Nearly three years on from the COVID-19 pandemic forcing swathes of the global workforce out of the office and into semi-permanent remote working environments, many firms still face the question of how to optimise the employee experience without compromising on vital security features.
While each panellist at Computing's Deskflix: Identity & Access Management event this week approached hybrid security differently, they all agreed that the challenge was not in the initial move, but in ongoing support.
"We've transitioned completely to a laptop environment," said Terry Willis, Director of Technology at the Church of England, "and we use different technologies to make that happen and secure those devices remotely. Our world was predicated on a single corporate network [pre-pandemic], and now it's made up of diverse endpoints that could be anywhere from Australia to Amersham."
The Church found it very easy to shift to remote working, as it regularly ran remote days and staff already had laptops. It was even easier for Nick Ioannou, Information Security Officer at Goodlord, an eight-year-old startup that was already completely cloud based.
"All we had was laptops, no infrastructure whatsoever... There was no pain other than, instead of everyone being in one building we were dealing with issues like internet speeds aren't what people think when they're actually working from home. But the thing worked really well because we were geared up to one hundred percent cloud from the very start... We more than doubled in size during the pandemic."
On the other end of the scale is Bucks County, Pennsylvania, where John Regula is the CIO.
"As a government service agency, we still had many services that had to be conducted in-house: our emergency services, our correctional facilities, our skilled nursing facilities still had to operate throughout the pandemic... We were forced to ramp up education as far as what security tools and measures had to be used.
"We got to deploy 1,800 new laptops between 2020 and 2021, and we were just rolling out MFA at the time, so to get both of those delivered we had to do it in stages... We were not at the security posture we wanted to be, but we grew there pragmatically and quickly."
'Convenient' doesn't mean 'easy'
Working from home is a big draw when employees are looking for a new role, but their convenience can mean headaches for IT and business leaders, who have to deal with issues around onboarding, education and culture.
"Onboarding users [is our biggest challenge]," said Nick, describing Goodlord's habit of not using email internally - all internal communication is done via instant messaging and video calls, which can be a culture shift for new joiners. "We've definitely evolved the process... We've moved in-person onboarding to Google Meet and sharing screens, and it works just as well."
For John, the issue is around education. His biggest headache of recent years is "trying to help people through navigating their own home environment to communicate with the County."
"Many of our employees either borrowed internet, did not have sufficient internet or did not have a sufficient home environment to properly conduct County work. Putting up guidelines and protocols for them to follow, and even having them ask the right questions of their ISP [was helpful]... It's really an 'off my network' concern, but it really was a concern to try and help all of our employees sustain at home what we're asking them to do. So really, navigating protocols for home environment use from an employee perspective was the largest challenge."
The Church of England, meanwhile, has streamlined its onboarding process:
"We reimagined the [laptop rollout] process from start to finish," said Terry. "We're primarily a Microsoft stack, so we use Autopilot. We ship laptops directly to end-users and we email them a PDF that says, 'Here are the three steps you go through', and that device sets it up in their home...
"The non-technical parts, the logistical and administrative parts, were probably the biggest challenge."
Zeroing in on security holes
Of course, security remains an ongoing challenge, and hybrid working has exposed new vulnerabilities on corporate networks around the world.
Zero trust is an increasingly popular approach to address these issues in the remote working era. Under zero trust, people only have access to the systems they need to do their job, rather than unrestricted access to every file and folder on the network.
"When you look at somebody 10, 15, 20 years ago, when you logged in you got all of your network access and rights," said John. "You would connect and have access to the network, and you could move about freely, both vertically and horizontally. Now, we're tying access requests to a specific resource."
Goodlord adopted zero trust in 2021, helped by the fact that the business operates on Chrome Enterprise. Zero trust is built into Chrome, where it's known as Context-Aware Access.
"Basically even if you have a username, password and two-factor [authentication], you still can't log in," explained Nick. "Your device still has to be approved, plus loads of other conditions have to be met as well. It meant we could actually trust who was using what, rather than just sending out credentials and seeing various devices in the logs and wondering who owned what. Now unless we approve the device, it doesn't hit the system."
Even the Church of England, which many might think of as a legacy institution, has taken on a form of zero trust, buying an off-the-shelf product last year.
"We're also tying in a multi-layer approach," said Terry. "We're primarily a Microsoft stack so we use conditional access and set rules around that. When people log in we direct them to the asset they need, in a very similar way to John. We have a solution that allows us to do that.
"We still have a small amount of infrastructure sitting in a datacentre, so that allows us to have a line directly into the datacentre, but outside of that it gives us this shield of trust from the internet, which is multi-layered and conditional access and other Microsoft technologies underneath, protecting the end-user."