance sector staff are continuing to work from home with only frontline and customer service teams reverting to office life. Even when current lockdown rules are relaxed, many staff will continue to remain where they are.
Indeed, many banks are looking at a future when a large proportion of staff will work predominantly from home and only attend the office for scheduled meetings or special events. All other work and communication will be handled remotely.
This seismic shift in work practices poses significant challenges when it comes to IT security. Staff still need to access core applications and data stores but, rather than using the office local area network (LAN), they must do so over the public internet.
In the pre-COVID workplace, IT security was usually provided through the deployment of a firewall and other security technologies. Everything within this digital perimeter was then deemed to be secure and staff could freely access the resources they required.
Now, things are very different. A staff member is just as likely to be working from a home office, potentially using a private personal computer or mobile device. Access will often be via an in-home Wi-Fi network and a retail internet connection.
When only a relatively small proportion of finance-sector workers were working remotely, this challenge was overcome through the use of virtual private networks (VPNs). VPNs create a secure and encrypted link from the user’s home-based device into the company’s data centre and network. The worker can then be treated in the same way as they would be when based in the office.
However, traditional VPNs have numerous limitations which are exacerbated when remote worker numbers explode. Departments are forced to increase VPN capacity in their data centres or find an alternative approach. In order to facilitate the significant increase in numbers, some have turned to VPN concentrators located in disaster recovery facilities. While these were supposed to be kept in reserve for when disruption hit the main data centre, they’re now being put to work to support home-based staff.
Other firms have rushed to purchase and deploy new VPN concentrators. While this can be done, it requires additional capital expenditure. The hardware typically takes months to ship, sometimes requires weeks to set up, is constrained by capacity limits and creates a poor experience that impacts user productivity. VPNs force traffic to be backhauled through a data centre just to get access to the internet, SaaS applications or public cloud applications, leading to unwanted latency. Not to mention, this forces IT to invest in expensive, short-term fixes that lead to purchasing outdated infrastructure that may never result in a return on investment once COVID-19 is over.
The challenge becomes even more acute when staff are expected to use cloud-based resources such as Microsoft Office 365 and Teams. With VPN security in place, traffic from the home office must be transmitted firstly to the corporate data centre and then out to the Microsoft cloud. Returning data must come back via a similar path.
The result is often significant decreases in performance when compared with the usual in-office experience. Slow response times and issues with availability have a big impact on productivity which leads to rises in user frustration.
The benefits of a ‘zero trust’ approach
A better approach for banks and finance firms is to adopt a strategy dubbed “zero trust”. The zero trust architecture shifts security functions to focus on protecting the user/device in any location, rather than securing a network perimeter that is eroding away. This ensures that users get secure, fast, and optimised connections, no matter where they are connecting from or which device they are using.
Once all the components of an IT infrastructure have been secured, the perimeter becomes meaningless. Users can access cloud services directly and enjoy the same high levels of performance from data centre-based applications and stores.
Unfortunately, industry research shows relatively few finance-sector firms have so far embraced zero trust. However, with working patterns now irrevocably changed, this number is expected to increase quickly.
Taking the time today to investigate this strategy and how it can add value to workers in your firm will pay big dividends in the future. It’s time to begin your journey to zero trust now.
Budd Ilic, ANZ country manager, Zscaler