Hybrid and remote working have become a mega-trend -- what are the security implications for today's enterprise?
Remote and hybrid working patterns have extended the corporate world into every home and user device, and as the global pandemic recedes, this is a trend that is here for the long term.
In fact, it is hard to overstate the pace and extent of digital transformation undergone by the enterprise environment in the past two years. As 2022 unfolds, the daily working experience for employees looks very different to the way it looked before the pandemic.
Why "the network" has become irrelevant
Now that the hybrid environment has evolved employees can be anywhere; in the office, at home, on a train or in a coffee shop. From a security point of view, locking down the enterprise perimeter and securing network access is no longer what matters; to some extent the network has become almost irrelevant, instead the focus is now around securing applications. At the same time, organizations need to harness the power of applications, they need to be highly productive with fast and easy access to the applications they need to do their job. This is not only essential, it is foundational to becoming a modern digitized business.
To enable this environment, businesses need reliable network access from the edge to the core and security based on a Zero Trust model to ensure robust, efficient and secure access to essential business applications from wherever employees are located.
As enterprises have accelerated their digital transformation initiatives the number of possible attack vectors has grown, as digital systems need to have multiple access points for customers, partners, and employees, and this has created a vastly expanded attack surface. As a result, cybercrime has escalated, and a record-breaking number of data breaches of increasing sophistication and severity are taking place year-on-year.
Operating on a Zero Trust basis
The stark reality is that this new hybrid workforce brings an increasing level of risk. With work happening at home, the office, and almost anywhere, and cyberattacks surging, security must be the same no matter who, what, when, where and how business applications are being accessed. Now that the security control organizations once had has quite literally left the building, this makes it critical that each and every connection operates on a Zero Trust basis. Cybersecurity leaders have historically called this "default deny", which it still is. Only now, thanks to cloud platforms that tie user and device identity into the equation, the controls to make it a reality are both scalable and elegant.
What we mean by Zero Trust is that organizations effectively eliminate implicit trust from their IT systems, and this is replaced or embodied by the maxim 'never trust, always verify'. In practice this means only trust those who have appropriate authority to access. Zero Trust recognizes that internal and external threats are pervasive, and the de facto elimination of the traditional network perimeter requires a different security approach. Every device, user, network, and application flow should be checked to remove excessive access privileges and any other potential threat vectors.
Nevertheless, working with a remote workforce isn’t a new concept. There are plenty of visionary enterprise organizations that have been thinking about this issue for a long time, but sophisticated solutions haven’t always been available. In the past, enterprises relied on Virtual Private Networks (VPNs) to help, albeit minimally, solve user trust issues, but now the time is right to re-think enterprise security models in light of the modern security solutions that are available which can be implemented easily and cost-effectively.
Rewind to the security backstory
Ultimately, any high-level security model really breaks down into a trust issue: Who and what can I trust? - the employee, the devices, and the applications the employee is trying to connect to. In the middle is the network but today, more often than not, the network is the internet. Think about it. Employees sit in coffee shops and log onto public browsers to access their email.
So now what organizations are looking for is a secure solution for their applications, devices, and users.
Every trusted or 'would-be trusted' end-user computing device has security software installed on it by the enterprise IT department. That software makes sure the device and the user who is on the device is validated, so the device becomes the proxy to talk to the applications on the corporate network. So now the challenge lies in securing the application itself.
Today’s cloud infrastructure connects the user directly to the application, so there is no need to have the user connect via an enterprise server or network. The client is always treated as an outsider, even while sitting in a corporate office. The servers never even see the client’s real IP address (because they don’t need to) and even data center firewalls are of far less value as the Zero Trust model, and expertly applied policies and controls, are now exponentially better.
Death to the VPN!
In this new construct the VPN dies, thanks to Zero Trust Network Access (ZTNA), and networks become simplified with lower operational running costs, thanks to SD-WAN.
So, does the old client VPN truly die? Yes, it does! The reason is that we are now only concerned with what we trust: the user, their device, and the destination. Notice that "the network" isn’t part of that. Why? Because we don’t trust users or their devices any more on the corporate network than we do on public networks. So even when connected to a LAN port on the desk, they have the same seamless security posture and always-on application (not network, but application) access that they would if there were on public Wi-Fi.
Just as film is no longer used for taking pictures, VPNs are no longer the future for application access. Everyone now sees that the real need is not for users to access networks, but rather just to access the applications as though they are all cloud accessible. That’s the Zero Trust-based future for us all.
Most enterprises realize that it is time to enhance remote access strategies and eliminate sole reliance on perimeter-based protection, with employees instead connecting from a Zero Trust standpoint. However, most organizations will find that their Zero Trust journey is not an overnight accomplishment -- particularly if they have legacy systems or mindsets that don’t transition well to this model.
That said, many companies are moving all or part of their workloads to cloud and, thus, greenfield environments. Those are the perfect places to start that journey and larger organizations, with complex IT environments and legacy systems, might see the road to Zero Trust as a multiphase, multiyear initiative.
This is where organizations can work with partners, like Xalient, to assist with implementing security controls and Zero Trust models in the cloud.
In today’s hybrid environment, implementing a Zero Trust approach enables organizations to start to really drive down the risk factors while ensuring the enterprise is future-proofed for 21st century business. With cyber threats only set to escalate, this peace of mind is essential.
Kevin Peterson is Senior Cybersecurity Strategist, Xalient. Xalient's Zero Trust Framework provides a firm security foundation to underpin digital transformation initiatives, helping organizations take their first steps towards becoming a Zero Trust connected enterprise. It does this by addressing common areas of compromise between a user or device and the application or data source being accessed or consumed. And it does it wherever the users, devices, data and applications are located.