Lessons learned from COVID-19 – practical options and deployment methods for business continuity
Coronavirus took the world by storm, and in terms of IT infrastructure most of us did not expect anything like this to ever happen. Normally, IT departments want to be able to scale up and down and provide IT services in a controlled manner. Instead, many were thrown in at the deep end, and huge issues came to light.
As the country went into lockdown, people were told to work from home in their thousands. For the last 10 or so weeks we have been working with several customers to respond to these overnight operational changes, but I’ve also had some first-hand experience working with healthcare organisations during this time. I wanted to share some of the learnings from this experience.
For those who were used to working from home and were set up with a corporate laptop, this shift to remote working was not necessarily an issue. They had the devices, the hardware and software, the licences, and the training to do their jobs as normal. In some organisations, including the NHS, staff were asked to work from home but had never had a remote IT setup before. They did not have work devices, whether tablet, phone, or laptop; they did not have licences; and they certainly could not access clinical systems on secure government private networks using personal devices.
Whilst having a corporate laptop can alleviate network access issues, it is likely that an organisation’s infrastructure was not designed at the head end, in the centralised office, to cope with every single person working from home, i.e. catering for 100% concurrency. To have this in place, the infrastructure would have to have been hugely underutilised on a day-to-day basis and would be very expensive to provision in the first place.
Practical options and deployment methods
So, if we are going to look at practical steps moving forward, there are a couple of options to plan for the worst-case scenario:
Devices for remote/flexible working:
- Option 1: provision all staff with laptops, with all accounts and licences, whether they are the type of people that would work from home normally or not.
That poses a massive constraint on finance, commercial and logistics, and the likelihood is that you will be heavily over-provisioned for day-to-day usage. Utilisation will be very, very low, and a waste of opex and capex.
- Option 2: move to a more secure and available ‘bring your own device’ policy.
In this scenario, we need to be able to separate business and personal life on a computer, tablet, or mobile device. Most people have at least one personal device at home. The question is how we can leverage the technology that is out there to let people use these devices in dire emergencies, or on a more permanent basis if that is what the future of your operations includes, while still keeping your environment safe.
Not having to provision for one hundred percent concurrency, not wasting money, and having the agility to turn things on, scale up, spin things down and mobilise your staff will give your business the flexibility to respond to any change or incident. But how can we connect these personal devices to the network?
Services such as MDM (mobile device management) have been around for many years. In layman’s terms, MDM is centralised control of a remote device. In the normal case, where it is a corporate device, the enterprise has full control: it can restrict applications, ensure that email is secured, and track and remotely wipe devices.
Maintaining a good security posture gets a little more complicated when someone uses a personal device. In that case, MDM is done mainly at an application level, where the device is enrolled and controlled per application. So, say for example, I have a personal device with all my games, my personal email and my messaging apps, but I also want to consume corporate email services, which are generally very, very secure. MDM lets the enterprise grant that access under its own control: the company can remotely wipe the email services, but it does not have full control of the device, and so avoids the data protection issues you would normally associate with managing a personal device. There are some limitations, and it does require licences, with the associated costs and upkeep; however, it can be mobilised fairly quickly.
Virtual desktop infrastructure (VDI):
Another alternative is VDI. This means that people can use any device to connect to an authenticated virtual desktop, which could potentially be built in a cloud environment, and it gives a full zero trust network architecture (ZTNA) and a full protocol break. Nothing needs to be installed on the personal device, and the infrastructure is protected from any rogue or malicious software on the end device.
A typical scenario is someone pulling out a laptop that has been in a drawer for two years: it has not been updated and there is no antivirus software installed. If that laptop connects to a VDI session, there is a protocol break, so the state of the laptop or mobile device does not really matter. It can still be used, and you still have secure access to the virtual desktop infrastructure.
In the old days, VDI used to be provisioned on physical hardware, potentially in your data centre. That would leave you with the same issues if your whole organisation suddenly started working from home: internet circuit constraints, or infrastructure that is not scalable. Today VDI is available on pretty much every hyperscale cloud service, so it can be provisioned extremely quickly and does not use your existing network infrastructure. Cloud-hosted VDI solutions can be privately connected at the back end to your estate, relieving all the pressure on your network.
Aside from speed of provisioning, VDI scales quickly in the cloud and comes with a lot of governance and security around it. You do not have to build and size everything for 100% concurrency; you can start very low. In fact, you could leave it turned off and invoke it as part of your business continuity plan at the click of a button.
Web Application Firewalls (WAF):
The next one is a WAF. For applications that are genuinely web based and can be published to the internet, is a WAF a good option? A WAF effectively publishes your applications, whether on prem or in the cloud, to the internet securely and with authentication. The constraint is that not all applications can be run through a WAF. The mitigation is that more and more applications nowadays are web browser based (HTTP/HTTPS) or expose some kind of API that runs over those protocols. A WAF is quick and easy to deploy: it can be pre-deployed as part of a business continuity strategy and left turned off, then turned on when the business continuity plan is invoked. Suddenly, you have access to those applications published straight to the internet.
There are pros and cons to all of these solutions, depending on the level of security you need, the maturity of the back-end connectivity, the maturity of the application, how much governance and auditing you need, and the level of detail you get from your logging.
There are lots of technologies that enable you to respond to changing needs and external influences on your business; however, you need to be able to act very quickly, in some cases even beyond your business continuity plan. Now is the time to make sure your infrastructure is ready.
The vast majority of organisations who have been able to scale on demand and turn technology solutions on and off where needed have already made the move to a cloud-based fabric. Now, the challenge is how to take these cloud-based fabrics and services and integrate them securely into your existing legacy on prem infrastructure.
If you are interested in learning more about that, we will be hosting a Digital Boardroom with CIO WaterCooler; you can find more information and register here.
We will be sharing architectural blueprints and use cases for business continuity. We will cover ways to implement them, how to augment your estate in times of crisis, and how to future-proof your network.