Over the past few months, driven by government mandates, working remotely has been made a top priority within organisations around the world, so it is a safe bet that you are reading this article in your home, where you have been living and working for many weeks now. We are all together in this as millions (perhaps even billions) of workers around the world became full-time remote workers overnight when country after country implemented lock-down.
Unfortunately, this has meant that organisations both large and small (and their employees) have experienced the limitations of “traditional” remote access solutions which are being exposed when put under the pressure of a growing “new normal” remote workforce.
What is wrong with VPNs for remote access?
When they were designed, VPNs were an intelligent method of tunnelling and securing traffic between employees and applications that were hosted within an organisation’s technology perimeter. But in 2020, 94 per cent of organisations now report using cloud services and applications, and traditional remote access solutions are failing because they were not designed for cloud. Worryingly, because the logical workflow of a VPN doesn’t handle cloud well, technology teams are using workarounds and ad hoc routing to enable remote access.
New research from Cybersecurity Insiders (CSI) found that 39 per cent of organisations were completely unable to deploy their preferred remote VPN appliance in public cloud environments. Because of this, the most common workaround mentioned by survey participants was “hairpinning” remote workers through data centres to access public clouds (47 per cent). This has a serious impact on employee experience, but perhaps even more alarmingly 31 per cent of respondents said that they publicly expose cloud apps in order to enable remote worker access.
There is always a tension between the need for security and the requirement for ease of access to enable high productivity. But right now, with almost all businesses operating with dispersed remote employees, security diligence is often losing out in the negotiations in favour of fast adoption. If nearly a third of organisations are knowingly publicly exposing cloud applications on the internet, it introduces additional risk to the organisation that may come back to impact them.
Be untrusting but supportive
Zero Trust is the principle of not trusting anything, either within or without the organisation’s perimeter, without first verifying anything and everything trying to connect. If you cast your mind back to a time when we all used to commute to an office to work… did you grant someone access to every floor, office, meeting room and broom cupboard just because they got past the reception desk checks? You didn’t. The more intelligent office buildings only allowed people physical access to the areas that they needed to go to, and Zero Trust Network Access (ZTNA) works the same way.
With ZTNA, essentially you grant conditional access to data and systems, on the basis of “least privilege”. This is a hugely appealing approach for most organisations. In the CSI research, almost 90 per cent of organisations acknowledged that employees currently have access privileges beyond what they require, and over-privileged access is the top concern relating to security access for 62 per cent of organisations.
Data security is the primary motivation for IT and security teams looking to implement a Zero Trust programme. ZTNA lowers the risk that malicious insiders or cybercriminals with stolen credentials will gain remote access to an organisation’s networks, applications and data – whether in public or private clouds, or even private data centres. When delivered in the cloud using a high-capacity global network infrastructure, ZTNA can also enable remote access that scales to meet the needs of any dramatic increase in remote working requirements, without slowing access times or routing traffic unnecessarily.
ZTNA becomes increasingly logical for organisations making use of either the public or private cloud. Almost half (45 per cent) of respondents to the CSI survey said that ensuring remote access to private applications hosted in public cloud (such as AWS, Azure or GCP) was a security priority, and even more (65 per cent) said that accessing applications deployed in public cloud environments was their biggest headache.
In the age of cloud, private networks have become the exception not the norm, so it stands to reason that a Virtual Private Network is not the logical approach to take when enabling remote workers. CSI’s research - published before the pandemic ramped up the pressure - revealed that 72 per cent of organisations plan to assess or implement Zero Trust capabilities in 2020. It will be very interesting to see what the actual number is at the end of this year.
ZTNA overcomes the challenges of traditional remote access VPNs, and can be consolidated with other cloud-based security capabilities such as Secure Web Gateway (SWG) and Cloud Access Security Broker (CASB) for those organisations on a journey towards the Secure Access Service Edge (SASE) infrastructure recommended by Gartner. Hearteningly, 77 per cent of CSI survey respondents understood the value of consolidating ZTNA with other cloud-based security services and 78 per cent have plans to adopt cloud-based ZTNA over the next 18 months. It will be interesting to see how actual adoption rates compare to these intention figures, in light of the rigorous test that traditional remote access technologies are currently being subjected to.
The CSI research revealed that 72 per cent of organisations plan to assess or implement Zero Trust capabilities in 2020. The data was undoubtedly gathered before all our priorities shifted due to the global outbreak of Covid-19, but there is little doubt that one application of Zero Trust will stay high on the agenda of IT and security departments during and after the current international crisis, and that’s Zero Trust Network Access (ZTNA).
Post-pandemic, organisations will continue to offer their workforces the freedoms and flexibility in how they work and remote working will outweigh the number of office-based workers for many organisations. This tipping point will be a catalyst for the era of Zero Trust Network Access (ZTNA) whereby we move away from a network IP connectivity model to be more focused on connecting our employees directly and securely to applications and infrastructure (cloud and on-prem legacy).
Neil Thacker, CISO EMEA, Netskope