Excerpts from a conversation with Naveen Palavalli, VP of Products, Netskope, in which he speaks about the importance of hybrid work and how the zero-trust model will ideally suit the hybrid work era.

Why do you think hybrid work is here to stay?

Hybrid work requires the ability to access the applications and data needed to do the job from any device or location. Earlier reserved to a small set of employees and use cases, hybrid work has evolved significantly in the past few years and has become a prominent feature in many organizations post-pandemic, mainly to provide the flexibility for employees to work from any location of their choice and save on the real estate costs by minimizing office spaces. As we look ahead, there is no doubt that hybrid work is here to stay. Post-pandemic, organizations have realized that employees value flexible work environments and retain and attract the talent they need to support this new reality of hybrid work regardless of the maturity of their digital transformation initiatives.

A study titled 'Recruit, Retain and Grow', conducted by Poly, found that 74% of Indian employers believe that the hybrid working model is here to stay. Interestingly too, 86% of Indian employers have seen an increase in productivity since the shift to hybrid work.

What are the big challenges being faced by Indian organizations as a result of the shift to hybrid work?

Not only in India but across the globe we have witnessed organizations facing network and security-related challenges as a result of the hybrid work shift. Some of the major challenges include:

Poor user experience: Many organizations continue to rely on the legacy perimeter-based network architectures that backhaul all the traffic to centralized servers for security inspection and policy enforcement. The traffic is then routed back out to the internet, where the majority of applications and data resided. This adds to the network latency and results in a poor user experience, impacting productivity.

Limited visibility and control: To circumvent the above problem, many organizations allow direct connectivity to data and applications hosted across web, SaaS, and IaaS environments. This renders the enterprise security solutions blind to direct-to-cloud traffic, limiting their visibility and control over data, threats facing users like ransomware and phishing, and user behaviour, increasing the overall risk posture of the organizations. Organizations need to have real-time control over data moving to and from the clouds or between the clouds to prevent sensitive data loss. Additionally, the security posture of personal devices connecting to corporate resources must be thoroughly verified to mitigate the threat attack surface.

Increasing deployment and operating costs and complexity: Further to avoid network performance issues, organizations started shoring up their existing legacy architectures, when ideally, they should have moved to a cloud-first deployment model. Reliance on MPLS and VPN infrastructure greatly increased network costs, while security teams were forced to bear the complexity of leveraging a number of siloed security tools in order to secure access to the web, cloud, and private app resources.

A solution to these hybrid work challenges can be found in the adoption of a Secure Access Service Edge (SASE) framework. While the term SASE was only coined by Gartner in 2019, it has quickly risen through the ranks to become one of the biggest technology trends in recent times. SASE converges networking solutions such as software-defined WAN (SD-WAN) with ‘Security Service Edge’ (SSE) security solutions such as secure web gateway (SWG), cloud access security broker (CASB), zero-trust network access (ZTNA), data loss prevention (DLP) and cloud firewall on a unified, cloud-native architecture, allowing secure access to corporate resources hosted anywhere from users and devices located anywhere. This is the perfect blueprint for enabling hybrid work. It will not only allow ubiquitous access to critical data and solve network performance-related issues, but also enable complete visibility and control over the data and users to mitigate security risks, allowing organizations to remain sustainable, secure, and cost-effective while driving their hybrid work initiatives.

What is Zero Trust and how can it help in this situation?

Zero trust is a security concept based on the premise that resources should not place implicit trust in any entity that wants to connect, and access to resources should be granted in a "least privileged" manner after evaluation of several contextual elements, including user identity, device identity, device security posture, geolocation, time of the day, the sensitivity of the data being accessed, etc.

The zero-trust model is ideally suited for the hybrid work era. For example, zero-trust network access (ZTNA), built using zero-trust principles, can provide fast, secure, and direct access to private applications hosted anywhere, improving the user experience and eliminating the need for expensive VPN and MPLS deployments. Another example would be eliminating the risks through context-driven access to specific resources while concealing the rest of the resources. For example, an employee using a secured corporate device can be granted full access to an application hosting sensitive data, while changing the access permissions to read-only mode when using a personal device. Of course, access is granted only after the posture of the device passes through all the mandatory security checks.

What advice would you give to any organization starting out on a zero-trust journey?

First of all, organizations must realize that zero trust is not a single product or solution, but a set of guiding principles that allows them to transform their underlying technology architecture to defend against internal and external threats. While a traditional and most common approach would be to start with protecting the network and enabling direct-to-cloud access with zero trust network access (ZTNA) and MFA/SSO solutions, at Netskope we recommend a holistic security approach with transformation across networks, clouds, and data. Network transformation should maximize cloud-based functions and reduce requirements for expensive and often illogical network choices. Cloud transformation entails consolidating the trust controls for web, SaaS, and IaaS traffic in a single platform, generating deeper visibility into applications, users, and devices, along with insights into company vs personal app instances for establishing context-driven access. Data transformation focuses on uncovering the behavior anomalies and refining the trust posture to protect the data at rest, in motion, and use.