
Corporate Contractors and the Requirement for Zero-Trust Network Access

Published 10/21/2019

By Etay Bogner, VP, Zero-Trust Products Proofpoint and former CEO of Meta Networks

It’s not a stretch to say that most industries and organizations today have contractors in the mix who need remote access to the company’s network. Yet the traditional virtual private network (VPN) method of enabling access for corporate contractors—as well as other third parties such as vendors, partners, and customers—has a key flaw. The VPN model, by design, requires companies to place excessive trust in every contractor and third party who taps into the network, when a “zero trust” approach is really what’s needed.

What I mean by that is that contractors generally only require access to specific applications on the network to conduct company business, not to have free rein over the whole enchilada. Companies take security risks by enabling their team of remote contractors to have excessive access. To limit those risks, IT administrators are wise to upgrade from a conventional VPN approach and adopt a software-defined perimeter (SDP) security model that enables the principles of zero-trust security. What it means to have zero-trust network access is that the solution not only provides segmented access for every user, but also verifies and audits that access.

Here’s an example of what this might look like in practice if you have two remote contractors; let’s call them A and B. With zero-trust SDP architecture, Remote Contractor A might have her access restricted to a single cloud-based application, as well as one application in the data center. Meanwhile, Remote Contractor B might only be able to access one application at headquarters. Neither Remote Contractor A nor Remote Contractor B is greenlighted to access the full corporate network/data center; instead, each receives very finely grained access, as granted by IT, based on each manager’s and/or department’s project requirements.

As you can imagine, there are a number of clear benefits in providing zero-trust network access for all of your corporate contractors. Below is a summary of four of the key advantages:

Risk reduction. VPNs create a high-risk situation in terms of providing network access to remote contractors, as VPNs were not designed with this particular use case in mind. By contrast, a zero-trust SDP network allows for the creation of boundaries around any application based on identity and context. An SDP approach also allows an enterprise to ensure that each contractor’s device follows a customized policy that’s enforced. Meanwhile, any resources that a specific contractor is unauthorized to access remain invisible to the contractor, which reduces the attack surface.

App-specific access, not full network access. On a related note, the SDP allows your company to outline security policies at a granular level, associating specific remote contractors with the exact applications and/or services that they require. This is a huge security advantage compared to VPNs, which roll out free access to the entire corporate network. SDP can accomplish this goal easily since each contractor’s user device can be assigned its own authenticated, unique identity, which then gets verified and authorized for every packet in real time. Segmenting and securing access means that IT can grant each contractor exactly the access he or she requires for a specific job, limited to a small subset of applications. This helps avoid the security risks mentioned above, as well as operational overhead.
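The checks described in the two advantages above (unique device identity, enforced device policy, per-application grants, hidden resources, audited decisions) can be sketched as a small default-deny policy broker. This is an added example, not code from the article or from any SDP product; the application names, device IDs and the `AccessBroker` class are hypothetical, and the flat `vpn_reachable` function is included only for contrast.

```python
from dataclasses import dataclass, field

# Constructed sample policy; all names below are hypothetical.
POLICY = {
    "contractor-a": {"device": "dev-a-01", "apps": {"cloud-crm", "dc-build"}},
    "contractor-b": {"device": "dev-b-07", "apps": {"hq-wiki"}},
}
ALL_APPS = {"cloud-crm", "dc-build", "dc-payroll", "hq-wiki"}


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    device_compliant: bool  # result of a posture check done elsewhere
    app: str


@dataclass
class AccessBroker:
    policy: dict
    audit: list = field(default_factory=list)

    def authorize(self, req: Request) -> bool:
        """Evaluate every request; anything not explicitly granted is denied."""
        grant = self.policy.get(req.user)
        if grant is None:
            reason = "unknown-identity"
        elif req.device_id != grant["device"]:
            reason = "unregistered-device"
        elif not req.device_compliant:
            reason = "device-noncompliant"
        elif req.app not in grant["apps"]:
            reason = "app-not-granted"
        else:
            reason = "granted"
        # Record allow and deny decisions alike so access can be audited.
        self.audit.append((req.user, req.device_id, req.app, reason))
        return reason == "granted"

    def visible_apps(self, user: str) -> list:
        """Only granted applications are ever listed to the user."""
        grant = self.policy.get(user)
        return sorted(grant["apps"]) if grant else []


def vpn_reachable(user: str) -> list:
    """Flat VPN model for contrast: any known user reaches every application."""
    return sorted(ALL_APPS) if user in POLICY else []
```

The audit list records the reason for each decision, so a denied request from a registered but non-compliant device can be told apart from a request for an application that was never granted.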

Easy management. VPN configuration is notoriously complex, but an SDP approach allows for much simpler processes and management. You can use one cloud console to manage access policies for all enterprise resources in the cloud or data center. You can also easily tackle tasks like:

  • Onboarding new remote contractors
  • Assigning role-based policies
  • Sending a link to enable remote contractors to access a specific application from their browser

In particular, the onboarding of new contractors can be a real headache with a traditional VPN client, involving annoying configuration issues and time-consuming troubleshooting, which can quickly become unsustainable if you’re not managing contractors’ devices. Fully onboarding a new remote contractor could potentially take days or even weeks in this circumstance, presenting impediments to your enterprise’s ability to focus on key parts of your business. These distractions vanish when you switch to an SDP solution.

Superior experience for contractors. No more VPN headaches for your remote contractors; SDP allows for a much more consistent and reliable experience with easy, transparent, worldwide access. The central management of a zero-trust network, which covers all of your applications and data, as well as all of your contractors and other third parties, assures not only granular security for the enterprise, but also a positive experience for users that will help improve retention of remote contractors.

If you have a widely distributed workforce or work with remote contractors in any capacity, consider the above benefits when weighing whether to continue with a legacy-style VPN, or switch to an architecture that’s user-centric and zero-trust. The latter offers secure, granular, controlled access to specific parts of your network or software platform and can be enforced consistently no matter where contractors are based or working—huge benefits in today’s increasingly distributed work environment.

About the Author

Etay Bogner is the former CEO of Meta Networks and now VP of Zero-trust Products for Proofpoint. He focuses on helping organizations provide secure remote access for employees, contractors and partners to corporate applications and the internet. To learn more, download a detailed whitepaper on the subject.
