Applying Enterprise Access Lessons From COVID-19
The pandemic showed that VPNs were no longer the gold standard when it came to network access
COVID-19 is impacting our world in many ways. One likely consequence of the pandemic will be an increase in mergers and acquisitions as the strong take over the struggling. In mid-July, Barron’s declared, “Merger Monday is Back.” “So far in July, about $52 billion in deals have been announced in North America and Western Europe,” compared to $34B in all of July 2019.
How does an acquisition impact IT and security teams? They suddenly must simultaneously plan and implement a strategy to give various levels of access to an entirely new set of employees, third parties, contractors and suppliers. In a sense, it is the COVID-19 shutdown all over again, with many of the same objectives and challenges that require addressing.
When employees around the world were told to work from home in March, COVID-19 revealed some fundamental weaknesses in corporate networks, especially with legacy VPN solutions. Many of these limitations such as onboarding new users, scalability and ease of deployment, are applicable to M&A scenarios and quite frankly have been known for years but have never been put to the test. Until somewhat recently, VPNs had been accepted as the gold standard. Fast forward to today.
Security teams quickly realized that they lack visibility into, and have no control over, what is happening through VPN communication. They have no visibility when employees circumvent their VPN to access cloud-based apps from personal devices. To understand what is happening is far too complex and manual of a process to be effective. The team is deluged with raw logs lacking context. This means they must manually build the alerts, the connections to the SIEM and more. They must ingest sessions, then sets of sessions to understand what happened at a point in time or over a period of time. Raw logs and the process of interpreting, learning, reinterpreting them over a period of months, coupled with already overburdened security staff and hundreds of daily security alerts, clearly do not scale, nor is it an effective strategy.
During the pandemic, the downside of VPNs fully revealed themselves as impediments to not just access but also business continuity, and now enterprises are faced with addressing this growing issue as WFH becomes a long-term or even permanent solution for some organizations. Add to this a merger or an acquisition, and you have the perfect storm. For example, poor user experience is not sustainable when VPNs are overtaxed due to remote work. The need for immediate scale was met with roadblocks such as licensing issues and operational challenges, including hardware upgrades, adding agents to endpoints and other scalability issues. No company was immune. Even Cisco Systems was forced to ration VPN access for staff as the strain of 100,000+ home workers hit its network. As VPN infrastructure rose in importance to the enterprise, attackers took notice and started attacking it.
In addition, an argument can be made that pre-COVID, VPNs benefited from the sunk-cost fallacy. According to behavioral economist Daniel Kahneman, co-recipient of the Nobel Prize for Economics in 2002, people tend to “throw good money after bad” in part to avoid feelings of regret. In business, this results in investing in projects because they have already consumed a lot of resources.
With the painful lessons about their VPN infrastructure still fresh, the sunk-cost fallacy is no longer enough. Too much has been revealed by this crisis. So what is an organization to do? There are better ways forward than investing further in legacy VPN infrastructure. Right in the middle of the pandemic, in June, Gartner laid out a road map for a better way forward in its Market Guide for Zero Trust Network Access (ZTNA). Gartner’s recommendation is to augment VPN access infrastructure with ZTNA solutions.
An acquisition is an ideal situation to apply the access lessons learned during COVID-19. ZTNA solutions offer a modern approach to a modern problem. Business leadership is all about managing change. The ZTNA market has emerged at a fortuitous time, when a crisis revealed the manifest weaknesses of legacy VPN solutions, from the poor user experience to the difficulty operating the infrastructure, to additional security risks faced by the organization.
