Network Security for the Cloud and Mobile Workforce
By Etay Bogner, VP of Zero-Trust Products at Proofpoint
An increasing number of enterprises today have made large-scale shifts to cloud-based IT resources by putting their applications in the cloud, subscribing to ready-to-use software-as-a-service (SaaS) applications, and supporting an expanding remote and mobile workforce. However, these practices strain the capabilities of legacy networks built around site-centric connectivity and security stacks. There are many recognized challenges tied to dependencies on data-center-based firewalls and VPNs, such as large network attack surfaces, unreliable end-user experiences, and administrative headaches.
The Mobile Workforce, The Cloud and Secure Networking
Many enterprise applications, workloads and storage have shifted to the cloud as companies adopt a "cloud first" strategy to get out of the requirement of owning and operating infrastructure. They are migrating their own custom applications to the cloud to run on public cloud infrastructure, in addition to subscribing to enterprise SaaS applications and countless other productivity applications.
The idea of people always working in the same office location during specific work hours seems quaint in 2020. The workday doesn't end at 5 PM; many people work extra hours at home in the evening and on weekends, and they need remote access to their office computer. People are mobile; they work from home or wherever they happen to be. In fact, some people may never even go to a company site—especially if they aren't actual employees of the company. An organization's workforce is very likely to include contractors, partners and consultants who need varying levels of access to applications, data and other company resources. What's more, workers may use non-corporate-owned, unmanaged devices as they access the network and applications.
With people and computing resources scattered about, unknown devices connecting from near and far, and cloud-based applications now essential to business operations, the traditional site-centric perimeter of network security is long gone. Nevertheless, strong security is needed more than ever as concerns become more pervasive and damaging, and cyber-attacks and breaches surface with alarming regularity.
The Problem of Network Security with an Overly Permissive VPN
In terms of networking, people have to connect to something regardless of where they work. Most organizations do that today by connecting workers to the network in the corporate data center or headquarters.
For those employees in an office, it's typically a simple LAN or WAN connection; those outside the office (i.e., mobile or remote workers) usually connect via a VPN. The security paradigm for either method of connectivity is flawed because once authenticated users are on the enterprise network, they are considered "trusted" and have overly broad access to the network. VPNs have their own problems: the user experience can be poor, and from the IT perspective, VPNs can be difficult to manage.
The connectivity and security challenges escalate when the organization uses cloud applications. For branch or mobile workers, the enterprise can either bring all traffic back to the headquarters network hub and then send it out to the cloud, or allow the traffic to go straight to the cloud from wherever the user is. Backhauling all remote traffic to a central facility isn't practical. Companies do it to enforce the on-premises security stack, but this practice puts a strain on network and application performance and degrades the user experience. What's more, mobile users lose "locality," meaning that someone who is traveling quite far from the home network – perhaps out of the country – still has their traffic backhauled to the network hub, which results in latency and throughput issues.
Allowing user traffic to go straight to the cloud or the internet is too risky. This practice circumvents corporate security infrastructure and policy and doesn't allow all traffic to be logged for audit and security purposes. Companies compensate by installing one security solution after another: CASBs for SaaS applications, and VPNs for IaaS/PaaS, which becomes more complex and expensive as the number of instances grows.
It's simply not practical or cost-effective to deploy so many security solutions, especially for cloud applications. It forces corporate IT departments to become systems integrators to make a lot of disparate solutions work together for the sake of trying to hold onto a porous security perimeter.
Enter Secure Access Service Edge (SASE)
Cloud-based IT resources serving mobile workforces and others in the enterprise require highly available network access that is reliable and secure. According to a recent report by Gartner, "As a result, secure access services need to be everywhere as well. The data-centric model will not scale. Network gymnastics to route traffic to and from the enterprise data center make no sense when very little of what a user needs remains in the data center. Worse, we impact user productivity, user experience and costs by restricting access to SaaS only if a user is on the enterprise network or has used a VPN, or requiring different agents for SWG, CASB and VPN, which creates agent bloat and user confusion. In other cases, branch-office traffic is forced through the data center for inspection when users access any cloud-based resource, increasing latency and the cost associated with dedicated MPLS circuits."
As a more secure and manageable alternative to legacy networking solutions, SASE offers reduced risk, application-specific access, efficient management and a consistent end-user experience. Administrators can onboard each network resource to a SASE platform once and manage all policies centrally in the cloud, avoiding the need to configure and sync across different locations. Fully cloud-based SASE platforms require little setup or maintenance in the data center or VPC to which the user is being given access. All of the intelligence, as well as the security enforcement, is done in the cloud.
Next-generation network service providers are building the fabric that delivers user-centric computing to enterprises. Advanced zero-trust SASE platforms offer a multi-tenant global overlay network that can nonetheless function like a private enterprise wide area network for each organization. All of the infrastructure of this network is provided by the vendor in the cloud, so there is no hardware for a customer organization to deploy. SASE platforms provide the micro-segmented access to applications and network resources that workers require. They deliver a best-of-breed network security stack in the cloud to help enterprises chain together the needed security services at every point in the network.
About the Author:
Etay Bogner is the former CEO of Meta Networks and now VP of Zero-trust Products for Proofpoint. He is focused on helping organizations provide secure remote access for employees, contractors and partners to corporate applications and the internet. To learn more, download a detailed whitepaper on the subject.