Compliance with security requirements and the right to privacy aren’t mutually exclusive, even though the former often erodes the latter. But IT can achieve both through balance and some well-thought-out strategies, says Aaron Kiemele, chief information security officer at Jamf.
Technology continues to bring advances to users and organizations alike. It is difficult to name another field that has had so many positive impacts across so many sectors, not to mention single-handedly redefining how we communicate, especially in light of the pandemic. Technology has transformed how work can be done and where it can be accomplished.
The management of the very technology that has done so much to unite us is, ironically, often a force that separates us in the name of policies and security that aim to protect devices, the data contained therein and the users themselves.
Any IT or security admin can tell epic stories of the battles endured throughout their careers: IT and security teams instituting well-meaning but sometimes flawed controls to “protect the crown jewels”, and end-users lamenting the resulting loss of freedom, privacy and sometimes even the ability to do their work.
Who’s right and who’s wrong? Depending on the organization, its risk appetite, and the skills and capabilities of the IT department, it could be one, the other, or both. It’s not a one-size-fits-all scenario. After all, how can we expect something as dynamic as technology to be controlled with static procedures?
Given the advances in technology, the virtual elimination of the network perimeter, and the rise of remote and hybrid work, that lesson is proven again and again: to manage and secure our technology, we have to keep adapting. IT admins do not need to fall back on the “iron-fist” approach of yesterday, maintaining their environments at the cost of forcing end-users to do things one set way. There are more nuanced approaches in which IT works with its users to protect data, securing devices while giving users access to only the resources they need to do their jobs.
Replace VPN With ZTNA
IT admins would benefit from giving up some of their “power” in exchange for peace of mind for both themselves and their users. Consider a technology that is the de facto solution for remote access to resources yet is ill-equipped to adapt to current remote and hybrid workplace needs: the virtual private network (VPN).
Yes, I said it. And I’m not alone in thinking this, as many organizations have felt the sting of VPN’s limitations during the global pandemic. With staff scattered outside the cozy confines of the perimeter network, a typical VPN deployment hands every user blanket permissions (in other words, access to the entire corporate network) regardless of the specific resources they actually need, and all users share the often very limited VPN gateways into the corporate network.
This isn’t just a recipe for slow communication and low productivity, driven by the costly, hard-to-maintain and often antiquated gateway hardware that VPN depends on. It also violates the principle of least privilege: users should receive only the lowest level of access required to get their work done. Add the poor end-user experience, the stifled productivity and the time lost to connectivity issues, and VPN has become a sore subject for organizations of all sizes, particularly larger ones, where VPN is not known to scale well.
And yet, for many, the dread of VPN is better than the alternative of no security. But why must it always be an all-or-nothing scenario? It doesn’t have to be. Enter zero trust network access (ZTNA). We’ve been talking about a zero-trust approach to accessing resources for a while. ZTNA takes this approach one step further, letting organizations secure corporate resources at a granular level while drastically simplifying the network and the user experience.
Similar to a firewall whose final “deny any” rule blocks everything that didn’t match an earlier rule, ZTNA defaults to deny when a user requests a resource or service that IT has not explicitly granted them access to. There is no wiggle room and no endless password prompt to brute-force against; access is simply denied. This is a huge and welcome departure from VPN, since it limits the resources a threat actor can reach from any one compromised account or device.
Benefits of ZTNA
With ZTNA, access rights can be as granular as the organization needs, from access groups to individual user accounts, or based on specified criteria such as a company-owned device with authenticated user credentials, 2FA enabled and a passing device health check. If you authenticate successfully but your device doesn’t meet the required criteria, guess what happens? That’s right, no access!
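To make the default-deny behaviour and the “authenticated but non-compliant device” case concrete, here is a small policy engine in Python. It is an added example written for this article, not Jamf’s product or any vendor’s code; the policy model, the field names (`authenticated`, `mfa_passed`, `device_managed`, `device_healthy`), the sample rules and the sample requests are all constructed. Access is allowed only when an explicit rule names the resource and the user and every condition on that rule holds; everything else, including an unknown resource, falls through to the implicit “deny any”. The decision is also packaged as a structured event of the kind one would stream to a SIEM.

```python
# Illustrative zero-trust access decision engine. Added example for this
# article; not Jamf's product or any vendor's code. The policy model, the
# field names and the sample rules/requests below are all constructed.
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple


@dataclass(frozen=True)
class Request:
    """One access attempt, as the policy engine sees it after the IdP and the
    device-management agent have reported on the user and the device."""
    user: str
    groups: FrozenSet[str]
    resource: str
    authenticated: bool    # SSO / identity-provider authentication succeeded
    mfa_passed: bool       # second factor completed
    device_managed: bool   # company-owned or enrolled device
    device_healthy: bool   # device passed the posture/health check


@dataclass(frozen=True)
class Rule:
    """An explicit grant for one resource. Anything not covered by a rule is
    denied (the implicit 'deny any' at the end of the list)."""
    resource: str
    allowed_users: FrozenSet[str] = frozenset()
    allowed_groups: FrozenSet[str] = frozenset()
    require_mfa: bool = True
    require_managed_device: bool = True
    require_healthy_device: bool = True


# Constructed sample policy: engineers reach the internal git server only from
# a healthy, managed device with MFA; alice may reach the HR portal from a
# personal device (MFA still required). No rule mentions the finance database.
RULES: List[Rule] = [
    Rule("git.internal", allowed_groups=frozenset({"engineering"})),
    Rule("hr.portal", allowed_users=frozenset({"alice"}),
         require_managed_device=False, require_healthy_device=False),
]


def unmet_condition(req: Request, rule: Rule) -> Optional[str]:
    """Return the first condition of `rule` that `req` fails, or None."""
    if not req.authenticated:
        return "not_authenticated"
    if rule.require_mfa and not req.mfa_passed:
        return "mfa_required"
    if rule.require_managed_device and not req.device_managed:
        return "unmanaged_device"
    if rule.require_healthy_device and not req.device_healthy:
        return "device_health_check_failed"
    return None


def evaluate(req: Request, rules: List[Rule]) -> Tuple[str, str]:
    """Default deny. Allow only when some rule names the requested resource,
    names the user (directly or via a group) and has every condition met.
    A successful login from a non-compliant device is therefore still a deny."""
    reason = "no_matching_rule"
    for rule in rules:
        if rule.resource != req.resource:
            continue
        identity_matched = (req.user in rule.allowed_users
                            or bool(req.groups & rule.allowed_groups))
        if not identity_matched:
            continue
        unmet = unmet_condition(req, rule)
        if unmet is None:
            return "allow", f"rule:{rule.resource}"
        if reason == "no_matching_rule":
            reason = unmet   # record why the first identity match failed
    return "deny", reason


def decision_event(req: Request, decision: str, reason: str) -> dict:
    """Structured record of the decision, shaped for streaming to a SIEM.
    Only the corporate resource request is logged, not other device traffic."""
    return {
        "event": "ztna.access_decision",
        "user": req.user,
        "resource": req.resource,
        "decision": decision,
        "reason": reason,
        "mfa": req.mfa_passed,
        "device_managed": req.device_managed,
        "device_healthy": req.device_healthy,
    }


if __name__ == "__main__":
    eng = frozenset({"engineering"})
    samples = [
        Request("bob", eng, "git.internal", True, True, True, True),   # allow
        Request("bob", eng, "git.internal", True, True, True, False),  # deny: device health
        Request("bob", eng, "git.internal", True, False, True, True),  # deny: MFA missing
        Request("alice", frozenset({"hr"}), "hr.portal", True, True, False, False),  # allow
        Request("mallory", frozenset({"contractors"}), "git.internal", True, True, True, True),  # deny
        Request("bob", eng, "finance.db", True, True, True, True),     # deny: no rule
    ]
    for r in samples:
        d, why = evaluate(r, RULES)
        print(decision_event(r, d, why))
```

The engine keeps looking at later rules when an earlier identity match fails a condition, so a second, less strict grant for the same resource can still allow access; what it never does is fall back to an allow when no rule matches at all. The `reason` field is what makes the SIEM stream useful: a burst of `device_health_check_failed` denials from one user is a very different signal from a burst of `no_matching_rule` denials across many resources.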
Another boon for both IT and users is that ZTNA integrates with your identity provider, leveraging single sign-on (SSO) for all the resources assigned to a user’s account. Users need only authenticate through SSO to reach their resources: no juggling multiple accounts, no entering credentials repeatedly, no time-out disruptions. And because ZTNA was designed with user experience and network traffic in mind, it does not backhaul all user traffic through a central gateway, which lowers latency and keeps traffic flowing.
A benefit for IT is increased visibility and control: monitoring network and application traffic, identifying security issues and mitigating threats and risks. Because ZTNA makes access decisions per application rather than per network, IT can gather far more device, user and access data, logged in real time, which makes it straightforward to stream activity to a SIEM for analysis and to integrate it with the management system for policy and compliance enforcement.
Lastly, ZTNA can authenticate users and grant them access on any device, company-owned or personal, with minimal end-user involvement (i.e., downloading an app or agent). No tricky configuration or complexity is required to get up and running, even on new devices out of the box. All this works with user privacy instead of against it: communications and data exchanged by personal (non-corporate) apps are not governed by ZTNA policies, which apply only to the resources your organization has provisioned for employees. Traffic from the remaining apps and resources is not collected or monitored by ZTNA, because it falls outside the scope of securing the company’s resources.
At the end of the day, whether your role is in IT, sales or HR, we all just want to do our jobs with the least amount of headache possible. Sometimes we can arrange that for ourselves; other times, as in this case, IT can bring things closer to a zen-like state for both themselves and their end-users.