Future-Proofing Home Offices With Zero Trust Security


The early wave of emergency actions to enable remote access has subsided and many organizations are mulling a hybrid workplace model. Tim Knudsen, Vice President, Enterprise Security, Akamai Technologies reveals how the zero trust access model will continue to be the pandemic all-star, securing remote workforces from known pitfalls by turning the home Wi-Fi into the new corporate WAN.

The COVID-19 pandemic has had an immeasurable impact across multiple facets of our daily lives. How we work is one big aspect and could have a lasting impact on productivity, security, and branch networking strategies moving forward. 

The early wave of emergency actions to enable remote access has subsided and many organizations have shifted into an “adapt” phase to prepare for long-term work from home scenarios. In this article, we will share best practices to enable a productive and secure remote workforce.

This often starts with wanting to scale remote-user VPN capacity so that 100% of the workforce, including third parties, can reach every critical corporate application 100% of the time, regardless of location. Clearly there are tradeoffs to continuing to invest in VPN and network-level access, whether in terms of complexity, cost, or even risk.

Moving to a cloud-based zero trust access model that dynamically scales and maps users to application locations has the advantage of not having to implement capacity that may be idle for periods of time, moving quickly, and providing application versus full network access. 


More Devices, More Problems  

Another important consideration is the user experience. While it’s difficult to quantify the productivity loss of transitioning to a mostly remote workforce, it is imperative that IT organizations provide employees with the tools and user experience necessary to thrive in what is often a chaotic environment. Shared or ad hoc workspaces, children on vacation or homeschooling, and shifting work schedules can all be incredibly disruptive without compensating technology. Users need a seamless access solution that provides all the technological comforts of the office, with improved performance and a transparent security overlay.

The traditional method to assure performance has been to deploy regional VPN gateways and backhaul traffic across the private WAN. This can still be accomplished by appropriately sizing regional gateway capacity. Alternatively, an Internet performance overlay that optimizes routes and application protocols and avoids packet loss can achieve equivalent, and in some cases better, performance, because optimization can be applied across significant portions of the connection. Furthermore, an Internet performance overlay can offload significant amounts of traffic from the private WAN in the event that all users require ongoing access.

Another critical point of consideration is which devices are used for access, the risk these devices present, and the access contingency plan in the event the corporate-managed device becomes inoperable. Though most users will access enterprise applications via corporate-managed devices, workforce behaviors from home indicate a stronger blurring between corporate and recreational use on those devices, thus generally increasing the risk of compromise. A recent study by Akamai revealed a significant increase in the number of devices exposed to malware, illustrating a greater risk of devices being used to follow links or to access apps that are compromised.


Vulnerable Endpoints Risk Insecure Connections 

Endpoint protection and forced backhaul to security controls are approaches for protecting against advanced threats. This approach introduces another scaling and complexity consideration for on-premises solutions, which can be avoided through cloud-delivered protections. Another benefit of a cloud-based Secure Web Gateway (SWG) approach, starting with DNS inspection, is the ability to insert protections as early as possible in the kill chain: to prevent malware from ever reaching the device and to block all communications to remote command-and-control points.

However, protecting against a data breach requires considerations beyond malware protection. Enterprises that move away from network-level access to zero trust, granular application-specific access, based on identity with multi-factor authentication (MFA) and conditional authorization based on device risk, can significantly improve their security posture. Said another way: restrict access to what is absolutely required, after verifying that the identity and the device can be trusted, so the attack surface is as narrow as possible and lateral threats are largely mitigated.

This still leaves open contingency planning. What if the corporate-managed laptop fails and access via an unmanaged personal device is required? This introduces a significant number of new risk considerations, as it is highly unlikely the unmanaged device can be brought to corporate image standards. Therefore, following a zero-trust access model with device posture that includes a threat-signal context, based on what the device is attempting to communicate with, can enable risk-based access and provide some level of business continuity. However, this usually requires an agent.


Future-Proofing Home Offices: The New ‘Branch’ 

Alternatively, zero trust access via a browser to a rendered, personalized remote desktop environment can avoid the requirement for agent software altogether and provide access to all web and legacy applications, while also permitting additional controls that block copy and paste, local file transfer, and other functions that could result in sensitive corporate data ending up on a personal device, whether intentionally or not.

The simple truth remains that most work, particularly from employee-owned devices, can be done from a browser. While some applications may require an agent to access, this additional overhead does come with the benefit of device posture and additional threat signals that can be used to make dynamic authorization decisions.
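The following is an added illustration, not code from the article or from Akamai, of how the decisions described above fit together in a single policy evaluation: per-application entitlements tied to identity, an MFA check, device posture and a threat signal about what the device is talking to, direct access for a healthy managed device with an agent, and a browser-rendered fallback with clipboard and file transfer disabled for unmanaged or unhealthy devices. The entitlement table, application names, and device attributes are constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    DENY = "deny"
    AGENT_ACCESS = "agent"        # managed device with agent: direct per-app access
    BROWSER_ISOLATED = "browser"  # rendered remote desktop, no clipboard or file transfer


@dataclass
class Device:
    managed: bool        # corporate-managed image
    has_agent: bool      # agent supplies posture and threat signals
    posture_ok: bool     # assumed posture checks (patch level, disk encryption, etc.)
    contacting_c2: bool  # threat signal, e.g. from DNS/SWG inspection


@dataclass
class Request:
    user: str
    mfa_verified: bool
    app: str
    device: Device


# Constructed entitlements: application-level, never network-level access.
ENTITLEMENTS = {"alice": {"crm", "hr-portal"}, "bob": {"crm"}}
# Constructed list of apps that can be rendered in the isolated browser session.
BROWSER_CAPABLE = {"crm", "hr-portal"}


def authorize(req: Request) -> Decision:
    """Decide how (or whether) a single request may reach one application."""
    if not req.mfa_verified:                                # identity must be verified first
        return Decision.DENY
    if req.app not in ENTITLEMENTS.get(req.user, set()):    # least privilege per app
        return Decision.DENY
    dev = req.device
    if dev.contacting_c2:                                   # threat signal overrides everything
        return Decision.DENY
    if dev.managed and dev.has_agent and dev.posture_ok:    # trusted device: direct access
        return Decision.AGENT_ACCESS
    if req.app in BROWSER_CAPABLE:                          # unmanaged/unhealthy: isolate
        return Decision.BROWSER_ISOLATED
    return Decision.DENY


def session_controls(decision: Decision) -> dict:
    """Data-handling controls applied to the resulting session."""
    direct = decision is Decision.AGENT_ACCESS
    return {"clipboard": direct, "local_file_transfer": direct}
```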

Enterprises should consider the best practices above to ensure they have a secure and reliable remote workforce platform in place, assuring the workforce’s productivity for extended if not indefinite periods of time. Ultimately, we have seen a number of our customers use this as an opportunity to embrace the future of work from anywhere today. To take this full circle, it triggers some natural questions: if the workforce can be productive from home, are homes the new branch offices?

And if the home is the new branch, why not model every branch on the “home branch,” and how much cost and operational overhead could that eliminate (physical office locations, WAN and Internet circuits, and associated IT hardware could be eliminated, combined, or right-sized)? Why not make every legacy branch a Wi-Fi hotspot, like a cafe? Enabling the workforce during COVID-19 is clearly possible with secure, reliable application and web access, which also demonstrates that the Internet can become the new corporate WAN. Why go back?
