A recently published report by NetMotion revealed a startling fact. Asked whether the remote workforce is as safe as similar employees working in an office environment, the response from a host of security and IT leaders was an emphatic ‘no.’ A full 97% of these experts answered that remote workers are exposed to at least some added risk, with roughly 47% stating that the risk was either high or extremely high.
With many organizations projected to continue this work-from-home policy for at least the near future, it seems increasingly unlikely that employees will return to the office en masse any time soon. Barring any sudden miracles, the job of providing employees with an easy-to-deploy, reliable and secure remote access solution will fall on the shoulders of IT teams.
Legacy VPNs are not the answer
When work restrictions first began, employers were forced to scramble. Naturally, they wanted to ensure that employees could access the data and applications that they needed for their jobs. But as companies with existing VPNs quickly discovered, the spike in demand placed on network infrastructure pushed those networks to the breaking point.
Where did they go wrong? Much of the blame goes to legacy VPN hardware. In order to scale to meet demand, these systems required additional servers and load balancers that are not only expensive but also take considerable time to order and install. These systems may be fine when a small percentage of the overall workforce is traveling or working remotely, but they were never intended to cater to an entire population of remote workers, let alone those using a patchwork of slower, often less reliable Wi-Fi and cellular networks.
To some extent, many of us have become numb to news about large-scale hacks and breaches. They no longer have any shock value. Breaches have happened before and they’re going to happen again, regardless of the brand name or its promises to value user data. While many breaches are the result of poor password management or the exploitation of security vulnerabilities in an operating system, we need to do more to minimize them. Far too often, breaches are made worse when a hacker has access to someone’s VPN credentials, allowing them to move laterally throughout a network to exfiltrate valuable data.
Less is more
That brings us to the new wave of promising technology, based on a concept called zero trust. The basic idea is simple: an organization can prevent (or at least greatly minimize) the risk of a data breach by removing trust from its network architecture. In the real world, an employee or device that tries to access an application or data first needs to meet predetermined criteria in order to prove its identity. In other words, a device or a user can be denied access to resources for any number of red-flag events, such as using an outdated version of an OS, or being in the wrong location. In short, this gives IT teams a completely new level of control and the freedom to establish highly specific, granular policies that prevent unauthorized access.
Applying the concept of zero trust to the field of remote access has given rise to solutions such as the software-defined perimeter (SDP). Software-defined perimeters create peer-to-peer connections between users and the specific resources they need. At the same time, the granular policy controls allow for ‘least privilege,’ meaning that users are only given access to the resource they requested and nothing more – preventing any kind of lateral movement.
SDP solutions come in all shapes and sizes, with various flavors of architecture, but they can do much more than just check credentials. They gather a variety of data, such as the application being used, the location of the device, the trustworthiness of the network it is connected to and much more. They then use this real-time data to build a unique risk profile for each individual resource request, evaluating it on its merits and determining whether the user should be granted access.
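The three preceding paragraphs describe the mechanism at the heart of zero trust: every resource request is evaluated against context (OS version, location, client application, network trustworthiness), red flags raise a per-request risk score, the request is denied when the score exceeds what the resource's policy tolerates, and a successful request grants only the single resource asked for rather than network access. The following is an added illustration of that evaluation loop; it is not NetMotion's code nor the code of any SDP product, and the resource names, risk weights, thresholds and sample requests are all constructed for the example. Default-deny (no policy means no access) and the per-resource grant list are the two properties that stop the lateral movement the text warns about.

```python
"""Toy zero-trust policy engine: per-request risk scoring with least-privilege grants.
Constructed example; weights, thresholds and resource names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class AccessRequest:
    user: str
    resource: str                 # the single resource being requested
    app: str                      # client application making the request
    os_version: Tuple[int, int]   # (major, minor) reported by device posture
    location: str                 # country code reported by device posture
    network_trust: str            # "trusted", "unknown" or "hostile"


@dataclass
class ResourcePolicy:
    min_os_version: Tuple[int, int]
    allowed_locations: List[str]
    allowed_apps: List[str]
    max_risk: int                 # deny when the request's score exceeds this


# Constructed risk weights; unknown labels fall through to the hostile weight.
NETWORK_RISK = {"trusted": 0, "unknown": 30, "hostile": 100}


def score_request(req: AccessRequest, policy: ResourcePolicy) -> Tuple[int, List[str]]:
    """Return (risk score, red flags) for one request under one resource policy."""
    score, flags = 0, []
    if req.os_version < policy.min_os_version:
        score += 50
        flags.append("outdated OS %d.%d" % req.os_version)
    if req.location not in policy.allowed_locations:
        score += 40
        flags.append("location %s not allowed" % req.location)
    if req.app not in policy.allowed_apps:
        score += 40
        flags.append("app %s not approved" % req.app)
    net = NETWORK_RISK.get(req.network_trust, NETWORK_RISK["hostile"])
    score += net
    if net:
        flags.append("network trust: %s" % req.network_trust)
    return score, flags


def evaluate(req: AccessRequest, policies: Dict[str, ResourcePolicy]) -> dict:
    """Decide one request. Default-deny; an allow grants only the requested resource."""
    policy = policies.get(req.resource)
    if policy is None:
        return {"decision": "deny", "risk": None,
                "flags": ["no policy for resource"], "grant": []}
    score, flags = score_request(req, policy)
    if score > policy.max_risk:
        return {"decision": "deny", "risk": score, "flags": flags, "grant": []}
    # Least privilege: the grant names the one resource, never "the network".
    return {"decision": "allow", "risk": score, "flags": flags, "grant": [req.resource]}


def is_authorized(result: dict, target: str) -> bool:
    """Enforcement check a proxy would run before brokering a connection to `target`."""
    return result["decision"] == "allow" and target in result["grant"]


# Constructed policy table and sample requests.
POLICIES = {
    "hr-portal": ResourcePolicy((14, 2), ["US", "GB"], ["hr-client"], max_risk=30),
    "wiki": ResourcePolicy((13, 0), ["US", "GB", "DE"], ["browser"], max_risk=60),
}
REQ_OK = AccessRequest("alice", "hr-portal", "hr-client", (14, 4), "US", "trusted")
REQ_OLD_OS = AccessRequest("bob", "hr-portal", "hr-client", (13, 1), "GB", "unknown")
REQ_WIKI = AccessRequest("carol", "wiki", "browser", (14, 0), "DE", "unknown")
REQ_NO_POLICY = AccessRequest("dave", "finance-db", "sql-client", (14, 4), "US", "trusted")


if __name__ == "__main__":
    for req in (REQ_OK, REQ_OLD_OS, REQ_WIKI, REQ_NO_POLICY):
        res = evaluate(req, POLICIES)
        print(req.user, req.resource, res["decision"], res["risk"], res["flags"])
    # A grant for hr-portal never authorises a hop to another resource.
    print(is_authorized(evaluate(REQ_OK, POLICIES), "finance-db"))
```

Each request is judged on its own merits: bob's request is refused not because of who he is but because an outdated OS on an unknown network pushes the score past what the HR portal tolerates, while carol's request on the same kind of network is accepted for a lower-sensitivity resource. Real products add many more signals and usually offer step-up authentication between allow and deny, but the shape of the decision is the same.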
As pointed out in the Verizon Mobile Security Index 2020, a staggering 84% of enterprises today are increasing their reliance on the cloud. This is effectively putting legacy VPN technologies at a further disadvantage, since they were not designed to be used primarily by remote workers accessing remote resources.
While it’s true that the majority of organizations will continue to host at least a few applications on-premise for years to come, the shift toward a reliance on the cloud is undeniable. As a result, IT, network and security teams are finding that they need to work more closely together to ensure that they invest in the kinds of tools that provide greater visibility and control to wherever their employees and devices are at the edge of the network.
The writing is on the wall
With remote work not going away any time soon, the prospect for legacy VPNs looks bleak. It’s little wonder that the need for more secure, reliable remote access is pushing 80% of organizations today to seriously evaluate the merits of a zero trust solution. Where security is concerned, that change can’t come soon enough.