Your enterprise no longer ends at the door to your organization. Instead it has expanded to include the world at large. This has become even clearer during the past year’s COVID pandemic as thousands of enterprise workers have left the relatively secure confines of their offices to work remotely from homes, vacation spots and other non-office spaces. This has, of course, made for some interesting security challenges. In the past, you may have encountered bring your own device (BYOD) requests where employees wanted to use – and you needed to secure – their mobile devices. Often this meant making policy decisions regarding supporting mobile phones and apps.
Today’s remote working scenarios have made the challenge much more difficult and nuanced. Now you are managing various classes of access and computing activity conducted by a remote workforce that is also increasingly using a multicloud environment for applications, collaboration and communication, and data access.
We have identified three specific security challenges facing enterprises with remote workforces today – all of which share a common theme: They exist at the edge of your traditional enterprise:
- Access – Connecting to and sharing network and enterprise resources.
- Authentication – Providing secure identity authentication and protection from fraud.
- Agility – Delivering a seamless security experience for your workforce, no matter where they are, on premise or remote.
Let’s review the challenges to securely providing Access, Authentication and Agility, and then we will look at an approach to providing remote security, called Secure Access Service Edge (SASE), that can help you meet these challenges.
Remote Access and Sharing Issues
One of the biggest security concerns for IT teams is providing the same level and type of secure connectivity for remote workers and branch offices that has been provided to on-premise workers. Connectivity to remote offices, whether a branch office or a home office, traditionally requires dedicated private lines running a variety of protocols including Multiprotocol Label Switching (MPLS) or site-to-site Virtual Private Networks (VPNs) over an internet connection.
For most remote home workers, remote access VPN is the most common: they use a home router to connect to the internet via a local broadband provider, and then use a VPN client to provide a secure tunnel for office connectivity. Many organizations had their internet head-end circuits sized to handle branch WAN traffic over VPN, but not for their full staff working from home over VPN.
Remote Authentication and Identity Concerns
Email is the most common application used by remote workers. It also remains the most prevalent attack vector for malicious threat actors. While enterprises and (most) home office workers have email security and some type of firewall in place, most email gets delivered unless it has been flagged as spam or malicious content. Today’s advanced phishing tools combined with social engineering techniques and a lack of “someone to ask” may pose an even greater challenge for remote workers than for on-premise workers.
Credential theft, in which an attacker uses the stolen identity of a known contact to commit a data crime, is on the rise. Cisco estimates that 68% of recent enterprise breaches have originated on endpoints, from bad actors leveraging pandemic-themed malware and phishing campaigns [1].
For example, an email that appears to be from a company executive regarding new COVID policies may not be as easily confirmed by a remote worker who then mistakenly acts on its malicious payload or instructions. This problem can grow exponentially as thousands of remote workers receive similar phishing – or more targeted spear-phishing – emails making identity- and authentication-type requests including password changes, redirects to malicious sites, updates for outside payments or payers, and other similar fraudulent acts.
Remote Seamless Security Experience Challenges
When it comes to delivering an agile computing experience for your on-premise and remote workforce, how you select and provide security can make all the difference. You want to make the computing experience as seamless as possible without resorting to lowering your security profile. This means ensuring that, whether an employee is on-premises or remote, they will experience the same level of security and authentication when logging into and accessing your enterprise network and applications.
However, access must be seamless across multiple user equipment types, whether that includes workstations, laptops or mobile devices. You will also need to determine access levels for organization-supplied, sanctioned and unsecured BYOD device types. Beyond the user devices, you need to be able to provide secure access to enterprise resources.
SASE: A Cloud-Native Approach to Enterprise Security
Secure access service edge (SASE) provides a cloud-native alternative to traditional on-premise data-center and endpoint security models. This is important, because as your users, devices, applications, and data are increasingly located beyond the walls of your enterprise, you need a modern and scalable security model designed to provide edge-to-edge security.
By integrating networking and security into a service that is cloud-delivered, SASE offers greater data protection and increased performance across the entire enterprise network, including your data center, on-premise workers, branch offices, remote workers, and roaming users.
SASE delivers networking and security functions that are traditionally offered through separate solutions via an integrated cloud service. Some benefits you can expect from SASE include:
- Reduced costs and complexity
- Centralized orchestration and real-time application optimization
- Secure seamless access for users
- Additional secure remote and mobile access
- Restricted access based on user, device, and application identity
- Improved security by applying consistent policy
- Increased network and security staff effectiveness with centralized management
Let’s see how SASE can resolve our three remote workforce security challenges.
Delivering Secure Remote Access
Part of the SASE model is the use of secure and cost-efficient software-defined wide area networking (SD-WAN) technology to deliver connectivity to remote workers, whether they are at a branch office or a home office. Unlike traditional wide area networking, SD-WAN enables your users to connect to your network without forcing all traffic through your headquarters or data center. Additionally, SD-WAN delivers internet access at a lower cost without the need to backhaul through your network using expensive carriers. Instead, using a Secure Internet Gateway (SIG) in the cloud, your users can take advantage of the flexibility and lower cost of direct internet access (DIA) by connecting with internet and public cloud resources directly through the SIG. You can integrate your branch with a cloud SASE solution at the branch office or home office rather than a central location because your security now exists in the cloud.
To provide greater security for your users, you can employ a cloud access security broker (CASB) that adds an additional security layer to approved or sanctioned cloud applications, and prevents things like shadow IT, data loss, and accidental public sharing of sensitive data. This extends your on-premise security and protection to devices, remote users, and distributed locations anywhere. By enforcing your security and access policies for public cloud application access and usage, a CASB solution provides a way to identify and disable risky applications that could compromise your enterprise. Additionally, by applying advanced web filtering at the Domain Name System (DNS) level, you can deliver real-time internet threat detection and mitigation to your remote users.
Securing Remote Authentication and Identity
The second important aspect when securing your remote workforce is defining a way to prevent identity and credential theft and provide fraud protection. In this case, the use of strong multifactor authentication (MFA) delivered via the cloud is the right solution to consider for your remote workforce. With MFA, your users are required to provide two or more factors of authentication — something they know (a knowledge factor, such as a password), something they have (a possession factor, such as a security token) and/or something they are (an inherent factor, for example, a fingerprint) — before they may access enterprise resources.
MFA typically uses the primary factor of a username/password tightly coupled with a second source of validation, such as a mobile phone or hardware token, to verify user identity before granting access to an enterprise resource. MFA provides a foundation that includes rapid onboarding, self-enrollment and self-management – all perfect for your remote workers. MFA is used by all types of organizations and can be purchased for a small monthly per-user rate. Most importantly, MFA provides a simple, streamlined and frictionless login experience for every user and any application, whether on-premise or in the cloud, all while integrating easily with existing technology.
Providing a Smoother Remote Security Experience
Making security easy for users is critically important, because it improves your security posture and minimizes risks to your business. Providing a more seamless experience via SASE solutions for secure connectivity can include both SD-WAN integration at the branch, and the simple use of an agent that runs in the background of your end users’ workstation, mobile, and remote devices to detect when they are on-premise, remote or roaming.
You get the benefit of offering the same level of protection in each scenario. Your in-office, branch or at-home users can then access applications and data from behind your secure internet gateway, yet the entire process is seamless to them.
The key to SASE is its cloud-native delivery – all your security controls and functions live in the cloud and can be accessed from anywhere.
Post written by Cory Kramer, Principal Architect, Cybersecurity at Logicalis US
[1] Cisco blog: Securing Remote Work: Questions You Should Ask