General Electric recently announced it may "disconnect" as many as 5,000 sites from its corporate network. Is the idea of a secure, corporate network for employees past its prime?
Corporate networks have been a staple of IT departments since the dawn of IT as a corporate function, and it has been assumed that if you have employees, you'll need to provide a secure internal network for them to get their work done. However, many companies like GE are rethinking this strategy, and providing their employees with connections to the public internet rather than a secured network. Here are some of the reasons behind these moves.
The Internet is now the de facto network
I remember when I was first granted access as an employee to the mysterious entity called "the Internet." Multiple forms were completed and duly signed by various supervisors, and I had to have special proxy and monitoring software installed on my company desktop to search AltaVista and be granted an internet email address. With the rise of globally dispersed workforces, telecommuters, and mobile workers, most companies have provided means to access key software and services over public networks for years. In fact, with my last employer I never connected to the physical corporate network, using the internet for everything from email access to cloud-based tools to get work done.
As companies increasingly prepare applications for access from anywhere, a distinct "company network" seems a bit anachronistic, and in many cases presents an administrative burden, as IT must maintain secure server networks, firewalled "DMZ" networks, and semi-secure employee networks that offer little benefit when the tools for external connectivity are already in place.
Physical security really isn't
One of the major drivers for maintaining a corporate network was the theory that it offered additional security. If someone had already made it into your physical facility, a network jack that offered relatively unfettered access to company resources seemed sensible. However, that theory has long been debunked by anything from physical hacking attempts to "sick" laptops brought in by users. In most IT shops, the internal employee network is assumed to be just as "dirty" from a security perspective as the external internet, and assuming otherwise is often highly risky.
Most network security advocates have shifted the focus of IT security from building a virtual wall at the employee device level to placing that wall around the resources themselves and the networks that deliver those services. Simply providing an unsecured internet connection at every ethernet jack and access point lets you stop worrying about what devices could connect to the employee network, and allows you to maintain a single set of security policies and technologies at the service/server level that no longer has to discern between an employee accessing the service from home or from the cube farm down the hall.
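To make the "wall at the service" idea concrete, here is an added illustration (not code from the article or from GE) that evaluates the same access requests under two policies: a legacy rule that trusts anything with an address on the employee LAN, and a resource-level rule that checks identity, MFA and device health and never consults the source network. The address range, service ACL, user names and sample requests are all constructed for the example.

```python
"""Added illustration: the same access requests evaluated under a
network-location policy and under a resource-level policy.
All names, addresses and users here are constructed for the example."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# Constructed: the address range the "employee network" hands out.
EMPLOYEE_LAN = ip_network("10.20.0.0/16")

# Constructed: who may reach which service, enforced at the service itself.
SERVICE_ACL = {
    "payroll": {"alice"},
    "wiki": {"alice", "bob"},
}


@dataclass(frozen=True)
class AccessRequest:
    resource: str
    source_ip: str
    user: Optional[str]     # None: no authenticated identity was presented
    mfa_verified: bool      # identity proven with a second factor
    device_healthy: bool    # endpoint passed a posture check (managed, patched)


def network_location_policy(req: AccessRequest) -> bool:
    """Legacy model: a jack on the employee LAN is treated as proof of trust."""
    return ip_address(req.source_ip) in EMPLOYEE_LAN


def resource_level_policy(req: AccessRequest) -> bool:
    """Service-side model: decide on identity, MFA and device health.
    The source network is deliberately not consulted."""
    if req.user is None:
        return False
    return (
        req.user in SERVICE_ACL.get(req.resource, set())
        and req.mfa_verified
        and req.device_healthy
    )


# Constructed sample traffic: a "sick" laptop plugged into the office LAN
# with no user session, a verified employee working from a home connection,
# and an authenticated LAN user asking for a service he is not entitled to.
SAMPLE_REQUESTS = {
    "infected_laptop_on_lan": AccessRequest(
        resource="payroll", source_ip="10.20.4.17",
        user=None, mfa_verified=False, device_healthy=False),
    "alice_from_home": AccessRequest(
        resource="payroll", source_ip="203.0.113.45",
        user="alice", mfa_verified=True, device_healthy=True),
    "bob_on_lan_wrong_service": AccessRequest(
        resource="payroll", source_ip="10.20.9.3",
        user="bob", mfa_verified=True, device_healthy=True),
}


def compare_policies(requests=SAMPLE_REQUESTS) -> Dict[str, Tuple[bool, bool]]:
    """Return {name: (network_location_decision, resource_level_decision)}."""
    return {
        name: (network_location_policy(r), resource_level_policy(r))
        for name, r in requests.items()
    }


if __name__ == "__main__":
    for name, (legacy, modern) in compare_policies().items():
        print(f"{name:28} network-location={legacy!s:5} resource-level={modern}")
```

The output shows the trade the article describes: the location-based rule admits the infected laptop and the wrong-service request because both arrive from the LAN, while turning away the legitimate remote employee; the resource-level rule makes the opposite decisions, and it would produce exactly the same answers if the office jacks handed out public internet addresses instead.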
Ditching the corporate network
Several IT leaders I've discussed this topic with are initially taken aback. Suggesting that a longstanding function of IT, providing an employee network, be abandoned seems like heresy. After a bit of consideration, however, the fact that the notion of a "special" employee network has lasted so long seems nearly comical given the advent of remote workers, cloud services, and the retrenching of IT security away from the endpoint. You're likely already delivering some or all employee services over public networks, and VPN tools can likely fill any gaps.
Using public networks not only reduces your network maintenance and deployment costs, but removes any remaining illusion that the employee network is "secure." The work required to further harden applications and services will likely pay off in allowing your employees to be productive from anywhere, speeding integrations and expansion, and reducing the cost of maintaining dedicated links that glue the employee network together.
Next: Employee devices
If the assumptions that would allow you to stop maintaining an employee network hold true, the next logical extension is abandoning company-issued computing devices. Many companies have introduced Bring Your Own Device programs for mobile phones, and by moving security and maintenance away from the endpoint, these programs could function in a similar manner with employee devices. While there are challenges ranging from how you'll support employees and provision software, to preventing company data from "walking away," providing company-issued devices will likely become like providing company-issued uniforms and shoes: relevant for some specific jobs but a matter of employee preference for most others.