Article by Bitglass CTO Anurag Kahol.
In our highly digitised world, the idea of commuting daily to a central office, to sit and work on a computer, has long felt like an outdated approach. Yet most businesses resisted the move to remote-based working models, usually citing productivity as the primary concern.
Of course, circumstances over the past few months have caused a rapid shift to having a remote workforce.
While many businesses now admit to being pleasantly surprised about the continued high levels of productivity following this shift, their former reluctance about doing so means they weren’t prepared for such a monumental and long-term change in working habits.
Consequently, they are scrambling to put infrastructure in place that enables productivity without compromising on security. With so many question marks over the road ahead, enterprises need a solution that allows flexibility to work in any environment, as they try to acclimatise to the ‘new normal.’
Since the beginning of the pandemic, IT teams have been revisiting their infrastructure and likely finding they need meaningful changes. Enabling zero trust remote work is an excellent way to bolster business security without significantly impeding worker productivity or system flexibility.
To work effectively, remote employees need unobstructed access to public cloud apps, the web, and internal applications from both company managed devices and unmanaged personal devices. At the same time, top security considerations for remote working include:
Identity and multi-factor authentication (MFA)
Robust identity management via single-sign-on and MFA is essential. Remote workers are subject to more significant risks from phishing attacks, and MFA is a critical second line of defence.
Robust access control & data loss prevention (DLP)
Access to corporate data must be controlled with respect to the context of the access, depending on the user, location, type of device, sensitivity of the data and compliance requirements. IT teams must enforce DLP policies contextually on content flowing into and out of applications.
Zero-day threat protection
Remote workers operate off the corporate network and are therefore subject to greater risks of hacking and malware. Protection from such threats is essential across all devices, networks, and applications.
All regulated businesses must acquire and maintain access logs for remote workers to satisfy compliance requirements.
The question is, how do organisations balance effectively the needs of employees with the measures required to keep sensitive data secure? Too stringent, and this will stifle productivity and flexibility – too lax, and the business risks attack.
Let’s consider security requirements in the context of the three key areas: public cloud apps, web access, and internal applications.
Access to public cloud applications
A typical business uses dozens of different public cloud applications such as Office 365, Salesforce, and Dropbox. While the application providers secure their infrastructure, the applications themselves are freely accessible to any user, on any device, from anywhere in the world. As such, it’s the responsibility of the organisation itself to secure any data it has within each app.
Many rely on the vendor to provide application controls. However, because each vendor optimises security differently, this approach creates disjointed security across applications which result in security gaps and major management headaches.
The nature of public cloud applications means teams should always enforce single sign-on (SSO) and MFA.
Access to applications must also be controlled by context (user group, location etc), with DLP policies used to manage the type of data that can be downloaded. Elsewhere, sensitive data should be identified and either blocked, masked, or encrypted upon upload–while all sessions should timeout when devices are left unattended.
From a threat perspective, reputable third-party end-point protection software must be installed on all managed devices, while uploads into cloud applications from unmanaged devices must be scanned for malware before transmission to the application.
Finally, all activity, whether from managed or unmanaged devices, should be logged for visibility, with logs retained as required for ongoing compliance.
Remote workers accessing the web from managed devices are exposed to all manner of threats and data leakage risks.
The traditional VPN approach is sufficient for a few users but becomes problematic as the number of users rises. This is due to the increased load on the VPN firewall, throttling performance and creating a significant bottleneck.
The best way to overcome this is by pushing processes to the edge and using direct-to-cloud connectivity with an elastic secure web gateway (SWG), capable of handling shifting load.
From an identity and MFA perspective, access to the SWG from managed devices must require authentication via corporate SSO. When it comes to access control and DLP, web browsing should be restricted to appropriate content, and policies should scan all uploads for sensitive data to enforce appropriate controls and blocking or logging all web transactions.
For effective zero-day threat protection, risky URLs should be blocked entirely, while downloads must be scanned for malware and blocked in real-time. Finally, as before, all activity should be logged and retained as required.
Every remote worker also needs access to applications within the corporate network. As mentioned, the traditional VPN approach is not a scalable or cost-effective approach that is becoming increasingly untenable with the rise of remote work.
Furthermore, VPN access from unmanaged devices is not feasible, presenting significant issues amongst workforces where bring your own device (BYOD) programmes are popular.
One of the best ways to overcome these limitations is through the use of Zero Trust Network Access (ZTNA).
After authentication via corporate SSO and MFA is acquired, access to corporate resources must be contextually granted based on user, group, application, location, type of device etc.
Additionally, to protect against zero-day threats, access should also be restricted to devices with up-to-date and reputable third-party endpoint protection software to scan file uploads and downloads. This will enable organisations to have real-time protection and stop zero-day threats.
With millions of workers around the world now getting used to the reality of full-time remote working, security teams must implement new solutions that provide the appropriate level of protection needed without stifling productivity or scalability in such an uncertain environment.