To fully protect enterprise data, security teams have to balance two principal security threats: those coming from inside the organization, such as employees handling sensitive data, and those originating from malicious external sources.
Data loss prevention (DLP) capabilities within a broader cloud access security broker (CASB) solution have emerged as the most effective platform for preventing legitimate remote users from accidentally or maliciously sharing business data that could put an organization at risk. Providing visibility into all types of cloud-based applications (SaaS, IaaS and PaaS) running across all types of devices – managed and unmanaged – is a prerequisite for securing business data against insider threats. Add in real-time access control, as well as threat protection for managed apps, and IT has the full toolset needed to fast track cloud adoption while reducing the risk of breaches caused by internal users.
What about external malicious threats? How should we protect against these threat vectors when the workforce is highly decentralized across a multitude of locations and uses a variety of managed and unmanaged devices to access corporate data?
Network security solutions such as firewalls, secure web gateways, and anti-virus software products have been deployed for years to protect against “outsider” threats, i.e., malicious attacks from hackers looking to steal confidential business data. These types of tools were sufficient when users worked on-premises. Accepting the performance and cost downside of using a VPN tunnel for the small percentage of the mobile workforce that needed to access data centre-based applications was a calculated trade-off.
Today, that has all changed: workers are largely remote, business applications are hosted externally in the cloud on an as-a-service architecture (SaaS, IaaS, PaaS), and they are accessed by users carrying three or four types of devices at any one time – both managed and unmanaged. In other words, more and more data is being shared and created outside the traditional enterprise security boundary, running on networks that IT doesn’t own and where the device and access methods are determined by the user.
Together, these changes broaden the attack surface and increase users’ exposure to malicious external threats that are beyond the reach of traditional network security products like firewalls and on-premises SWGs. Such legacy network security solutions use a combination of appliances and passive endpoint agents to inspect network traffic for users in the office or on the go, leading to high management overhead and high latency. Furthermore, encrypted traffic is decrypted and inspected at the gateway, which infringes user privacy.
Fast tracking an agile yet more secure remote workforce requires recognizing the fundamental role that cloud services and mobile access play for today’s users. What’s needed is a converged, less complex solution that fully protects against both insider and outsider threats. That solution is a secure access service edge (SASE) solution that integrates web security (SWG) at the device edge with cloud security (CASB), data loss prevention tools (DLP), threat protection and identity and access management (IAM).
Deploying a SASE layered defense solution gives any organization a more secure, agile, and cost-effective foundation on which to build a productive remote workforce.
To learn more about how you can fast track your remote workforce with Bitglass’ SmartEdge Secure Web Gateway, see the Bitglass website.
*** This is a Security Bloggers Network syndicated blog from Bitglass Blog authored by Jonathan Andresen. Read the original post at: https://www.bitglass.com/blog/pushing-web-security-to-the-edge-is-common-sense-1