nterview: Critical infrastructures in Times of Online Collaboration and Home Office

Critical infrastructures in Times of Online Collaboration and Home Office

The corona crisis is now affecting companies in several ways. Suddenly the home office is part of the work model. Collaboration tools enable what was considered unthinkable just a short while ago. At the same time, the crisis highlights the importance of being well prepared and securing critical infrastructures in organizations in the best possible way. André Grueneberg, Chief Infrastructure Architect at Unbelievable Machine, has the answers to the most important questions and explains the requirements.

André, how do companies secure access to important data across locations – and even from the home office?

A central question in the midst of the crisis. The best way for companies to secure data access and traffic is, of course, to connect their infrastructure widely even in good times and provide their employees with mobile workstations that grant secure access. 

One of the most common problems is that many companies have servers on site, but the company locations are not connected widely. This means they have a normal consumer DSL product with 100 Mbit downstream and a few Mbit upstream. So they guarantee a data traffic that only works for a few people. However, this does not allow scaling for more than five people if they need to access the server from their home office.

What can companies do in terms of infrastructure?

Above all, companies must weigh up their options: Either they provide outsourced data centers where broadband is the standard and where the physical and organizational security of the IT infrastructure can be provided accordingly. 

Or they actually want to have their entire IT infrastructure on site. In that case, they also need to provide a broadband connection to the office location so that they can be reached there even if more employees are working from the home office. They also have to ensure that redundancies are in place in case one line fails. Because at peak times, as is currently the case, network providers often like to say: “Our fault clearance times are just a little longer because people are in the home office”. This is one of the potential problem areas at present.

The basic recommendation for companies is therefore to store data in the data center rather than on servers on site in order to be prepared for such incidents in the future and have constant access? 

Definitely. In the end, of course, this also requires data centers and office locations to be connected via broadband lines. But in case of doubt, this procedure is easier. Once this infrastructure is in place, you can act much faster in the event of a failure.

Assuming that a company is located in a region where no corresponding bandwidth is available. After all, there are still some locations in Germany. 

Unfortunately, there are still far too many – despite the “broadband expansion initiative” promised by the German government since 2005. The affected companies are structurally disadvantaged for the first time. For them it is important to weigh up which application they can and want to optimize. Employees in the home office have the same problem: If they are in the home office and live in structurally weak areas, as far as Internet access is concerned, this does not work either. Whether it is the company location, where 50 people have a poor connection, or the home office of the respective individual, is basically the same. 

It may be easier for a company to get a broadband line than it is for private individuals. Residents have their network provider and few alternatives. A company, on the other hand, may well hire a better line provider to deliver. Even Telekom can do this in structurally weak areas at the appropriate price. This is where companies have to decide how much effective cooperation is ultimately worth to them.

What can companies do to prevent hackers and cyber criminals from opening up gateways through home offices and private households?

The topic has many dimensions, because security does not only concern IT. Imagine, for example, an employee taking his files home with him in paper form. A whole lot can happen with that as well. Even if it’s just that his child accidentally knocks over a glass of coke and soaks the file with it. This can also have expensive consequences – and it makes it clear how difficult it is to safeguard against such dangers that lurk in a household. 

In the end, it’s not much different from the office. The first step should therefore always be to sensitize your own employees to the topic of security. They must be aware of how important this is and what they need to pay attention to. Training is the be-all and end-all at this point.

Also in terms of securing infrastructure and equipment?

Yes, also there. In the company and in the home office, it is essential that work equipment is secured according to the current state of the technology. In most companies, firewalls, virus scanners and so forth are now a natural part of the IT equipment. They have become part of the standard. And exactly the same standard must apply to home office and remote workstations. Notebooks used by employees outside of the office must be encrypted in the same way as notebooks at the office. 

However, it is of course also possible to have a break-in at the office. Potentially even easier. Offices are not occupied at night and are often located in less frequented areas. In contrast to most residential areas, where break-ins tend to occur during the day.

Which is not the big problem in times of home office.  

Precisely. (laughs) In general, you have to be clear about what the individual risk situation is and how you want to protect yourself from it. When it comes to burglary or theft, the situation is similar, but with different signs. Otherwise, it is almost always the human factor that creates security risks. As I said, regular training courses help to prevent this. 

Are there criteria that good training must meet and which companies should consider when selecting a training course?

Training can be provided in various ways. There are face-to-face trainings, e-learning offers and many more, from which every company can choose what suits its own requirements. The most important thing is that the training takes place. Just like the annual occupational safety training that every employee should receive and which is required by the Employer’s Liability Insurance Association, regular safety training is needed with regard to IT use and its dangers.

Does the use of collaboration tools work under this premise? And without downtimes even at peak access times?

As far as broadband connections are concerned, yes. Collaboration also includes video conferencing, which has become part of everyday office and home office life. In this context, most companies rely on ready-made Software-as-a-Service solutions such as Microsoft Teams, Google Meet or Amazon Chime.

When it comes to security, all three providers are very sensitive and emphasize that all relevant global and national regulations, including the GDPR, have top priority. However, risk management within the company is also required here, and it is important to train your own employees accordingly when they use the tool.

The issue of peak access times – basically the strain on IT systems – depends on the classic rules. To manage peaks, for example, I need to have my IT designed accordingly, for example to scale automatically via the different cloud services.

At the beginning of the home office phase, Microsoft teams were suddenly overloaded due to the high access rates. How can this happen despite scaling?

Even with SaaS solutions such as Microsoft Teams, Google Meet or Amazon Chime, scalability problems can occur in extreme situations and with very rapid changes. Companies must always be aware of this. Microsoft Teams, however, got a handle on this problem very quickly and more than doubled the number of users from 32 to 75 million in just two months. This scaling was made possible by the use of container technology. An approach that will make such rapid changes and developments much easier in the future.

You mentioned the “human factor”, which also plays an indirect role in the data center. How can the failure of IT administrators be prevented?

An IT administrator is just a human being. (smiles) And of course people can be absent due to illness – as can happen everywhere in everyday life. Every winter there is a wave of the flu or other illnesses. And there is also staff fluctuation from time to time. In this respect, there is actually always downtime. At least in this respect Corona is nothing special.

It is therefore important to be optimally positioned at all times to prevent breakdowns and ensure the safe operation of the entire infrastructure. 

Exactly. That is our job. After all, our customers rely on us.

This might interest you, too:
Corona and AI: Ravin Mehta on digital exit strategies out of the crisis
Are you prepared for social engineering and the next big corporate hack?
Five drivers of success for the data-driven company 

This post is also available in: German