Considerations for securing a work-from-anywhere world
Fortinet
During the pandemic, moving to a work-from-home model required companies to move critical resources to the cloud, ensure employees have access to critical business applications, and secure communications between the home office and the corporate network. Now, instead of moving all employees back to corporate headquarters, many companies are moving to a work-from-anywhere (WFA) approach, with some employees working from home, others on-site, and still others spending some of their time at each location.
This new approach gives employees the flexibility they want and a better work-life balance, which increases productivity and job satisfaction. Companies also benefit from the logistical and financial advantages of reducing office overhead. However, adapting to this hybrid workforce also requires hybrid networks that balance security and ease of use.
Quality of experience and WFA
Quality of Experience (QoE) measures how satisfied employees are with their overall work experience. This includes easy and quick access to key resources, consistent availability of business-critical applications, and quality of service for voice and video conferencing.
However, maintaining QoE for a WFA workforce is challenging. It requires seamless access to business-critical applications and data both on-premises and in the cloud, regardless of where the user is accessing them from. Moreover, all of this must be done without compromising network security, which is a particular challenge given that home networks and remote devices are notoriously inadequately secured.
Three key IT pain points in WFA models
Ideally, access to enterprise applications and data should be seamless from any location, but remote connectivity often impacts the user experience and security posture. To address these issues, three key IT pain points need to be addressed.
1. Unpredictable experience
A common approach to maintaining security when handling remote traffic is to route and inspect all application and internet traffic through the organisation's data centre before it reaches its destination. However, this increases latency and wastes bandwidth compared to a direct connection. Such architectures can also be complex and expensive to operate, as the IT department has to individually configure and manage the routers in the branch offices and set up firewall policies.
For end users in the branch offices, QoE becomes inconsistent as backhauling of application traffic can affect application reliability. Home users are forced to access applications through a VPN tunnel to the corporate network, leading to even more unpredictability due to fluctuations in bandwidth capacity at home.
Even when companies allow direct access to cloud applications, challenges remain as the enhanced application experience comes at the expense of security. Home users also still need to use a VPN to access internal resources, resulting in an inconsistent overall experience.
2. Inconsistent policies
It is difficult for IT teams to ensure consistent policy enforcement across the network when different security systems are deployed on-premises, in the branch, in the cloud and in home offices. A general lack of visibility and control creates an environment in which threats readily slip through. In fact, threat researchers have recently noticed a shift in the behaviour of threat actors, who aim to exploit policy inconsistencies by targeting home or smaller branch offices rather than attacking traditional network devices. These malicious actors can access a device deployed on an inadequately secured network and use it to hijack a VPN connection back to corporate resources, rather than having to get past the organisation's commercial-grade security controls.
3. Implicit trust
Many organisations use an implicit trust model when granting access to applications. Those using a VPN connection are typically authenticated with a generic process that allows access to the entire network, assuming that any device connecting through a secure VPN tunnel is trusted. However, an attacker need only compromise a remote user's machine, identity or credentials to gain access to the entire network via this trusted VPN connection.
Overcoming WFA challenges with SD-WAN and ZTNA
When implementing a WFA model, organisations need to adapt their existing infrastructures and security models - traditional security and connectivity solutions are simply not up to the task. The good news is that the challenges described above can be overcome by using Secure SD-WAN and Zero Trust Network Access (ZTNA) solutions.
While SD-WAN is great for providing reliable connections to cloud-based applications, most SD-WAN solutions lack built-in security. In contrast, Secure SD-WAN combines advanced connectivity with enterprise-grade security on a purpose-built security platform and allows management from a single console that supports unified policy creation, deployment and enforcement. In addition, ZTNA provides user-specific access to specific applications, a far more secure approach than implicit trust. Every device, user and application can be seen and controlled, regardless of where the connection is made from. Together, solutions like Secure SD-WAN and ZTNA help organisations overcome the challenges and seize the opportunities that WFA offers.
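To make the difference between the implicit-trust VPN model of pain point 3 and the per-application ZTNA model concrete, here is an added illustration (not Fortinet's code or any product's API): the same compromised session is evaluated by both access models, and the set of reachable applications shows how much a single stolen credential or device yields under each. Users, devices and the policy table are constructed sample data.

```python
"""Added illustration: an implicit-trust VPN-style access check beside a
ZTNA-style per-application check. All users, devices and applications are
constructed sample data, not a real deployment."""
from dataclasses import dataclass

@dataclass
class Device:
    device_id: str
    managed: bool        # enrolled with the organisation's endpoint management
    edr_healthy: bool    # endpoint agent running and reporting a clean state

@dataclass
class Session:
    user: str
    device: Device
    mfa_passed: bool

# Constructed ZTNA policy: which users may reach which application and the
# minimum device posture required. Anything not listed here is unreachable.
ZTNA_POLICY = {
    "hr-portal":  {"users": {"alice"}, "require_managed": True},
    "wiki":       {"users": {"alice", "bob"}, "require_managed": False},
    "git-server": {"users": {"bob"}, "require_managed": True},
}

def vpn_implicit_trust(session: Session, app: str) -> bool:
    """Implicit-trust VPN: once the tunnel is authenticated, every
    application on the internal network is reachable."""
    return session.mfa_passed

def ztna_access(session: Session, app: str) -> bool:
    """ZTNA-style decision: identity, device posture and the specific
    application are all evaluated for each request; the default is deny."""
    rule = ZTNA_POLICY.get(app)
    if rule is None or not session.mfa_passed:
        return False
    if session.user not in rule["users"]:
        return False
    if rule["require_managed"] and not (session.device.managed and session.device.edr_healthy):
        return False
    return True

def blast_radius(check, session: Session) -> set:
    """Applications reachable from this session under the given access model."""
    return {app for app in ZTNA_POLICY if check(session, app)}

if __name__ == "__main__":
    # Scenario from the article: bob's credentials used from an unmanaged home device.
    stolen = Session("bob", Device("home-pc", managed=False, edr_healthy=False), mfa_passed=True)
    print("VPN :", sorted(blast_radius(vpn_implicit_trust, stolen)))  # every app
    print("ZTNA:", sorted(blast_radius(ztna_access, stolen)))         # only wiki
```

Under the VPN model the whole policy table is exposed to the compromised session; under ZTNA only the application that bob may use from an unmanaged device remains reachable, and the same bob on a healthy managed laptop gains git-server but still not hr-portal.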