The COVID-19 pandemic turned this whole concept on its head as remote working became a necessity. Whilst the past twelve months were a challenge, and the transition to remote working pushed companies to their technological limit, the journey back to the office through hybrid networking should prove significantly easier. Migrating from a fixed office environment to a completely remote workforce in the space of a couple of weeks was understandably difficult, but transitioning back to the office, at least in part, should be more straightforward given that this is the setup that workers are used to.
During the mass shift to remote working, many businesses will have updated their security solutions for remote workers so they could access the cloud directly from any location. Any remaining traffic going back across the VPN would solely have been to access any existing on-premises applications, reducing any disruption to day-to-day access.
The last year has proved the concept that work is no longer a place, it is an activity. The traditional perimeter has been made obsolete and a new model has taken its place. The modern perimeter is now centred around identity and context, with new security frameworks, such as Zero Trust and Secure Access Service Edge (SASE), paving the way for a secure hybrid future.
A recap on Zero Trust
The Zero Trust model has been building steam for some time. Previously known as the Software Defined Perimeter, Zero Trust Network Access adds a level of adaptability to SDP. Ever since John Kindervag developed the outline for the Zero Trust Security Model, the concept of trusting no one, regardless of whether they are inside or outside the network, has changed the way companies approach security. Zero Trust Network Access depends on a new perimeter based on context, including identity, but also device integrity, location (network/IP address), and geolocation. With its elements of adaptability that change in response to behaviour, ZTNA will be a fundamental approach for businesses journeying through hybrid networking over the next couple of years.
There are three primary approaches to Zero Trust: user and device, network and applications, and data. Most organisations will adopt a user and device approach – which is identity based – with an element of network, designed around micro-segmentation, secure routing and virtualisation. Previously, individuals would be able to connect to a network and then authenticate their access with login details. Zero Trust, however, reverses this process so that users will be forced to authenticate before they are able to connect to anything, thereby making the network more secure.
Bringing in SASE
Secure Access Service Edge is also going to play an important role in the evolution of security approaches moving forwards. SASE is the bringing together of Network (as a Service) and Security (as a Service), delivered regardless of where users, applications or devices are located. The SASE approach creates a single point of control, where each user has access to the same level of capabilities from any location, in the office or at home.
Just like Zero Trust, SASE is not a product. It is not something a company can go out and buy to solve all their problems. It is a concept, a goal to head towards. Gartner predicts that 40 percent of organisations will have a strategy to adopt SASE by 2024. This means that in three years, more than half of companies will still not have developed a plan for SASE, let alone implemented it.
As for its relevance today, adopting a SASE approach will help solve short-term technology decisions, ensuring that the long-term journey to SASE is as swift and straightforward as possible. ZTNA is likely to be the first stop on the SASE journey for many organisations. Further, SASE itself is simply another journey, not a destination. Firms will need to approach SASE implementation with a long-term mindset that anticipates further developments in the coming years.
The challenges for those trailing behind
Without a doubt, those companies who have been determined to hold onto traditional perimeters will struggle the most moving into a hybrid network environment. Instead of forcing all of their users back into the corporate network over a VPN, businesses should start to move controls closer to the user and device, reduce services delivered from DMZs and segment the network to separate users away from the data centre.
Gartner pointed out that the last twelve months have exposed the limitations in legacy models and technologies. Deciding to ignore these warnings and returning to old processes will only hinder a business’s development and will certainly complicate its future security journey. Instead, businesses should be dedicated to ring-fencing key applications and moving across to Zero Trust. Through this process, organisations can start to introduce flexibility and adaptability based on behaviour, which will strengthen their security posture over time.
The journey ahead
The format of each security journey will differ for each company. It will be dependent on each business’s priorities and the position they are starting in. Here at Censornet, it is no different. Whilst our entire development team has moved to Zero Trust, we still have call dialler software which requires teams to connect to a VPN for the office network. So even when the majority of a company has made the successful transition to these new perimeters, there will still be elements that need legacy infrastructure. Fortunately, Zero Trust is iterative and incremental rather than binary to accommodate edge cases.
It’s important to recognise that these developments take time and will not solve every problem overnight. Therefore, companies who make the decision to extend their focus beyond the pandemic challenges and adopt long-term strategies will find themselves in a much stronger position should similar workplace challenges arise again.
By Richard Walters, Chief Technology Officer at Censornet