While remote work and hybrid work have always been a thing, they’ve recently become more popular, and that’s created new challenges for network security.
Some companies embrace remote work and/or hybrid work; some try to limit or reverse the trends. For some internal teams, remote work is easily achieved and often preferred. In other cases, in more hands-on and collaborative efforts, being physically onsite can be important.
The point is that there isn’t a path to follow that leads to a one-size-fits-all solution for remote/hybrid work policies that protect network security. A lot of firms will need to take a lot of factors into account and make different decisions for different working groups and/or regional groups.
It isn’t easy to find situations where a single policy makes sense for everyone. It’s a very complicated issue, with tradeoffs. Yet firms can’t allow the complexities to overcomplicate their general network security posture in a way that either opens them to risks or forces cumbersome, unwanted processes on their employees’ day-to-day workflows.
The need for a new access paradigm
In the past, there were two common ways to access corporate resources. You were either physically plugged into the network at the office or you connected remotely through a VPN.
The complexities of this were a decent trade-off. While remote workers were forced into a secondary process (connecting to the VPN for some or all work tasks), onsite workers typically had a smoother process to access resources (and often at a much faster speed).
Again, when remote work and hybrid work were less common, this was an accepted tradeoff. If you were on the road, at a hotel or at home answering an important email while recovering from an illness, you accepted the process.
Today, the workplace looks different. And workers have different expectations. If you do 20%, 50% or 100% of your work remotely, the last thing you want is a different process to access resources depending on whether you are in the office or working remotely. Your access should be easy, seamless and consistent regardless of where you are.
Why access must be consistent from everywhere
On the other side of the equation are the resources being accessed. These are more commonly located outside the physical corporate network, so why should somebody doing remote work be required to connect back into the network through a VPN to hairpin back out to a cloud service?
The worker shouldn’t need to understand the complexities of the corporate network either. They shouldn’t need to know which resources are on the local network and which are remote, especially in today’s network environment, where resources are often added, removed and moved.
It’s just too much to train and maintain the knowledge across the whole company about resource location and access. All resources need to appear to be the same to the common user. Edge cases exist, but highly sensitive systems or networks aren’t common for most workers.
Core access principles for remote work and hybrid work
So, this leads to the question of how to secure access in a boundaryless corporate network. One where there’s an expectation that some (or all) employees will be doing remote or hybrid work, sometimes on unknown connections. And how to give them secure access to resources that can be deployed in many different locations and methods, from on-prem to private cloud to public SaaS.
While there are many different technologies that will need to work together (too many to fully cover in this post) to deliver network security, the core principles of how they operate need to be understood:
The employee doesn’t make connectivity decisions.
The device needs to make those choices for the worker. When a user accesses a resource at www.company.com/resource, that traffic must be routed properly without the user needing to understand where the resource is located.
The device and the user must be known, assessed and trusted at all times to maintain connectivity to corporate resources.
The solution needs to verify many different variables to know the context of the connection. And those variables may change often or suddenly. It is up to the admin to deploy a solution that can evaluate these variables cleanly, quickly and over the lifespan of the connection.
Other connectivity shouldn’t be interfered with.
While it is important to validate that the device remains uncompromised, especially when accessing resources that aren’t owned or maintained by the company, the solution to this problem can’t be to block nonwork-related connections.
The workflow for the end user should never change.
Just because the user’s location changes or a hosted resource moves locations, the end user shouldn’t have to make changes to their workflow to access the resources.
Updates to resource access policies need to be instantly deployed, done in the background and not force the user to know or understand the changes.
The admin should be able to bring up, tear down and move resources as needed. If resources are moved, it should be easy to make policy updates about accessing them.
There should be a portal to show the user what they can access.
The admin needs to maintain a portal to show each user the exact list of resources they can access. This portal should be consistent and simple. But it shouldn’t be required to access the resources. Once a user knows what they need, they should be able to directly access their needed resources.
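One way the principles above fit together, as an added illustration that is not from the original post or from any Ivanti product: a toy agent-side policy check with constructed resource, gateway and entitlement tables (hypothetical names). It shows the device choosing the gateway, trust re-evaluated over the session's lifespan, network location deliberately left out of the decision, and a portal that informs but is not a required step.

```python
from dataclasses import dataclass

# Constructed catalogue: each resource URL maps to the gateway that fronts it.
# Hypothetical hostnames; the user only ever sees the URL, never the location.
RESOURCE_GATEWAYS = {
    "www.company.com/wiki": "onprem-gateway",
    "www.company.com/hr": "private-cloud-gateway",
    "www.company.com/crm": "saas-proxy",
}
# Constructed per-user entitlements (what the portal would list for each user).
ENTITLEMENTS = {"alice": {"www.company.com/wiki", "www.company.com/hr"}}

@dataclass(frozen=True)
class Context:
    user: str
    user_verified: bool   # identity assertion (e.g. MFA) is still valid
    device_managed: bool  # device is enrolled and owned by the company
    posture_ok: bool      # endpoint checks pass (EDR running, disk encrypted, ...)
    network_known: bool   # office vs. unknown network: recorded, but never a factor

def trusted(ctx: Context) -> bool:
    """User, device and posture must all hold; location is deliberately ignored
    so that access is the same from the office, home or a hotel."""
    return ctx.user_verified and ctx.device_managed and ctx.posture_ok

def portal(ctx: Context) -> list:
    """What the user may reach; informational only, not a required step."""
    return sorted(ENTITLEMENTS.get(ctx.user, set())) if trusted(ctx) else []

class Session:
    """A connection whose trust is re-checked over its whole lifespan."""

    def __init__(self, url: str, ctx: Context):
        resource = url.split("://", 1)[-1]
        # The device picks the gateway; the user never chooses VPN vs. direct.
        self.gateway = RESOURCE_GATEWAYS.get(resource)
        entitled = resource in ENTITLEMENTS.get(ctx.user, set())
        self.active = self.gateway is not None and entitled and trusted(ctx)

    def reevaluate(self, ctx: Context) -> bool:
        # Called whenever a context variable changes, not only at connect time.
        # A failed check tears the session down at once; a torn-down session is
        # never resurrected by later good context (the user must reconnect).
        if not trusted(ctx):
            self.active = False
        return self.active
```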
Network security solutions
There are different ways to achieve the principles we’ve just listed. The most common solutions are ZTNA (Zero Trust Network Access), SASE (Secure Access Service Edge) or SSE (Security Service Edge) solutions. They all carry different deployment methods, different complexities and different feature sets.
Often, a network security solution comprises a few different types of solutions working together. In the end, they tackle the same principles in much the same ways:
- They manage the networking on the device to direct resource access to the correct gateway, proxy or network.
- They manage data communications in a secure way.
- They manage the device to ensure viruses, spyware and phishing attacks aren’t present, downloaded or triggered.
- They verify the owner of the device and verify the user on the device.
- They manage the backend communications with the corporate resources to permit hybrid deployments and hybrid access.
There isn’t a one-size-fits-all answer, especially with the arrival of new challenges like the Internet of Things. There are just too many complexities to consider. But failing to meet these core principles will only make network access more risky and harder to maintain and use in this age of remote work and hybrid work.
Blog post written on Ivanti.com