Short-term crisis response as long-term strategy

April 1, 2020

These past few weeks have been chaotic for everyone both personally and professionally as the world responds to the threat of the coronavirus (COVID-19). While individuals have focused on protecting themselves and their families, organizations have scrambled to manage an increasingly dispersed workforce and deliver on company objectives in the face of rapidly evolving requirements.

As a national consulting firm that works solely in identity and access management (IAM) with a large variety of organizations, we’ve seen the challenges play out across all our clients’ industries. Having to change employees’ work location and availability virtually overnight is stressful for any organization, but it’s been especially stressful for those unprepared to respond with the appropriate plans, processes, and tools.

going remote in a day

One client, for example, had to figure out how to grant remote access to 4,500 corporate users who had never needed it before. Leadership gave them just one business day to figure it out and get it done. Here’s a short list of the challenges this presented:

  • Existing VPN services had a max capacity of 500 users 
  • Virtual Desktop Infrastructure had only been production-tested to support a few hundred concurrent users
  • No widespread corporate-owned inventory of phones or laptops
  • A help desk not staffed for the surge of support needed to setup VPN and remote desktops on personal devices

responsiveness requires agility 

The client’s capable IT managers needed to take steps that would surely sound familiar to many of you. For example, they:

  • Quickly checked the sizing of critical infrastructure that would be stressed under the wave of remote workers (VPN servers, VDI infrastructure) to ensure that it’s ready for the extra load. They spun up additional infrastructure to balance the anticipated increase.
  • Reached out to remote work software vendors (Zoom, Webex, Microsoft, Citrix, etc.) they could use for a temporary reprieve or to up-size existing licensing.
  • Quickly identified massive, repeatable tasks—such as setting up users in VPN and deploying automated scripting where no automation tools were in place. They built a rapid response team to tackle the automation tasks faster.
  • Reviewed which remote work tools would require hard devices, such as a hard VPN token, and reached out to vendors asking for a soft version that could be deployed quickly.
  • Identified internal-only data stores (shared files and other data) and prepared to move it to the cloud with tools like OneDrive, Box, Dropbox, AWS, etc.
  • Kept tabs on employee morale, and scheduled remote “social sessions” to make sure everyone feels connected and able to accomplish real work.

The keys to this kind of response are being agile and flexible. Sure, this is easier said than done, but flexing your IT staff to focus on the most important challenges and encouraging teamwork to overcome these challenges is how we all get through any crisis.    

short-term response as long-term strategy

It’s also important to consider the changes this crisis already has provoked, and whether these changes will become permanent or recur again in the future. 

As people travel with increasing ease and frequency it’s reasonable to expect these types of pandemics will continue, and the cycle of crisis and response could become the “new normal”. By some estimates, the threat of COVID-19 is forcing nearly 70 million Americans to work from home; undoubtedly some of them may not return to the office even when the threat has dissipated. Remote work could very well become the new normal in organizations that previously hadn’t even considered WFH policies.

As IT leaders, we will need to plan for future crises and also realize the impact our responses could have. Changes made to manage this current crisis will introduce new expectations around remote work and being able to rapidly manage users’ identity and access needs. It’s possible that the short-term response to this crisis will become your organization’s long-term strategy.

maintain a state of readiness to respond

Thinking about this in a longer-term strategic way means being ready for it to happen again: putting processes and tools in place to quickly adapt and change. It’s more important than ever to certify appropriate access on a regular basis. Tools to manage access—especially privileged access—become even more critical. As many more users are given remote access into corporate infrastructure than ever before, “identity is the new perimeter” isn’t so much a warning as a truth.

This readiness requires planning, strategy, and tactical steps for execution that make responding and managing as painless as possible. Companies that successfully execute on a strategy for readiness can introduce workflows into their tools that allow fast changes across their entire user population. You can give users the ability to work from home, onboard a new application quickly, set up user access, and revoke access as appropriate. 

In addition, organizations following a comprehensive IAM strategy can add levels of control for privileged accounts and monitor access to ensure it isn’t abused. Privileged access management tools maintain the required velocity of change while also reducing risk to the organization overall. This kind of velocity and control is quickly becoming the new baseline for businesses.

stay safe out there

We hope that your organization has been able to respond and provide the support needed for these rapidly changing identity and access use cases. Once this crisis passes and you’re ready to think about improvements inside your business, please know that we’re here to help. After all, we’re all in this together. We wish you good health during these times.