Securing our Future Workplace

By James Shira, Network & US Chief Information & Technology Officer and Chief Information Security Officer, PwC

COVID-19 ushered in the era of remote work practically overnight. Even when considering the prospect of vaccines and a safe return to the office, working remotely partially or full-time will remain the ‘future of work’ for many organizations. This future workplace not only affects corporate culture and ways of working, it also turns the traditional network paradigm on its head. For many, this relocates endpoints - such as laptops and mobile devices - from inside a corporate network to a personal home network. In this new hybrid working environment, organizations should prioritize hardening their endpoints, while also preparing for the evolved role of the endpoint in the next three to five years.

Traditionally, companies have built their security model under the assumption that endpoints stay within the “four walls” of a company - i.e., endpoint devices remain physically located in an office and access applications and systems hosted in an organization’s data center. In this model, protective controls are emphasized at the perimeter (e.g., firewalls, IDS/IPS) securing endpoints from the ‘outside-in’. Throughout the years, the shift to an increasingly mobile workforce and exponential growth of the cloud have redefined the network perimeter and dissolved the “four walls.” 

And, given the events of COVID-19 and workers using their endpoints at home, corporate devices are now more often than not co-mingling on a home network with personal devices such as home computers, smart TVs, and other increasingly popular “Internet-of-Things” (IoT) devices. Organizations cannot confirm the security of these other personal devices, which presents an increased attack surface for corporate endpoints. Therefore, security controls must be pushed from the traditional perimeter down to the endpoint itself.

Several years ago, we made a strategic decision at PwC to embrace an inverted network architecture. Several organizational factors, including our size, geographic distribution, and frequent workforce travel, drove this decision. In practice, many of our servers and applications are hosted in the cloud rather than a traditional data center, a particular flavor of inverted network architecture known as an “Internet-first” architecture. As part of this model, we emphasize security in our cloud environments and at our endpoints. Key endpoint security controls include, but are not limited to:

  • Routine patching of the endpoint operating system and its applications;
  • Utilizing defensive tools, such as anti-virus, anti-malware, and endpoint detection and response (EDR);
  • Fine-tuning data loss prevention (DLP) rules to detect untoward usage of data; and
  • Encrypting the endpoint hard drive, as well as certain confidential data on the endpoint.

We also have embraced endpoint-adjacent security controls, such as using cloud-native solutions, creating realistic security awareness training (e.g., securing your endpoint in a co-mingled environment), and bolstering our logging and monitoring of endpoints.

The above controls are “table stakes” for meeting the current risks we face. Companies that do not embrace these capabilities should evaluate their ability to do so. If constrained by budget, you should focus on unlocking untapped value in existing products and contracts. For example, it may be exciting to discuss the acquisition of a cutting-edge threat prevention tool, but you also greatly reduce risk by prioritizing the patching of existing vulnerable endpoints.

Endpoint-centric security controls can assist your organization in meeting current needs. However, with trends such as cloud-first adoption and browser-based applications - leading to an “Internet-first architecture” - the role of the endpoint will evolve again. In three to five years, I foresee the simplification of the endpoint, given that the intensive processing, memory, and data storage needs will happen in the cloud. Not only does this have an impact on cost, but it also changes the visibility required to secure data. So how do we shift our monitoring capabilities? Ultimately, security controls may become simpler at a high level, but moving towards an Internet-first paradigm means that custom applications built for a specific business need are stored on the Internet, with potentially robust security controls around them.

In addition to hardening your endpoint estate to address the risks of today, plan to have more of your security controls in the cloud, closer to the data you are trying to protect.

PETER VOGEL (MS Computer Science and JD)

IT, XaaS, Cyber, Privacy, AI, IP, Cloud, CRM, eCommerce, ERP, Crypto-NFT-Blockchain, eDiscovery, Arbitrator, Mediator, Court-Appointed Neutral, Trial Lawyer, Board Director, Blogger & lawyer at VOGEL IT LAW.

4y

Thanks for sharing this Jon Murphy!

Mike Davis (SMB Security Advocate)

CISO. Cyber acumen and savvy effectively and affordably applied. Resource what really matters – minimize your cyber risks worry. Experienced virtual / fractional CISO and ERM/GRC programs. CISSP, MSEE, PM, etc.

4y

Thanks, concur on bolstering cloud and endpoint security as focal points (below excerpts). I would also assess and optimize email and browser security, URL filtering, FW/IDS settings, system monitoring (SIEM), cyber hygiene posture, and verify your backups are secure. “... making this particular flavor of an inverted network architecture known as an “Internet-first” architecture. As part of this model, we emphasize security in our cloud environments and at our endpoints. Key endpoint security controls include, but are not limited to: —Routine patching of the endpoint operating system and its applications; —Utilizing defensive tools, such as anti-virus, anti-malware, and endpoint detection and response (EDR); —Fine-tuning data loss prevention (DLP) rules to detect untoward usage of data; and —Encrypting the endpoint hard drive, as well as certain confidential data on the endpoint. —We also have embraced endpoint-adjacent security controls, such as using cloud-native solutions, creating realistic security awareness training, and bolstering our logging and monitoring of endpoints. The above controls are “table stakes” for meeting the current risks we face

Matt DeTroia

Senior Vice President - Technology, Media, Communications

4y

Thank you for sharing - Great insight and guidance
