10 minute read 4 May 2020

How to build crisis-ready remote access capabilities

As the pandemic stress-tests your resiliency strategy and remote working is the new normal, how can you keep the business running?

Most firms prepare for unexpected events, including natural calamities, geopolitical crises and cyber-attacks. But despite these investments, they are almost always severely underprepared when facing unique, “once in a generation” scenarios. They must scramble to react and keep the business running.

The COVID-19 pandemic has tested even the most robust resiliency strategy. Few contingency plans envisioned an extremely rapid transition to 100% remote working with social distancing restrictions. But firms have had no choice, and they are now pushing the boundaries of solutions that were intended only to augment core capabilities. These solutions are now critical infrastructure for the foreseeable future as they support the virtual enterprise.

As the pandemic continues, what steps can technology leadership take to ensure they are ready for what lies ahead?

Over the years, technology has progressed significantly, allowing employees to increasingly turn their home into a remote office, for some occasionally and for others full-time. Firms have grappled with the idea, and with finding the balance of productivity, creativity and accountability, as they continue to refine their policies. The capabilities of a virtual office can vary significantly based on the firm’s maturity across several key technologies and the complexity of providing a secure, stable experience to remote workers. Some of these include:

  • Virtual private networks (VPNs): The most common solution for remote access, usually providing unrestricted access to corporate resources
  • Virtual desktop access (VDI): Accessing a corporate-imaged virtual machine in the data center through a corporate internet gateway or directly in the cloud
  • Application-level access: Accessing a set of corporate applications over the internet (internal or external applications)
  • Mobile access to applications: Accessing email and other applications via managed mobile devices
  • Direct access to cloud-based applications (without the need for a VPN)
  • Access to collaboration and communication tools, including video, file sharing, and chat solutions

Chapter 1

Know your users

Creating personas for key user types will help you get a handle on varying system and application needs.

It is important to note that remote working may not be a viable option for every business function at all times. While some capabilities can be performed outside of the office, others may require employees to be onsite. It is vital for firms to understand which parts of their business can continue to operate in a remote capacity. In all cases it is important to ensure security hardening and immutability of the changes to the environment, locking down all of the configurations, such as network and access control. Moreover, some of the changes, like direct internet access, may require additional security monitoring and tooling.

Unlike a regional disaster or weather event, the pandemic is forcing all employees globally to stay home to limit viral exposure and slow the spread of the disease. When large numbers of resources work remotely for an extended time, remote connectivity networks see much heavier-than-normal traffic, causing capacity and load-related access issues.

Here are some key questions to help you assess your current state:

  • Do you understand the types of users in your environment? 
  • Do your remote worker solutions cover all necessary capabilities for users to do their jobs for extended periods?
  • How closely is your end-user service catalog aligned to the needs of your users and business demands?
  • What is your current capacity to support a remote workforce? Do you know what your lower and upper limits are?
  • What is your burstable capacity strategy? Is your cloud strategy adaptable enough to support it?
  • What levers could you pull to manage the uptime of critical business services?

Know your users

Different business functions have different technical requirements. For example, an application developer may be able to work remotely full-time with just a laptop, while an equities trader may require tools and technologies available only at an office location. In the latter case, they will obviously be limited in their ability to support the business when working remotely.

Firms should identify common themes across different work profiles and build a set of personas based on business functions. The process first involves defining user personas for all key user types and business/IT functions to understand and map system and application needs. Components of a persona include loadset (the dependency on certain technologies), support needs, and hardware and software requirements.

The personas should then be aligned to the service catalog to understand capacity requirements for each key service, standardizing offerings where possible. The data should be leveraged to model remote access scenarios such as financial staff needing full VPN/trusted access to internal accounting systems while sales associates might only need access to cloud-based services. 


Chapter 2

Juggling capacity and load

Cloud-based services and the smart use of regional network hubs can help lessen the strain for some businesses.

As part of business continuity preparedness, firms must stress-test core capabilities and system capacity to simulate a pandemic scenario. During a crisis, active monitoring of remote connections and network load is critical to understanding capacity constraints, and periodic simulations help with fine-tuning technology and processes when one occurs. 

To manage potential challenges, a rapid deployment plan needs to be in place to increase capacity on demand, either by adding new systems or expanding the use of existing platforms. For example, many VPN vendors offer emergency licenses that allow scaling of concurrent sessions on the same hardware while other elastic capacity solutions leverage the commissioning of new hardware through your preferred cloud provider.

Firms with global operations can also choose to push users to other VPN concentrators regionally or around the world to meet demand requirements. Similar adjustments will need to be made for other remote access solutions such as virtual desktops. The ability to increase the number of virtual desktops may be limited within an on-premises environment. Cloud-based virtual desktops could be a viable alternative to address this gap.
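The persona modelling from Chapter 1 and the capacity stress test described above can be combined in a small model. The following is an added example, not part of the original article; persona names, headcounts, concurrency ratios and capacity figures are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Persona:
    name: str
    headcount: int
    channel: str             # narrowest access path that covers the persona's loadset
    peak_concurrency: float  # share of remote staff connected at the busiest hour

# Constructed sample data (assumption), not figures from the article.
PERSONAS = [
    Persona("finance", 400, "vpn", 0.90),            # internal accounting systems
    Persona("operations", 1200, "vdi", 0.85),        # corporate-imaged desktop
    Persona("sales", 900, "cloud_direct", 0.80),     # cloud services only, no VPN
    Persona("trader", 150, "onsite_only", 1.00),     # tools exist only in the office
]

# channel -> (sessions available today, sessions with emergency licences / cloud burst)
CAPACITY = {"vpn": (250, 500), "vdi": (600, 900), "cloud_direct": (5000, 5000)}

def peak_demand(personas, remote_share):
    """Peak concurrent sessions per channel when remote_share of staff work remotely."""
    demand = {}
    for p in personas:
        sessions = round(p.headcount * remote_share * p.peak_concurrency)
        demand[p.channel] = demand.get(p.channel, 0) + sessions
    return demand

def assess(personas, capacity, remote_share):
    """Classify each channel: ok, burst_required, shortfall or no_remote_option."""
    report = {}
    for channel, sessions in peak_demand(personas, remote_share).items():
        if channel not in capacity:
            # Persona has no remote path at all: a business-continuity gap.
            report[channel] = ("no_remote_option", sessions)
            continue
        base, burst = capacity[channel]
        if sessions <= base:
            report[channel] = ("ok", 0)
        elif sessions <= burst:
            report[channel] = ("burst_required", sessions - base)
        else:
            report[channel] = ("shortfall", sessions - burst)
    return report

if __name__ == "__main__":
    for share in (0.2, 1.0):  # business as usual vs. 100% remote working
        print(f"remote share {share:.0%}: {assess(PERSONAS, CAPACITY, share)}")
```

Running the 100% remote scenario against measured concurrency data shows which channels are covered by emergency licensing and which need new capacity or a regional reroute.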

Improving remote worker capabilities

While many firms are most comfortable hosting systems and applications inside their perimeter, there is significant acceleration in cloud transformation programs across the finance sector. Cloud providers are rapidly addressing compliance concerns with enhancements to their services. As those boxes get checked, Windows Virtual Desktop, Office 365 and other cloud services will enable organizations to scale end-user capabilities rapidly to meet the demands of a crisis.  

Key among the organizational concerns being addressed by cloud providers:

  • Many firms still trying to accelerate cloud transformation struggle with regulatory compliance and data security.
  • Many firms are still most comfortable when hosting data and applications inside the perimeter and provide access to users on managed devices from trusted locations.
  • As firms move data and applications beyond their perimeter, tighter security controls must be in place.
  • Firms seek to achieve optimal deployment to the cloud maintaining the required level of security controls while at the same time enhancing the end user experience and allowing greater flexibility.
  • As cloud adoption accelerates, firms achieve greater scalability and speed to market with end user and business capabilities.
  • Solving the risk and compliance needs with cloud services can help organizations scale end user capabilities rapidly in times of need.

With increased cloud adoption, firms achieve greater scalability and can provide end-user and business capabilities more rapidly. The optimal balance for cloud deployment maintains sufficient security while also enhancing the end-user experience. 

Higher volumes of remote workers and a significant increase in network traffic are likely to strain corporate internet connections during a pandemic. Internet connections must be highly stable, carrier-diverse, geographically redundant and robust enough to handle a sustained increase in load.

Separate dedicated internet connectivity may be considered for remote workers. Many global firms have regional internet routing hubs (Americas hub, European hub, Asia-Pacific hub and so on) which can reroute internet traffic if a particular region experiences excessive load conditions during an event.

The speed and quality of an end user’s home internet connection is, of course, another major factor in being able to work disruption-free and collaborate effectively with colleagues. Having the full complement of equipment for the job (monitors, keyboard, mouse, headsets and so on) also helps emulate the office experience, boosting productivity and collaboration.


Chapter 3

Managing remote access risk

Even as remote connectivity ramps up during a crisis, security and risk considerations cannot be neglected.

Whether it’s business-as-usual or a global pandemic, security related to remote access is indispensable. Here are six key risk and control considerations:

1. Build a robust, formally defined operating model across risk and control functions (Three Lines of Defense [3LoD] risk management model + front-line risk/control owners) that is flexible enough to account for the significant impacts to workforce capabilities during a crisis.

  • Prioritize the risk services and processes that must be performed (and by whom) to avoid duplication of effort or accidental coverage lapses in key areas (IT risk assessments, risk reporting and so on)
  • Provide adequate cross-training for risk practitioners to prepare for unforeseen absenteeism and mitigate against the loss of prioritized skill sets, such as risk monitoring, assessment and reporting

2. Identify, assess and address any key personnel-related risks across IT infrastructure and service delivery teams.

  • Determine whether remote workforce strategies and plans are appropriately balanced to counter an excessive concentration of skill sets and responsibilities
  • Ensure training plans are stress-tested to identify gaps in skill sets
  • Act to adequately disperse responsibilities for key services and activities

3. Mitigate access risks as needed in the context of a large remote workforce footprint.

  • Ensure that new IT infrastructure processes and technologies are deployed with consistent access and data protection hygiene, as required by defined standards
  • Assess whether access assignments remain appropriate, and that the principle of least privilege remains enforced. “Break glass” account usage and control should be diligently managed

4. Proactively monitor and manage third-party service levels.

  • For third- and fourth-party providers, confirm SLAs and communicate as needed to proactively monitor and manage adjustments necessary to maintain delivery levels within risk tolerances
  • Ensure risk assessment strategies and processes are revised as necessary to adequately reflect heightened dependencies or service provider criticality levels

5. Maintain engagement with regulatory bodies and ensure compliance requirements continue to be met.

  • Ensure IT owners understand control-level implications in relation to regulatory requirements and standards
  • Maintain communication with relevant IT regulatory bodies to ensure coordination across exam activities, changes to regulatory expectations in a crisis, heightened IT resiliency requirements and so on

6. Ensure remote/home working arrangement risks are mitigated.

  • Maintain the same data protection hygiene while at home (home printing, information destruction, teleconferencing best practices and so on). Employee training and activation of Data Leakage Prevention (DLP) tools may help to prevent irreversible damage
  • Ensure risks to workforce availability and health are understood and addressed; in light of school closures, childcare needs may introduce new constraints or dynamics. Consider dedicated video sessions for employees’ children or special needs. Training employees’ children on internet safety and secure use of video/sharing platforms may also reduce the cybersecurity risk to your organization from malware on employees’ home networks and endpoints

It may be too early to tell what the lasting effects of this most recent crisis will be, but a few things are certain moving forward. A firm’s ability to flex its workforce in a remote capacity, expand in an elastic yet secure manner and know its most critical business functions will ultimately determine how adaptive and resilient the enterprise is.

Summary

Business continuity demands understanding the range of user types, delivering the tools they need and managing network load.