David Turner, Managing Director of MSC Digital, outlines the key features of technology design to ensure your organisation can support a complete or partial remote-first workforce
With COVID-19 restrictions easing, it is likely that most organisations will continue to embrace remote work for certain types of jobs, either fully or partially. However, while fast and reliable Internet connectivity makes it simple for staff to work from any Internet-connected device, the challenge is to provide a consistent and uniform user experience regardless of the users’ location.
Technology infrastructure has traditionally been architected to accommodate a workforce that is physically located in an organisation’s offices. This architecture creates an environment with a “perimeter” where everything inside is controlled, monitored, secured and managed by the technology team, and nothing outside is trusted.
With much of your workforce no longer working from a central office or using a corporate network (WAN), they are now outside the perimeter, yet the traditional architecture routes them via a Virtual Private Network (VPN) back inside the perimeter so their interactions can be managed as though they are located physically in the organisation’s office building.
Designing for remote-first workplace technology
Providing a uniform experience regardless of user location requires a significant shift in strategy and considerable changes in the use of technology, because the traditional concept of a corporate perimeter becomes redundant and counterproductive.
With the Internet providing fast, resilient and always-on user connectivity, the WAN becomes redundant. The new imperative is to get your users onto the Internet as quickly as possible and to minimise the inline steps between their device and the data, applications or digital services they need to access, whether from a remote location or from your office.
Specifically, rethink any part of your infrastructure that is involved in authenticating, routing or filtering user traffic (domain controllers, firewalls, licence servers, certificate servers, etc.).
A cloud-based approach offers the simplest, most effective and efficient solution for remote working at scale, with cloud-native services handling identity management, device management, assured connectivity and security services in place of the traditional gateways, domain controllers and myriad legacy infrastructure components.
Without a corporate WAN or perimeter to secure, we must now trust the endpoints (users, devices and services they connect to), not the transport mechanism – leading us into “Zero Trust” territory.
Zero Trust is not a technology. It is a philosophy, an approach, and a framework. It will ultimately require a change of both technologies and processes.
The basic principles for architecting or designing a Zero Trust technology platform are as follows:
- Trust your endpoints (devices and services), not the network.
- The network is just a conduit – focus monitoring on devices and services.
- Replace complex systems with simple cloud-hosted IdAM and UEM solutions.
- Create a single strong user identity.
- Create a strong device identity.
- Authenticate everywhere.
- Know the health of your devices and services.
- Set policies according to the value of the service or data.
The core building blocks of a Zero Trust security strategy are the cloud-hosted IdAM and UEM solutions.
The UEM service provides intelligent management and control of devices with assurance that the devices have the appropriate security and protection. It also regulates and controls application access and software licensing and provides automated updates and patching.
The IdAM service can replace Active Directory, security appliances and traditional multi-factor authentication, and provide secure authentication without a VPN. Ensure your IdAM solution can ingest all identities regardless of type and from identity stores at any location (on-premises or in the cloud).
With central IdAM management, the onboarding and offboarding of users (the Joiners/Movers/Leavers process) can also be simplified, synchronised and automated.
Security in a Zero Trust environment is based on a strict identity verification process so that only authenticated and authorised users and devices can access services, applications and data. At the same time, it protects those applications and users from advanced threats on the Internet.
Since the cloud UEM/IdAM services grant access to a specific service or resource rather than to the whole network, there is no lateral movement across the enterprise and the attack surface is minimised.
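The principles above (authenticate everywhere, know the health of your devices, set policy by the value of the data, grant access per service rather than to the network) are easiest to see as a policy decision point. The following is an added example written for this article, not code from MSC Digital or from any IdAM or UEM product; the user, device and service fields, the health checks and the per-sensitivity rules are assumptions chosen to illustrate the approach, and the sample users, devices and services are constructed.

```python
"""Zero Trust policy decision point, constructed example.

Access is decided per named service, never for "the network". The decision
depends on the strength of the user identity (what an IdAM service would
assert), the health of the device (what a UEM service would report) and the
sensitivity of the data behind the service. Network location is deliberately
not an input, even though the device context carries it.
"""
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """Value of the data behind a service; policy tightens as it rises."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3


@dataclass(frozen=True)
class UserContext:          # hypothetical shape of an IdAM assertion
    user_id: str
    authenticated: bool     # identity verified by the IdAM service
    mfa_passed: bool
    groups: frozenset


@dataclass(frozen=True)
class DeviceContext:        # hypothetical shape of a UEM health report
    device_id: str
    uem_enrolled: bool
    disk_encrypted: bool
    os_patched: bool
    hours_since_checkin: float
    on_corporate_lan: bool  # present on purpose: the policy never reads it


@dataclass(frozen=True)
class Service:
    name: str
    sensitivity: Sensitivity
    allowed_groups: frozenset   # only consulted for RESTRICTED services


@dataclass(frozen=True)
class Decision:
    allow: bool
    service: str        # the single service the grant applies to
    reasons: tuple      # why access was refused; empty when allowed


def device_health_failures(device: DeviceContext) -> tuple:
    """Return the UEM health checks the device fails (empty tuple = healthy)."""
    failures = []
    if not device.uem_enrolled:
        failures.append("device not enrolled in UEM")
    if not device.disk_encrypted:
        failures.append("disk not encrypted")
    if not device.os_patched:
        failures.append("OS patches missing")
    if device.hours_since_checkin > 24:
        failures.append("device has not reported to UEM in the last 24h")
    return tuple(failures)


def evaluate(user: UserContext, device: DeviceContext, service: Service) -> Decision:
    """Decide access to one service; requirements rise with data sensitivity."""
    reasons = []
    level = service.sensitivity

    # Authenticate everywhere: anything beyond PUBLIC needs a verified identity.
    if level >= Sensitivity.INTERNAL and not user.authenticated:
        reasons.append("identity not verified by IdAM")
    # Strong user identity for valuable data: MFA from CONFIDENTIAL upwards.
    if level >= Sensitivity.CONFIDENTIAL and not user.mfa_passed:
        reasons.append("MFA required")

    # Know the health of your devices: enrolment for INTERNAL, full health above it.
    if level >= Sensitivity.CONFIDENTIAL:
        reasons.extend(device_health_failures(device))
    elif level >= Sensitivity.INTERNAL and not device.uem_enrolled:
        reasons.append("device not enrolled in UEM")

    # Policy by value of the data: RESTRICTED services are also group-scoped.
    if level >= Sensitivity.RESTRICTED and not (user.groups & service.allowed_groups):
        reasons.append("user not in an authorised group")

    return Decision(allow=not reasons, service=service.name, reasons=tuple(reasons))


# Constructed sample identities, devices and services (not real data).
PAYROLL = Service("payroll", Sensitivity.RESTRICTED, frozenset({"finance"}))
WIKI = Service("wiki", Sensitivity.INTERNAL, frozenset())
ALICE = UserContext("alice", authenticated=True, mfa_passed=True, groups=frozenset({"finance"}))
BOB = UserContext("bob", authenticated=True, mfa_passed=False, groups=frozenset({"finance"}))
HEALTHY_LAPTOP = DeviceContext("lt-01", True, True, True, 2.0, on_corporate_lan=False)
STALE_LAPTOP = DeviceContext("lt-02", True, True, False, 72.0, on_corporate_lan=True)

if __name__ == "__main__":
    for u, d, s in [(ALICE, HEALTHY_LAPTOP, PAYROLL), (ALICE, STALE_LAPTOP, PAYROLL),
                    (BOB, HEALTHY_LAPTOP, PAYROLL), (BOB, STALE_LAPTOP, WIKI)]:
        dec = evaluate(u, d, s)
        print(f"{u.user_id}@{d.device_id} -> {s.name}: "
              f"{'ALLOW' if dec.allow else 'DENY ' + str(dec.reasons)}")
```

The stale laptop in the sample is on the corporate LAN and is still refused the payroll service, while the healthy remote laptop is allowed: location plays no part in the decision. A refusal names every failed check rather than the first one, which is what a UEM or IdAM console needs in order to tell the user what to fix.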
Data classification becomes crucial in a Zero Trust environment, so DLP (Data Loss Prevention) rules can be defined and applied – with Google Cloud Data Loss Prevention, for example.
In summary, the key features of workplace technology design for a remote-first workforce are:
- No WAN required – The Internet is the network.
- Trust the endpoints, not the network.
- No perimeter or gateways.
- Minimise the inline steps between the device and the service.
- Cloud IdAM and UEM services.
- No Virtual Private Network (VPN).
- Secure the user, the device and the service (application, data or digital service).
- Classify all data for DLP rules.
MSC Digital is an independent consultancy formed specifically to assist government, public sector, charity, and voluntary sector organisations with transforming their technology environments.
If we can assist with your workplace technology transformation journey, please contact us at email@example.com. You can also find us on G-Cloud in the Digital Marketplace.
Very few elements are required to effectively accommodate a remote-first workforce:
- A modern wireless device (laptop, tablet, smartphone).
- Wi-Fi connectivity.
- Internet connectivity.
- A cloud-based Unified Endpoint Management (UEM) service.
- A cloud-based Identity and Access Management (IdAM) service.
- Cloud-based productivity tools (Google Workspace or Microsoft 365).
- Digital communications tools (Teams, Zoom, Google Meet).
- SaaS business applications as required (with SSO).
- Cloud hosting for any data or legacy applications that cannot be consumed as SaaS.
*Please note: This is a commercial profile
© 2019. This work is licensed under CC-BY-NC-ND.