The mobile workforce has been growing over the years, but recent events, like COVID-19, have led to a sudden increase in remote workers, with many companies not prepared or able to quickly adopt technologies to securely enable the transition.
For companies seeking to securely connect and scale remote workforces – either temporarily or for the long haul – one option to consider is a cloud-based service. A Secure Access Service Edge (SASE) provides a fundamental solution for this need, as it combines networking services and security services delivered from a single cloud platform.
Remote Working Evolves
Years ago, working with technology and protecting users was relatively simple. Users commuted into an office where they used stationary desktop computers to access company resources via local area networks. As time went on, users were able to gain some mobility with laptops and occasionally connected to corporate resources with virtual private networks (VPNs).
Even before its recent rise, remote work was becoming more popular. The 2019 State of Remote Work Report revealed that 42% of remote workers plan to work remotely more frequently than they currently do in the next 5 years, and that more than half of on-site workers want to start working remotely. Not only are users becoming more mobile, they are using multiple devices, such as laptops, tablets and smartphones, in order to be productive. Additionally, applications have been moving out of the data center to the cloud, adding to the complexity.
SASE: Providing Connectivity with Security
Traditional VPN technologies can still be used to apply some level of security and access but are not ideal for the rapidly changing environment and increasing performance expectations of users. The need for direct to internet connectivity from anywhere on any device, securely, has led to the adoption of technologies like Software Defined Perimeter (SDP) and Zero Trust Network Access (ZTNA). ZTNA is a fundamental component of a SASE solution to implement the “never trust, always verify” philosophy and authenticate access to the cloud, restrict access and minimize data loss. ZTNA provides users access to organizational resources located in public or private clouds while the company has complete inspection and security over the data being accessed. However, ZTNA products based on an SDP can lack content inspection capabilities needed for consistent protection.
Some vendors blur the lines between the two technologies, but you should ask a few questions before adopting a solution, especially if rapidly deploying to previously unmanaged or unknown devices:
- Does the solution allow for specific controls on what applications and protocols a user/group can access? Traditional VPN brings users fully onto the network with no control of their lateral movement. Segmented application access is essential for security purposes.
- Can my users access SaaS, Private Cloud and Public Cloud applications securely from a point of presence (POP) relatively close to their physical location? Modern users have high standards for user experience and bandwidth. As applications move out of the data center, applying security close to the user is essential to enable user productivity.
- Is it possible to inspect my traffic to ensure that malware prevention and data loss prevention (DLP) policies are applied? Remote access creates an additional threat vector to organizational resources. If traffic is not inspected to apply DLP and antimalware policies, the attack surface is significantly increased.
- Does the solution have functionality for unmanaged device access? Users may require the ability to work using unmanaged devices, especially in critical situations. Allowing secure access to resources from unmanaged devices can reduce or eliminate shadow IT while enabling user productivity.
- Can my vendor handle peak bandwidth without disruption or outage? As we have seen with COVID-19 response, some vendors are unable to handle significant increases in usage as organizations onboard remote users. It is critical that your vendor can dynamically scale to handle these situations and prevent service disruption.
- Does the solution provide the ability to connect to endpoints for troubleshooting or management needs? Being able to connect to endpoints is extremely valuable for troubleshooting, management and support purposes to help you provide support for your users when they need you the most.
- How difficult is it to implement and transition from my hardware VPN solution? Real world factors need to be considered when selecting a vendor. Ease of deployment, ease of management and time to value are key areas for any organization to evaluate. Ideally, SASE solutions should be manageable using as few administrative interfaces as possible and be quick to deploy based on existing policies.
A True ZTNA Approach to Secure Connectivity
By considering these questions, you can ensure you are adopting a true ZTNA approach that will enable you, when ready, to onboard a SASE vendor. SASE is critical in enabling your users to work remotely with limited bandwidth disruptions and provides security while accessing the Internet, SaaS applications, cloud applications and private data center resources. As practitioners, we must enable our users to be productive while ensuring we take all the necessary security precautions. If a “Zero Trust” vendor isn’t inspecting traffic, are they really providing secure access?
Learn more about securing remote users without compromising connectivity.
This blog is part of a series explaining the modern realities of cloud security. Read the previous entry, “Why Proxy-Based Firewalls Are Not Enough.”