The year 2020 is likely to go down in history as one of the most memorable and pivotal periods in generations, due to the COVID-19 pandemic that has affected everyone and everything on the planet, in myriad direct and indirect ways.
Social distancing, masks, shelter-in-place mandates, virtual learning and restrictions on public gatherings at restaurants and sporting events, and many other changes have profoundly impacted our daily lives, both personal and professional. Work-from-home (WFH) initiatives have blurred—if not completely erased—the neat divisions between work and personal time and space. While technology enables many workforces to operate from home, it also creates new opportunities for hackers and cyberthreats.
For organizations committed to keeping their workers both safe and productive, the need to securely connect remote users suddenly became a top priority. More than half a year into the pandemic, some workers in some areas have returned to their offices, but an overwhelming majority are still—or again—logging many work hours from home. This new normal of home-office/personal-professional convergence has stressed organizations, especially IT and operations groups that must provide the tools to support remote work without compromising security.
Of course, no one knows exactly what the new normal will look like in the post-COVID-19 period, when it arrives. In all likelihood, however, more employees will work from home, at least part of the time. And the need to securely access dispersed corporate resources, through a variety of managed and unmanaged computing devices, will surely grow.
The tough security questions the pandemic has brought to the fore have not been resolved and have no easy answers: How can organizations keep users connected to the mission-critical resources they need to remain productive while ensuring a sufficient level of cybersecurity protection? And how can they do this regardless of when, where and from what type of device, managed or personal, users connect to corporate applications and resources?
Creating a Unified and Secure In-Office/WFH Playing Field
The pandemic has undoubtedly accelerated digital transformation initiatives for most organizations, especially when it comes to migrating resources to the cloud and enabling anywhere, anytime access for their employees.
This move to the cloud aligns with and generates momentum for adoption of secure access service edge (SASE) solutions, which converge enterprise networking and cybersecurity technologies and deliver them as a global cloud service. As Gartner initially highlighted in research published in August 2019, SASE reduces enterprise complexity. The service is always on and interconnects with any eligible device via the cloud. As a result, SASE delivers security and connectivity at a lower total cost of ownership than other solutions, provides a better end user experience, and increases organizational productivity.
Surf the Wave of the Future Without Ditching Networks that Have Served You Thus Far
While SASE represents the wave of the future, at present, much enterprise networking is still earthbound. Even as they transition more activity and resources into the cloud, organizations need pragmatic solutions that work with existing infrastructure, enable simple and secure access and are future-compatible.
To conceptualize the secure access needs of enterprises during this transitional period and beyond, it is helpful to consider the interaction between the location of the user requiring access to enterprise computing resources and applications and where the resources and applications themselves are located.
The access needs of modern enterprises can be visualized as a 2×2 matrix, with four possible scenarios that must be secured (Figure 1). Each scenario leads with the user location, with the second descriptor indicating the location of the organization’s resources and applications:
- Out-to-In: Users working remotely who need access to private applications or resources that reside within the enterprise local area network (LAN).
- Out-to-Out: Users working remotely who need access to corporate applications that are located on the public cloud or the internet.
- In-to-Out: Users working in the office, connected to the enterprise LAN, who need access to corporate applications on the public cloud or internet.
- In-to-In: Users working in the office, connected to the enterprise LAN, who need access to corporate applications located on the enterprise LAN.
How can organizations enforce uniform, secure, least-privilege access for authenticated users under every scenario? How can businesses taking a gradual approach to digital transformation affordably enable users to access resources they need, regardless of the user’s or resource’s location, without multiple scenario-specific solutions that add unwanted complexity and costs?
Let’s dive into each of these four scenarios to understand the issues and propose possible technologies and approaches to resolve some key challenges in each.
The least-privilege dilemma
For the Out-to-In scenario, the basic challenge for organizations is how to efficiently enforce least-privilege remote access—a key tenet of zero trust—for authenticated users.
Today, most remote access solutions grant overly broad access to corporate applications, implicitly trusting all users who authenticate onto the enterprise network. The answer, of course, should be identity-based authorization, with individualized policies based on each user’s unique needs. Creation and ongoing management of granular, per-user authorization policies, however, is a daunting administrative task, particularly for organizations that must enable access for thousands of geographically dispersed users that include contract workers and consultants, as well as employees.
While many organizations are investigating zero-trust network access (ZTNA) solutions, this administrative task is a significant barrier to true least-privilege implementations. For this reason, many ZTNA solutions, such as software-defined perimeter (SDP) technologies, are deployed with their “out-of-the-box” configuration enabling any-to-any access. Unless these access policies are individually configured, their least-privilege advantage over existing virtual private networks (VPNs) and next-generation firewalls (NGFWs) is negligible, since all connections have application-level visibility to all resources.
Most network security solutions provide the ability to set group and user-level access policies for applications and other IT resources such as databases. For large organizations, group-level policies are easier to create, assign and manage, and many IT administrators opt for this simple per-group authorization approach.
This type of coarse-grained authorization policy, however, is rarely ideal. Access needs of individual users frequently vary widely within a large group, leaving IT administrators with a dilemma: opt for group-level access policies and deal with a constant stream of exception requests from users and/or some likely over-privileged access, or add sub-groups that increase operational overhead, create entity sprawl and expand the organization’s attack surface—but still do not enable true least-privilege access.
Automating end-to-end creation, management and enforcement of granular, per-user policies is the optimal way to address the authorization policy overhead dilemma. Automated “learning mode” authorization solutions based on machine learning (ML) and artificial intelligence (AI) add truly granular least-privilege, default-deny capabilities to existing enterprise remote access solutions such as SDPs and VPNs/NGFWs.
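The "learning mode" idea above, as an added example (not from the article or any product): it derives per-user allowlists from an observed access log, enforces them default-deny, and measures how much unused access the group-level policy grants. The group, users, resources, log and the `min_hits` threshold are constructed assumptions, and a simple frequency threshold stands in for the ML/AI the article mentions.

```python
from collections import Counter, defaultdict

# Constructed sample data (not from the article): group-level grants and membership.
GROUP_POLICY = {"engineering": {"git", "ci", "wiki", "prod-db", "billing-api"}}
MEMBERSHIP = {"alice": "engineering", "bob": "engineering", "carol-contractor": "engineering"}

# Constructed access log observed during the learning window: (user, resource).
LEARNING_LOG = [
    ("alice", "git"), ("alice", "git"), ("alice", "ci"), ("alice", "ci"),
    ("alice", "prod-db"), ("alice", "prod-db"),
    ("bob", "git"), ("bob", "git"), ("bob", "wiki"), ("bob", "wiki"),
    ("bob", "billing-api"),  # single hit: below threshold, goes to review
    ("carol-contractor", "wiki"), ("carol-contractor", "wiki"),
]

def learn_policy(log, min_hits=2):
    """Build per-user allowlists from resources seen at least min_hits times."""
    policy = defaultdict(set)
    for (user, resource), n in Counter(log).items():
        if n >= min_hits:
            policy[user].add(resource)
    return dict(policy)

def group_allows(user, resource):
    """Coarse-grained check: anything the user's group is granted."""
    return resource in GROUP_POLICY.get(MEMBERSHIP.get(user), set())

def user_allows(policy, user, resource):
    """Default-deny check: unknown users and unlisted resources are refused."""
    return resource in policy.get(user, set())

def over_privilege(policy):
    """Resources each user can reach via the group but did not need."""
    return {u: GROUP_POLICY[g] - policy.get(u, set()) for u, g in MEMBERSHIP.items()}

def review_queue(log, policy):
    """Observed accesses that did not make the allowlist; route to an admin."""
    return sorted({(u, r) for u, r in log if not user_allows(policy, u, r)})

if __name__ == "__main__":
    learned = learn_policy(LEARNING_LOG)
    for user, extra in over_privilege(learned).items():
        print(f"{user}: group grants {len(extra)} unused resource(s): {sorted(extra)}")
    print("needs review:", review_queue(LEARNING_LOG, learned))
    # Same request under both models: a contractor session asking for prod-db.
    print("group policy allows:", group_allows("carol-contractor", "prod-db"))
    print("per-user policy allows:", user_allows(learned, "carol-contractor", "prod-db"))
```

The review queue is the administrative cost that remains after automation: accesses seen too rarely to be learned still need a human decision rather than a silent grant.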
Limiting lateral movement once access is granted (or seized)
Another challenge related to remote access is the excessive resource visibility given to all users, authorized or unauthorized, when they gain access to a network. The “flat” unsegmented nature of most networks creates an easy means of lateral movement, which dramatically expands an organization’s attack surface. ZTNA solutions work by creating a dark network, making applications and IT resources invisible to any unauthorized user and eliminating attack surfaces. Organizations can complement their traditional enterprise VPN/NGFWs with these types of microsegmented access security controls to cloak resources while continuing to leverage their current infrastructure investments.
Most ZTNA deployments have focused on the Out-to-In remote access scenario, replacing VPNs and NGFWs in some key situations using SDP-based solutions, which have gained currency as the up-and-coming solution for remote access needs. However, while it excels at establishing secure connections and cloaking unauthorized resources (if granular policies are properly configured), SDP primarily addresses the north-south data traffic heading in and out of the enterprise network, and not the other scenarios in our 2×2 model.
Securing SaaS Access
With increased enterprise adoption of public cloud services and sanctioned SaaS applications, organizations need to formulate and enforce policies for securing remote access to these applications, especially by users utilizing unmanaged personal devices. To address this issue, organizational IT administrators have turned to a combination of cloud access security broker (CASB) technologies, endpoint agents, reverse proxies, data loss prevention (DLP) and more as a way to secure any-device, anytime access for remote users to cloud applications.
The increasingly prevalent scenario of remote users connecting to SaaS applications such as Salesforce utilizing unmanaged devices is particularly challenging. For this access path, most CASB solutions lean on an approach that rewrites SaaS application locations using vanity URLs, which allows for unmanaged device traffic to be routed through the CASB service for policy enforcement. This is a less-than-ideal solution since SaaS vendors frequently change URLs associated with their applications as they scale their infrastructure or add functionality to their services. For organizations using numerous SaaS applications, it simply becomes untenable to keep up with the constant URL rewriting required to support all SaaS applications. Enterprises I have spoken with have summed up reverse-proxy based solutions as “brittle.”
Remote browser isolation (RBI) is a better solution to this issue. An RBI gateway provides exact and fully interactive copies of web pages in the end user’s browser or in web apps, without any native web content being downloaded to the end user device or browser. RBI can be used to route SaaS application traffic from unmanaged devices through CASB security controls. It is a simple, elegant solution that removes all of the brittleness that I described with the reverse-proxy approach. Another benefit of the RBI approach is that it supports virtually all SaaS applications, unlike proxy-based approaches, which typically only support a few dozen.
Securing Access to Risky Sites
Another critical Out-to-Out security issue involves employees accessing the web and email from remote working locations. Statistics from numerous studies clearly indicate that web and email are the two biggest threat vectors organizations face, and in the era of COVID-19 hackers have doubled down on the use of web and email to deliver their malware and steal data. If a user clicks on a link in a phishing email or browses to a dangerous website, the device can be infected with ransomware or other malware, which can then spread to other enterprise resources. Alternatively, phishing attacks can direct users to spoofed sites designed to trick users into divulging credentials such as usernames, passwords and bank account or credit card information.
The websites and malware used in these attacks are often neither categorized nor classified, since each URL is used for only a very brief time to avoid detection. Likewise, malware variants evolve constantly to avoid leaving any signature or fingerprint. As such, traditional secure web and email gateways or endpoint protection (EPP) tools are hard-pressed to detect them and prevent attacks. RBI can play an important role in addressing this problem. With RBI in place securing interactions with the web, users browsing to malicious sites independently or by clicking a URL embedded in a phishing email are completely safe, since no web content is ever executed directly on their devices. Only safe-rendering information representing a website is sent to a device’s browser, providing a secure, fully interactive, seamless user experience. Websites launched from URLs in emails can be rendered in read-only mode to prevent users from entering credentials for additional phishing protection. Finally, attached files can be sanitized before being transmitted to endpoints, ensuring that malware within downloads cannot compromise users’ devices.
Securing Cloud and Web Apps from Remote Attack
Organizations’ own cloud and web applications are targets as well. Hackers, using their own devices or employees’ devices that have been compromised in some way, can connect to the front end of a private cloud or web app, seeing exposed APIs, website code and more. This level of visibility helps hackers identify vulnerabilities they can exploit to exfiltrate data, disrupt operations, encrypt systems or carry out other malicious activity. Web application firewalls (WAFs) play an important role in securing these applications, as does RBI. Rather than shielding endpoints from web dangers, RBI can be used in this scenario to wrap corporate web and cloud applications in an isolation layer, so devices interact with only an app’s virtual representation and not the actual one. This eliminates any access or visibility to an application’s code or exposed APIs, shielding them from a range of attack techniques that hackers use when they target applications.
Users working in the office on managed or unmanaged devices that are connected to the corporate LAN generally require access to the public internet as well. Of course, this exposes them to the same risks mentioned earlier since the majority of enterprise cyberattacks are initiated via phishing emails or browsing to a malicious site.
RBI-as-a-service can secure this access path in a similar way to the one described earlier. Users can safely access any site they need on any device or browser without concern of infecting their device or the network. This holds true for general web browsing or for web sessions initiated via the click of a URL embedded in an email. Based on the zero-trust mantra of “never trust, always verify,” RBI operates on the premise that all internet content might be malicious and as such must be strictly isolated from endpoint devices and enterprise networks.
Organizations that apply least-privilege controls for Out-to-In scenarios need to apply the same level of control for In-to-In access. This internal office network traffic, known as east-west traffic, constitutes a significant potential attack vector. Insiders have been responsible for some of the highest-profile data breaches of recent years, with many disclosing data from resources and applications to which they did not actually require access for their usual, daily tasks. Similarly, organizations that permit overly broad insider access create a simple path for cybercriminals who leverage stolen credentials or brute-force attacks to move laterally within the network, to spread malware or steal data.
To protect resources and applications against these east-west threats, In-to-In access should be limited to only the resources each user needs for their job responsibilities. This cybersecurity imperative can be enabled by enforcing per-user identity-based authorization policies that provide granular, microsegmented access to only the specific resource that is being requested by the user at any given time. This approach would cloak all other resources and applications from that user. It would also, in essence, turn the entire network dark to any unauthorized users who might access the network via a vulnerability in one of its lines of defense. For the highest level of security, access policies should be created, applied and maintained on a per-user basis, creating the equivalent of one-to-one network microsegments on the fly when a user is connected to the resource they are requesting. While coarser-grained group-level policies are much easier to create and apply, they also create an overprivileged access environment that can be exploited by cybercriminals.
The COVID-19 pandemic has changed the world in ways that will have an impact well into the future, perhaps even forever. Where we go from here is anyone’s guess, but it is safe to assume that organizations will continue to embrace remote work environments as well as hybrid office/home combinations to a much greater extent than they did prior to our abrupt exile this year.
The evolution in where work happens applies to digital resources as well as workforces. The growth in remote work has further accelerated digital transformation and organizations are gradually shifting activity from traditional data centers to public cloud services and workloads.
These vast changes in the way business is done have exposed cybersecurity vulnerabilities that adversaries are keen to exploit. Along with the operational changes, organizations must revise their cybersecurity postures, creating relevant new constructs that enable anywhere-to-anywhere connectivity and productivity via managed and unmanaged devices, while safeguarding essential resources and tools regardless of whether they reside on the corporate network or the public cloud.
I hope the 2×2 model that I propose is a useful framework for organizations considering how to secure their new normal, whatever that might be. It is up to forward-looking thought leaders to consider the security challenges that exist in each of these areas—the ones I have covered as well as others that may be equally or more important for them. Defining the most relevant approaches for their operations will result in a better, more secure future for their organizations.