Not even global pandemics last forever. “My advice to companies right now is to really think about what will happen next,” said Fortinet VP and Global Field CISO Jonathan Nguyen-Duy. “What are they going to do to shift operations so they’re more resilient? How are they going to do cloud migration — what workloads can be migrated into the cloud, whether it’s public or private? And then begin putting together the resources to do that.”
In addition to being a CISO for a leading security vendor, Nguyen-Duy also has a background in pandemic planning. As the coronavirus spread and governments around the globe enacted stay-at-home mandates, Nguyen-Duy said he noticed a couple of things in common among enterprises and service providers that successfully sustained their operations with newly remote workforces.
“They had a business continuity plan that did stress for the ability to manage a much more remote workforce in the case of a disruption,” he said. “And the second aspect is that a lot of the ones who are using technologies like Fortinet offers were able to scale their remote capabilities seamlessly.”
Strain on CISOs

These Fortinet customers easily added virtual private networking capabilities and virtualized security, which then allowed them to shift more of their workloads to the cloud, he added. “So I think that the first lesson from this is going to be that the companies that were already migrated to the cloud, or were cloud natives to begin with, had a distinct advantage over companies that weren’t, and that were struggling to do not only remote working but also cloud migrations in the midst of a disruption like this pandemic.”
However, this puts added pressures on cloud architects, CISOs, and service providers because “companies are all going to want to be cloud native literally overnight,” while service providers and vendors must be able to scale to meet this increased demand, Nguyen-Duy said.
It also emphasizes pre-existing shortages within the ecosystem, including the lack of skilled security professionals and cloud architects. Neither of these is new or COVID-19 induced, but they will be exacerbated by the pandemic.
“But it also means that from a security operational perspective, we’re going to be much more hybrid, and then ultimately cloud centric,” Nguyen-Duy said. This requires a highly distributed security architecture that puts security wherever the data is generated, used, and stored. Fortinet calls this “security-driven networking,” and it’s necessary because the “new normal” will be a distributed, mobile workforce, Nguyen-Duy said. Work is no longer a place. It’s something we do from anywhere.
Why Zero Trust Matters

Additionally, securing networks and corporate resources in this type of environment means companies should adopt a zero-trust framework, he explained. This starts with the assumption that cyberspace is a hostile environment.
“You should presume that your devices have been compromised, your network has been compromised, and the identity of your users has been compromised, so that you cannot trust anything,” Nguyen-Duy said. “Zero trust means that the presumption is that everything is hostile until verified, so there’s no trust before verification. And even after that, you continually assess the risk of that session.”
Although zero trust security has been around for over a decade, it’s received a lot of attention lately because of the pandemic and the related spike in remote workers. This approach assigns rules and policies to workloads, virtual machines (VMs), or network connections, and then allows only the necessary actions and connections in a workload or application while blocking everything else. It provides high levels of assurance that only the correct users and devices are accessing what they need without requiring physical access.
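To make the default-deny and continuous-assessment ideas above concrete, here is an added sketch that is not from Fortinet, Google, Microsoft or the article. The workload names, roles, risk weights and the `RISK_LIMIT` threshold are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed allowlist: (workload, action) -> roles permitted. Anything absent is denied.
POLICY = {
    ("payroll-db", "read"): {"finance"},
    ("payroll-db", "write"): {"finance-admin"},
    ("build-server", "deploy"): {"release-eng"},
}
RISK_LIMIT = 50  # hypothetical threshold; a request scoring above it is refused

@dataclass
class Session:
    user: str
    role: str
    user_verified: bool      # e.g. MFA succeeded
    device_verified: bool    # e.g. managed, patched device
    usual_countries: frozenset
    risk: int = 0

def assess_risk(session, country, hour):
    """Re-score the session on every request from where and when it arrives."""
    score = 0
    if country not in session.usual_countries:
        score += 40          # unfamiliar location (assumed weight)
    if hour < 6 or hour >= 22:
        score += 20          # outside assumed normal hours of 06-22
    session.risk = score
    return score

def authorize(session, workload, action, country, hour):
    """Return (allowed, reason). Every path that is not explicitly allowed denies."""
    if not session.user_verified:
        return False, "user identity not verified"
    if not session.device_verified:
        return False, "device not verified"
    allowed_roles = POLICY.get((workload, action))
    if allowed_roles is None:
        return False, "no rule for this workload/action (default deny)"
    if session.role not in allowed_roles:
        return False, "role not permitted by rule"
    if assess_risk(session, country, hour) > RISK_LIMIT:
        return False, "session risk too high, re-verification required"
    return True, "allowed"

if __name__ == "__main__":
    s = Session("alice", "finance", True, True, frozenset({"US"}))
    print(authorize(s, "payroll-db", "read", "US", 10))
    print(authorize(s, "payroll-db", "read", "BR", 23))  # same session, new context
```

The second call shows the point of continuous assessment: a session that was verified and allowed a moment ago is refused once its context changes.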
Last week Google made available an enterprise product based on its BeyondCorp zero-trust approach that it has used internally for almost a decade. Other companies including Duo Security (now owned by Cisco) have been selling their own products based on BeyondCorp for years.
And earlier today Microsoft touted its zero-trust approach that helped it accommodate a tenfold influx in its remote workforce because of COVID-19. The tech giant spun up 32,000 virtual desktop infrastructure sessions in two days while only needing to increase its virtual private network capacity 1.5 times.
Focus on Outcomes, Not Products

Nguyen-Duy suggests focusing on outcomes rather than underlying technologies or specific products. But in general, he says zero trust requires technologies to identify and authenticate users and devices and to detect anomalies in user and device behavior: which network resources they access, as well as when and from where.
“There’s lots of ways of doing it,” he said. “I think Fortinet’s Security Fabric and our solutions from endpoint to SIEM [security information and event management] to network access control and artificial intelligence do that. But it’s going to be the CISO that will have to combine these technologies and combining multiple vendors to get to one outcome is not inherently viable.”
Because of this, he suggests a security-fabric based approach that uses orchestration and artificial intelligence “because there aren’t enough people. AI can sift through vast amounts of data and help automate the more mundane things.”