Posts

Key Security Operational Responses to the Surge in Remote Work

The debate about employees working remotely has ended for the time being. Driven by the response to the COVID-19 pandemic that is threatening life and livelihood, working-from-home is the new normal. All you have to do is look at the sharp increase in the use of remote conferencing software and accompanying skyrocketing stock prices of companies such as Zoom. As society hunkers down to ride out this pandemic, companies are rushing to enable their employees to work from home, frequently leaving the security systems that kept them safe in the office behind.

The pandemic is causing tremendous emotional turmoil, and cyber criminals are having a field day. As people thirst for information and answers, crooks are exploiting and defrauding them – primarily using sophisticated email phishing campaigns, but also more advanced approaches such as weaponized Coronavirus-themed mobile apps that steal user information as they deliver pandemic updates.

How can companies avoid serving up their users to cyber crooks? Best practices include issuing company-owned and hardened devices, enforcing the use of strong passwords and multi-factor authentication (MFA), and having employees use a virtual private network (VPN) to connect to the company firewall. However, the reality for many companies is that these measures are difficult or impossible to effectively put in play:

  • Companies may not have laptops, much less hardened ones, to issue to all employees. Additional devices, especially mobile ones, are expensive to buy and difficult to service and manage.
  • Installing, configuring and training users on MFA can be challenging, and MFA may not be supported by the systems users are accessing. Some VPN solutions provide MFA, but only for access to internal network apps. Cloud-based apps have their own MFA controls that companies don’t control.
  • What happens when users go home, connect to the VPN and access apps in the cloud? Companies are now backhauling all of that traffic to their corporate firewall for inspection, only to send it back out over the same network connection to the internet. Firewall, VPN and internet service that is sized for employees working in an office often won’t scale for a remote workforce.

As a result, many companies are faced with the unpleasant decision to either issue all employees hardened laptops and upgrade their existing firewall, VPN and internet service, or allow employees to use their personal computers (BYOD) to access internal company resources while bypassing security controls altogether for company resources in the cloud. It is easy to see how this plays right into the hands of cyber criminals who are keen to profit from this mad rush to remote work.

Fortunately, there is another option…

SASE for Secure Remote Access

The new normal, where workers are remote and apps are in the cloud, has fundamentally changed network traffic patterns, rendering existing network and security models obsolete. Traffic patterns are now inverted, forcing a change from data-center/corporate-office centric architectures to a model that pushes the security inspection and access control to the edge, where the endpoint and user are – an architecture called secure access service edge (SASE, pronounced “sassy”).

With SASE, it doesn’t matter where employees are working from (home or office), or what apps they are using (on premise or in the cloud). Why? Because users and all of their devices securely connect to a high-performance, auto-scaling security fabric in the cloud.

How can IT management pivot quickly to keep the organization running and your employees healthy and safe?

Discover why a secure access service edge (SASE) architecture is timely for shifting remote-access and remote-work requirements.

Listen to the webcast, “Scalable Secure Remote Access for Mobile Users.”

Read the white paper, “How SASE Architecture Enables Flexible, Scalable, and Performance Remote Access for Workforces.”

 

Weathering the Storm, or the next one, via secure remote work SASE (aka “sassy”)

A rapid cultural reversal on remote work has accelerated the need for a secure network edge. 

Not too long ago workplace bosses and company policy enforcers (HR and recruiting) reminded us time and time again that the luxury of working remotely, aka telecommuting, or from home, should be viewed as a privilege, not a right.

Think back to the 1990s, if you’re old enough, and that occasional blizzard or day you had to stay home for family or personal reasons. We all had loved ones. Yet still it was difficult to ask your boss for permission to work from home for dread of that snotty answer, reflecting then-fair company policy: “We need all employees in the office unless it’s an emergency. No exceptions.”

But the shift to remote work has gained “gradual” momentum over the years… From the network guys and gals, “Okay, two days a week, you’re worth it. We’ll extend our VPN and endpoint coverage out to where you require access.”

By 2019, the reins on telecommuting had greatly loosened: 63% of U.S. companies have remote workers, according to a 2018 Upwork survey.

Enter potential disaster COVID-19, and now abruptly, the ability to work remotely is vital, a key to business continuity and survival. As remote and mobile professionals, we’ve come a long way.

In a flash, our world has changed due to the COVID-19 pandemic, and remote work / working from home is an emergency requirement for business and human health. Now, remote work adoption is probably somewhere in the 90s percent range across most enterprise and individual categories, and we shall never forget to honor those still out there by societal need providing medical and public services in communal exchanges.

Exactly what did enterprises have to lose in the past by enabling network and data access to remote employees, and what does it still risk losing now?

The Remote Work Stigma

Well, first let’s get supervision of these employees… babysitting, if you prefer… out of the way. We’re no longer in sight, and supervisory suspicion builds (maybe it should, given today’s cybercrime schemes and scams, and the human tendency to rest). We’ve all had that manager who wanted us to respond while working remotely within 10 minutes of a request. Sheesh, I take bathroom breaks longer than that. We’ve all had that skeptical supervisor who didn’t think we’d be conscientious toward the job; presumed us loafers who didn’t care.

Less personally maybe there is security and performance monitoring of these distributed assets. Is the employee using company equipment or his or her own personal device? As a network administrator, CISO, or IT manager do you trust the device or virtual connections into your private data or cloud apps?

It’s been a network access avalanche, a sudden, enormous shift in networking resources… There’s a disastrous threat to business, both physical-world and ecommerce continuity; a virus that’s slowing down the human supply chain and people are dying and we can’t even get toilet paper online or during a scarf-filtered trip to the grocery store.

From a less physically granular perspective, from the virtual network management perspective, the sudden remote access demand is growing to a network tipping point. Do you have disaster recovery mechanisms in place that protect more than your initial digital attack surface through basic antivirus updates? Using converging network and security edge service provisioning (aka SASE), can your preparedness strategy empower employees to immediately work from home and safely use resources on premise or in the cloud, while empowering IT managers to sector off core enterprise data and backup?

We’re talking about preparedness, and this brings to memory a prophetically timely 2001 presentation in pre-9/11 America by Gartner infrastructure and security analyst William Malik on the topic of disaster recovery and how IT managers and employees could prepare for sudden blows to the business or wider market-striking agents that affect customers, supply chain members and people’s lives. It was a lesson in outward, disaster-scenario thinking, every detail being planned out with anecdotes about where your data might be co-located and how you might feed and support your physical front lines. Decades later, these are the types of details IT management teams are scrambling for now during COVID-19 and the demand for secure remote access.

Read the secure remote access white paper.

– Explores the changing considerations toward remote work, now essential for business continuity, as well as the need to shift network traffic and distributed data access patterns to address performance, security, and customer needs. Discover why a secure access service edge (SASE) architecture is timely for these shifting remote access requirements.

 

Securing SOHOs, Remote Workers and Your Private Data Network

Mobile and small office/home office (SOHO) workers require connectivity to the same resources your campus-based, firewall-protected employees regularly access from the data center, private network, and now increasingly from the cloud. This poses a problem and a risk: Network IT departments have low visibility into the configurations, security defenses, and points of access for these employees and devices accessing data remotely.

SOHOs and mobile employee workstations consist of affordable, consumer-oriented network equipment (often BYOD) and security software, all of which is not as sophisticated, protectable and secure as the computing tools in corporate offices. Many IT departments, smaller offices, and remote workers are dependent on public Wi-Fi, inexpensive home-based routers, iffy VPN use, and basic-AV-protected computers to protect their confidential internal and customer data at the edge.

The equipment used in the outlying areas of your network represents the weak link for hackers, the low-hanging fruit, increasing the overall security risk for the organization and its B2B/B2C partners. Common risks include spying, infection of connected devices, and the ransoming of the wider network ecosystem. Compromised endpoint network equipment such as computers and routers can set the stage for sophisticated botnet attacks and the spread to other systems, networks and servers, including those of partners.

Are you going to regularly mobilize truckloads out to every possible remote router site to try to secure these new connections? More sophisticated security equipment requires technical expertise, something most home office workers and many branch offices lack. Constant truck-hauls to every distributed site add up from an overall cost standpoint. Bolting on security through software patches can be a struggle, especially when managing updates and renewals across several security vendors and your busy workforce.

In response to these security and cost challenges, best practices for protecting remote equipment endpoints include:

  • Frequent, automatic software updates that don’t harass business-focused, non-technical home office workers. Leverage security-as-a-service (SECaaS) to rapidly orchestrate and automate advanced security and smart cyber risk management.
  • Virtual firewall as a service (FWaaS) that blocks unwanted traffic from your defined and controllable network endpoints, including wandering user devices.
  • A VPN, or similar secure tunnel, that segments ISP traffic from private network traffic. This VPN capability should be “always on,” noninvasively coating the attack surface and protecting company-used devices from breach and deeper infection.
  • Multifactor authentication (MFA), which helps to ensure the person or system trying to access a device, network or system is the same person or device authorized for access. MFA includes passwords, security tokens, and, in some cases, biometric identification.
  • Cloaking of a device’s and network’s unique identifiers or presence, making it difficult for other people and devices in range to detect.
  • Encryption and private circuit use to prevent outsiders from viewing, stealing or ransoming sensitive data.
  • Device hardening, so the endpoint can block legacy or unnecessary ports and services that act as doors for easy infiltration.
  • DNS filtering. These are the oft-color-coded listings and commands, which involve preconfiguring devices with software agents to prevent infection from dangerous sites and other network entities.
  • Avoidance of direct peer-to-peer computing or peer-to-private-server communication approaches. Remote Desktop Protocol and similar P2P network services are an easy gameboard for hackers. RDP sessions store credentials which can be stolen and wielded in “pass the hash” attacks. If you use P2P apps, it’s critical to orchestrate advanced, layered security mechanisms, including identity access control, encryption, and zero trust architecture.
  • Seamless support of the latest Wi-Fi authentication and encryption standards, which can help to protect on-device data and access points.

Securing Your Mobile, Remote Workforce

Every digitally transforming organization has its traveling users, the consummate contributors; the mobile warriors. They are a worrisome potential target for close-encounter cyber-takeovers.

Wandering human endpoints access different networks. They use whatever means available to keep their device batteries charged and to stay connected. Sometimes these individuals work in crowded, cramped seating areas where strangers are in physical proximity or router range.

Common behaviors that put remote worker security at risk include:

  • Connecting via unsecure, unencrypted Wi-Fi, or failing to authenticate through the corporate VPN while working from home, in a hotel, or coffee shop. Without the filtering and blocking of a leading firewall or VPN service, the employee can mistakenly land on a phony site or host (e.g., a man-in-the-middle attack), or click on a link from which malware can be delivered, infecting the device and from there seeking to spread.
  • Directly accessing SaaS applications in the cloud beyond the visibility and control of corporate IT security. Employees are at risk of man-in-the-middle attacks in this scenario, and hackers can steal credentials from the endpoint device and use that private data to gain unauthorized entry to cloud servers or back into the enterprise network.
  • Physically plugging into public charging stations, or attaching untrusted devices including other computers, flash drives and USB ports. Conversely, someone else might gain physical access to the network endpoint device and plug in a flash drive or perform some other type of direct tampering.
  • Falling for phishing attacks. Social engineering schemes are getting more effective at fooling curious, emotional human beings into clicking on links that appear to be legitimate but aren’t. These spoofed and phishing websites appear authentic but have surreptitiously rerouted the user to an ersatz click-on/sign-in-with-credentials page…

Your mobile warriors need help identifying and avoiding these deceptive man- and woman-in-the-middle attacks.

OPAQ Provides a Secure Access Service Edge Through Security-as-a-Service

Your network’s edge needs easier IT security reinforcement; a cost-effective, circulating burst of easily distributed security-as-a-service software from the cloud.

OPAQ provides strong endpoint protection as a service to ensure secure access at the network edge, empowering what Gartner calls the secure access service edge (SASE). Harness your expanding workforce. To support your remote employees and protect your network and business ecosystem, reinforce protection at the network endpoint and workstation level with help from the cloud.

 

Learn more.

8 Achievable Steps to Remote Security.

Visit our secure access service edge (SASE) page.

 

A Zero Trust Secure Access Service Edge for a Distributed Data World

You might call it ‘living on the edge.’ A growing number of organizations are moving computing out of the data center, out to the edge of the network. The various reasons for this include increasing numbers of mobile devices and remote users requiring access, expanding digital opportunities, cloud adoption, reduction of network latency and backhaul costs, and more. Making this edge computing possible are technologies such as SDN, SD-WAN and cloud access security broker (CASB) capabilities, all of which provide points of presence (POPs) where distributed workforces need them.

Traditionally, however, easy provision of good security has NOT been one of the drivers for this pivot to the network edge. Hence, many companies that have transformed their network architectures haven’t yet modernized their security architectures. They continue to indirectly route traffic to security engines (tromboning, hairpinning, backhauling), defeating the whole latency advantage and racking up in-house equipment costs. Or worse, they’re not adequately inspecting the edge traffic and payload, leaving their users, network endpoints, cloud data and internal network data exposed to increasingly sophisticated cyberattacks.

That’s all changing with the convergence of computer networking and security at the edge, something IT analyst firm Gartner dubbed the secure access service edge (SASE), pronounced “Sassy.”

The secure access service edge is an emerging solution category combining wide-area network (WAN) functions with security capabilities such as secure web gateway (SWG), cloud access security broker (CASB), firewall-as-a-service (FWaaS), and zero trust architecture (ZTA) to support a wide range of digital transformational requirements.

SASE merges edge computing’s distributed approach – bringing computation and data storage closer to the location where it is needed – along with the advanced security near or at these points of access.

Cloud Security-as-a-Service for Your Edge Computing

However, SASE isn’t a security scenario that data center-based hardware appliances are going to feasibly address. When modernizing your network, your traditional security equipment can get bypassed in your traffic’s shift to a software-defined perimeter. Alternatively, equipment deployments and reconfigurations (in your data center and remote sites) may struggle to keep up with today’s pace of secure connectivity requirements.

Your distributed workforce is accessing cloud providers for things like SaaS applications, while your branch offices and mobile workers take advantage of direct Internet access. Meanwhile, the resultant data is no longer being centrally stored on, or accessed from, the premises. More users, devices, applications, services and data are located outside of an enterprise than inside, according to Gartner. With organizations still responsible for data privacy and security of individual employees and customers, that’s a lot of scattered data to protect.

The edge requires agile management, and this is where security software and software-defined perimeters step in.

From a cybersecurity perspective, protection can now come closer to where access is needed. A software-centric SASE approach can deliver zero trust security best practices over Web gateways, cloud access points, tunnels, and the devices themselves, while eliminating inefficient hairpinning of traffic inspection to your data center or nearest branch-office hardware.

The OPAQ SASE Cloud provides more ubiquitous and local points of presence, with the zero trust architecture capabilities you need to ensure secure access, control and segmentation.

The OPAQ Zero Trust Secure Access Service Edge (SASE)

Whether it’s a branch office, remote workstation, router, or VM, all of these endpoint identities need network access. Before they connect into your private network and data, they must be identified, authenticated, and properly segmented.

OPAQ delivers a Zero Trust Secure Access Service Edge that bases decisions on the identity of the entity at the source of the connection (user, device, branch office, edge computing location, time of day, risk assessment of the user device, and the sensitivity of the data or app being accessed).

Primary components of this Zero Trust SASE architecture include:

  • User Authentication: IP spoofing, phishing, social engineering, identity theft, and bot break-ins demand a zero trust view of access. Is the device, person, or service attempting to enter into the network authentic? If access is allowed, what might happen next from a security impact perspective? OPAQ checks for a number of factors including user credentials, MFA, access privileges, device certificates, and more.
  • Access Control: Access has moved out to the edge, largely outside of the reach of a perceived private enterprise network. The OPAQ Cloud keeps inspections away from your private data containers, and secures traffic and performance at the edge closer to where access and QoE is sought. Tunneling to the nearest POP, OPAQ SASE provides end-to-end encryption of each session, including over public Wi-Fi networks (cafes, airports, malls, etc.).
  • Segmentation: Ransomware and other malware seek to spread and capture data and control as they go about their damaging business. Endpoint connections are underdefended by basic on-device antivirus updates, opening the door for the latest sophisticated attacks. OPAQ continuously extends layered next-generation security across the dissolving network perimeter, reinforcing workstations, VMs and other endpoints, and then making sure that distributed endpoints don’t expose vulnerable in-roads into your core network and data.
  • Device State: What are your wandering workstations connecting to? Are these devices adequately protected with antivirus, anti-malware, intrusion detection, and more? How are the devices behaving, and are they putting your network and data at risk? OPAQ device state analysis and control secures multidirectional access for your wandering workforce and stationary endpoints and what they can safely connect to.
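
The access decision these components describe, written out as an added example (it is not OPAQ's code or product logic, and not from the original post). The field names, risk weights, business-hours window and tunnel names are assumptions chosen for illustration; the sample requests are constructed.

```python
from dataclasses import dataclass, replace
from datetime import time
from typing import NamedTuple


@dataclass(frozen=True)
class AccessRequest:
    user: str
    credentials_ok: bool     # primary credential check passed
    mfa_ok: bool             # second factor presented for this session
    device_cert_valid: bool  # device certificate chains to the company CA
    av_running: bool         # device state: endpoint protection active
    os_patched: bool         # device state: no overdue security updates
    network: str             # "branch", "home" or "public_wifi"
    local_time: time         # time of day at the user's location
    sensitivity: str         # "web", "internal" or "restricted"


class Decision(NamedTuple):
    action: str  # "allow", "step_up_mfa" or "deny"
    tunnel: str  # "private", "web" or "none"
    reason: str


BUSINESS_HOURS = (time(7, 0), time(19, 0))  # assumed policy window


def device_risk(req: AccessRequest) -> int:
    """Score the device state; the weights are illustrative assumptions."""
    score = 0
    if not req.av_running:
        score += 2
    if not req.os_patched:
        score += 1
    if req.network == "public_wifi":
        score += 1
    return score


def decide(req: AccessRequest) -> Decision:
    # Identity first: an unverified user or device gets no tunnel at all.
    if not (req.credentials_ok and req.device_cert_valid):
        return Decision("deny", "none", "identity not established")

    # Web browsing stays on the filtered web tunnel, segmented from private data.
    if req.sensitivity == "web":
        return Decision("allow", "web", "filtered internet access")
    if req.sensitivity not in ("internal", "restricted"):
        return Decision("deny", "none", "unknown resource class")  # deny by default

    # Device state: the more sensitive the data, the less risk is tolerated.
    risk = device_risk(req)
    max_risk = 0 if req.sensitivity == "restricted" else 1
    if risk > max_risk:
        return Decision("deny", "none", f"device risk {risk} exceeds {max_risk}")

    # Time of day only gates the most sensitive class.
    start, end = BUSINESS_HOURS
    if req.sensitivity == "restricted" and not (start <= req.local_time <= end):
        return Decision("deny", "none", "restricted data outside policy hours")

    # Private data always requires MFA; ask for it rather than refusing outright.
    if not req.mfa_ok:
        return Decision("step_up_mfa", "none", "private data requires MFA")
    return Decision("allow", "private", "all checks passed")


# Constructed sample request: healthy laptop at home, mid-morning.
BASELINE = AccessRequest("alice", True, True, True, True, True,
                         "home", time(10, 30), "restricted")

if __name__ == "__main__":
    for label, req in [
        ("baseline", BASELINE),
        ("no MFA yet", replace(BASELINE, mfa_ok=False)),
        ("public Wi-Fi", replace(BASELINE, network="public_wifi")),
        ("AV off, web only", replace(BASELINE, av_running=False, sensitivity="web")),
        ("bad device cert", replace(BASELINE, device_cert_valid=False)),
    ]:
        print(f"{label:18} -> {decide(req)}")
```

Note that the same device can be refused the private tunnel and still be allowed onto the filtered web tunnel, which is the segmentation point: a risky endpoint keeps protected internet access without gaining a path to core data.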

Transformational edge computing requires a rotating shield of SASE protection.


How Sassy (SASE) Is Your Network?

Four Steps Toward Securing Your Digital Transformation

The term SASE, pronounced ‘sassy,’ is kind of cute, isn’t it? But secure access service edge (SASE) is a serious focus for organizations seeking to protect their data in the cloud, across the Internet, and within private networks.

In its Research Note, “The Future of Network Security Is in the Cloud,” global IT research and advisory firm Gartner defined SASE as “a converged cloud-delivered secure access service edge.”

Why is this security edge so important in defending data?

Best practice security is multi-layered, and establishes security intricacies along the way, seamless and nonintrusive to the digital user experience, but which effectively make it difficult for malicious parties including bots to breach the network.

Whether you believe in the cute SASE term or not, the edge (aka your network endpoint connections) is integral in perimeter security and for protecting against threats, the spread of malware, loss of control, and massive contamination and business damage. The edge is almost always the initial point of digital infection; a vector for infiltration.

In what Gartner characterized as its early stages of adoption, SASE is being driven by digital transformation, the adoption of cloud-based services, software-as-a-service (SaaS), and mobile and distributed workforces. We have to connect to do our jobs, but along the way, we might ingest malware, which can lay dormant, waiting to spread. Spoofing the identity, looking for that next jump… We all know those unfortunate individuals on Facebook, whose identities have been used to spread contagious links.

Understanding the risk that comes with digital business growth, you definitely want to filter all this traffic coming into your network, so you might run it back through your on-premises security appliances and over network resources. This eats up a lot of network bandwidth and costs more than use of the public internet, IaaS, and the cloud.

SASE enables organizations to overcome this difficult security-versus-Internet-access tradeoff; this business transformation hurdle.

SASE Business Drivers

Why get SASE in your security approach?

When the data center is the center of your network universe, it can inhibit transformational business architectures. A social, non-engineering side of your “network” wants to grow: A workforce cost-effectively using the Internet to amplify business potential, and partners and customers plugging into your network, making transactions. But amid all these new connection points, is it really your network anymore? It’s understandable to have sudden network blind spots as connections outside your visibility test you for access versus maintaining digital security.

Gartner reports, “More users, devices, applications, services and data are located outside of an enterprise than inside.”

How do you encrypt and inspect all this traffic and filter all those packets and links before you allow them into the business’s bloodstream?

Rather than hairpin traffic back through your datacenter, smart and more cost-efficient network service can be achieved through software-defined networking (SDN) and SD-WAN deployments that are secured through the infusion of security-as-a-service from the cloud.

Why Evaluate OPAQ SASE?

Digital business transformation requires anywhere, all-the-time access to business IT services, many now located in the cloud.

OPAQ enables organizations to:

  1. Shift inspections out to the session layer vs. routing the sessions to software engines that have to centrally inspect and then reroute communications. Network traffic and sensitive data storage is shifting to cloud platforms vs. enterprise data centers. Why haul it all in for costly inspection when the OPAQ SASE cloud provides a safe, cost-effective barrier?
  2. Get over the business transformational hurdle of risk aversion. Use SD-WAN and MPLS backhaul offload projects as catalysts to modernize and optimize security through enterprising software-defined perimeters. Cloud-based SASE offerings heavily reduce the need to update security at the physical or software level. Network and IT staff won’t have to spend all their time setting up equipment and performing maintenance and instead can focus on business transformation, business tools, privacy requirements, as well as advanced, next-generation security schemas.
  3. Reduce network security complexity by moving to one or two third-party providers for the key components of SASE: i.e., secure web gateways, DNS, zero trust network access (ZTNA), and workstation segmentation. This favorable software portfolio reduction can reduce agent bloat and performance issues at the end-user level. OPAQ also provides the requisite peering partnerships critical for points of presence, reducing latency for performance-sensitive apps such as video, web conferencing and VoIP.
  4. Easily bolster network segmentation to avoid kill-shots as you connect with new data sources as part of digital business transformation. OPAQ protects your organization with separate secure tunnels for: A) private enterprise data access (through MFA and monitoring for sensitive data and malware) and B) always-on protection for remote employees surfing the web for business connections and while on public WiFi.

OPAQ delivers the core SASE components to protect your digital business transformation investment:

  • Secure Web Gateways
  • Firewall-as-a-service (FWaaS)
  • Leading advanced endpoint protection and segmentation
  • ZTNA (zero trust network access)
  • CASB capabilities

Enterprise data centers, which traditionally scrubbed the network from contagion, aren’t suddenly vanishing; they just aren’t the center of the universe anymore when it comes to granting secure access. To protect endpoint connections, SASE clouds can drift more flexibly and cost-effectively to secure the fluctuating perimeter.

Get secure where the user requires access with OPAQ.

Download the Secure Network Modernization white paper

Download the Securing Remote Workers solution brief