Anurag Kahol at Bitglass argues that organisations must move to a zero trust framework for remote working.
In the highly digitised modern world that we live in, the idea of commuting to a central office every day just to sit and work on a computer has long felt like an outdated approach. However, despite growing calls in recent years, the majority of businesses resisted the move to remote-based working models, usually citing productivity as the main concern.
However, the circumstances over the past few months have caused a rapid shift to having a remote workforce. While many businesses now admit to being pleasantly surprised about the continued high levels of productivity following this shift, the reticence they had about doing so means they simply weren’t prepared for such a monumental and long-term change in working habits. Consequently, they are scrambling to put infrastructure in place that enables productivity without compromising on security.
With so many question marks over the road ahead, enterprises are in need of a solution that enables flexibility to work in any environment as we all try to acclimatise to the ‘new normal.’
Since the shift, IT teams have been revisiting their infrastructure and likely finding that it needs meaningful changes. Enabling zero-trust remote work is a strong solution for exactly that, bolstering business security without significantly impeding worker productivity or system flexibility.
The essential components of zero-trust remote working
In order to work effectively, remote employees need unobstructed access to public cloud apps, the web, and internal applications from both company managed devices and unmanaged personal devices. At the same time, top security considerations for remote working include:
- Identity and Multi-Factor Authentication (MFA): Strong identity management via Single-Sign-On and MFA is essential. Remote workers are subject to greater risks from phishing attacks and MFA is a critical second line of defence.
- Robust Access Control & Data Loss Prevention (DLP): Access to corporate data must be controlled with respect to the context of the access, depending on user, location, type of device, sensitivity of the data, compliance requirements, etc. DLP policies must be contextually enforced on content flowing into and out of applications.
- Zero-Day Threat Protection: Remote workers operate off the corporate network and are therefore subject to greater risks of hacking and malware. Protection from such threats is essential across all devices, networks, and applications.
- Visibility: All regulated businesses must acquire and maintain access logs for remote workers to satisfy compliance requirements.
The question is: How do organisations effectively balance the needs of employees with the security measures required to keep sensitive data secure? Too stringent, and you’ll stifle productivity and flexibility. Too lax, and you risk attack.
Let’s look at the above security requirements in the context of the three aforementioned areas: public cloud apps, web access, and internal applications.
Access to public cloud applications
A typical business uses dozens of different public cloud applications such as Office 365, Salesforce, and Dropbox. While these application providers secure their own infrastructure, the applications themselves are freely accessible to any user, on any device, from anywhere in the world. As such, it’s the responsibility of the organisation itself to secure any data it has within each app.
Many rely on the vendor to provide application controls. However, because each vendor approaches security differently, this creates disjointed security across applications, which results in security gaps and major management headaches.
The nature of public cloud applications means single sign-on (SSO) and MFA should always be enforced. Access to applications must also be controlled by context (user group, location, etc.), with DLP policies used to control the type of data that can be downloaded. Sensitive data should be identified and either blocked, masked, or encrypted upon upload, and all sessions should time out when devices are left unattended.
From a threat perspective, reputable third-party end-point protection software must be installed on all managed devices, while uploads into cloud applications from unmanaged devices must be scanned for malware prior to transmission to the application. Finally, all activity, whether from managed or unmanaged devices should be logged for visibility, with logs retained as required for ongoing compliance.
Web access
Remote workers accessing the web from managed devices are exposed to all manner of threats and data leakage risks. The traditional VPN approach is sufficient for a few users but becomes problematic as the number of users rises, because the increased load on the VPN firewall throttles performance and creates a major bottleneck.
The best way to overcome this is by pushing processes to the edge and using direct-to-cloud connectivity with an elastic Secure Web Gateway (SWG), capable of handling shifting loads.
From an identity and MFA perspective, access to the SWG from managed devices must require authentication via corporate SSO. When it comes to access control and DLP, web browsing should be restricted to appropriate content, policies should scan all uploads for sensitive data and enforce the appropriate controls, and all web transactions should be blocked or logged according to policy.
For effective zero-day threat protection, risky URLs should be blocked entirely, while downloads must be scanned for malware and blocked in real time. Finally, as before, all activity should be logged and retained as required.
Access to internal applications
Every remote worker also needs access to applications within the corporate network. As mentioned, the traditional VPN approach is neither scalable nor cost-effective, and it is becoming increasingly untenable with the rise of remote work. Furthermore, VPN access from unmanaged devices is not feasible, presenting significant issues for workforces where bring your own device (BYOD) programmes are popular.
One of the best ways to overcome these limitations is through the use of Zero Trust Network Access (ZTNA).
Once authentication via corporate SSO and MFA has been completed, access to corporate resources must be granted contextually based on user, group, application, location, type of device, etc.
Additionally, to protect against zero-day threats, access should be restricted to devices with up-to-date, reputable third-party endpoint protection software that scans file uploads and downloads. This gives organisations real-time protection and stops zero-day threats before they spread.
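The contextual access decision described for public cloud applications above (SSO plus MFA, policy by user group and location, DLP controls keyed to data sensitivity, idle-session timeout) and for ZTNA here (denying devices whose endpoint protection is out of date) can be expressed as a single policy evaluation. The following Python policy engine is an added illustration, not Bitglass code or any product's API: the application policy table, the 15-minute idle limit, the sensitivity levels and the control names are all constructed assumptions, and a real deployment would load them from the CASB or ZTNA policy store.

```python
from dataclasses import dataclass, field
from enum import Enum


class Sensitivity(Enum):
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3


@dataclass
class AccessRequest:
    user: str
    groups: frozenset
    application: str
    action: str                      # "view", "download" or "upload"
    data_sensitivity: Sensitivity
    sso_authenticated: bool
    mfa_verified: bool
    managed_device: bool
    endpoint_protection_current: bool
    location: str                    # ISO country code, assumed supplied by the broker
    idle_seconds: int                # seconds since the session's last activity


@dataclass
class Decision:
    allow: bool
    reason: str
    controls: list = field(default_factory=list)   # obligations applied if allowed


# Constructed policy table (assumption): which groups and locations may reach each app.
APP_POLICY = {
    "crm":  {"groups": {"sales", "support"}, "locations": {"GB", "US"}},
    "wiki": {"groups": {"staff"},            "locations": {"GB", "US", "DE"}},
}
IDLE_TIMEOUT_SECONDS = 900   # assumed 15-minute unattended-session limit


def evaluate(req: AccessRequest) -> Decision:
    # Identity: SSO plus MFA is required regardless of device or location.
    if not (req.sso_authenticated and req.mfa_verified):
        return Decision(False, "sso_and_mfa_required")
    # Unattended sessions are terminated rather than left open.
    if req.idle_seconds > IDLE_TIMEOUT_SECONDS:
        return Decision(False, "session_idle_timeout")
    app = APP_POLICY.get(req.application)
    if app is None:
        return Decision(False, "unknown_application")
    # Context: group membership and location gate the application itself.
    if not (req.groups & app["groups"]):
        return Decision(False, "group_not_authorised")
    if req.location not in app["locations"]:
        return Decision(False, "location_not_permitted")
    # A managed device is trusted only while its endpoint protection is current.
    if req.managed_device and not req.endpoint_protection_current:
        return Decision(False, "endpoint_protection_out_of_date")

    controls = ["log"]   # every permitted request is logged for visibility
    if req.action == "download":
        if not req.managed_device:
            # DLP: unmanaged devices never receive confidential data in the clear.
            if req.data_sensitivity is Sensitivity.CONFIDENTIAL:
                return Decision(False, "confidential_download_blocked_on_unmanaged_device")
            if req.data_sensitivity is Sensitivity.INTERNAL:
                controls.append("mask_sensitive_fields")
        else:
            controls.append("endpoint_malware_scan")   # the managed device's agent scans it
    elif req.action == "upload":
        controls.append("dlp_scan")
        if not req.managed_device:
            controls.append("inline_malware_scan")     # no agent, so scan before transmission
        if req.data_sensitivity is Sensitivity.CONFIDENTIAL:
            controls.append("encrypt_at_rest")
    return Decision(True, "allowed", controls)


def audit_line(req: AccessRequest, decision: Decision) -> str:
    """One retained log record per decision, allowed or denied."""
    return (f"user={req.user} app={req.application} action={req.action} "
            f"managed={req.managed_device} location={req.location} "
            f"allow={decision.allow} reason={decision.reason} "
            f"controls={','.join(decision.controls)}")


if __name__ == "__main__":
    # Constructed sample requests: a managed laptop and a personal tablet.
    common = dict(user="alice", groups=frozenset({"sales"}), application="crm",
                  action="download", data_sensitivity=Sensitivity.CONFIDENTIAL,
                  sso_authenticated=True, mfa_verified=True, location="GB", idle_seconds=30)
    for managed in (True, False):
        req = AccessRequest(managed_device=managed, endpoint_protection_current=managed, **common)
        print(audit_line(req, evaluate(req)))
```

Every request, whether allowed or denied, produces an audit line, which is what makes the visibility requirement satisfiable; the order of checks also matters, since identity and session state are settled before any data-sensitivity decision is reached.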
With millions of workers around the world now getting used to the reality of full-time remote working, security teams must implement new solutions that provide the appropriate level of protection needed without stifling productivity or scalability in such an uncertain environment.
Adopting a tailored zero-trust approach to remote working can give organisations a simple, cost-effective way to operate remotely and securely.
Anurag Kahol is CTO of Bitglass where he expedites technology direction and architecture. Anurag was director of engineering in Juniper Networks’ Security Business Unit before co-founding Bitglass. Anurag received a global education, earning an M.S. in computer science from Colorado State University, and a B.S. in computer science from the Motilal Nehru National Institute Of Technology.
Main image courtesy of iStockPhoto.com