Securing remote work: Seven requirements for choosing a work-from-anywhere approach
Prioritize secure access, identity access management, fast user experience, rapid deployment, visibility, cyber threat protection, and data protection
This week marks the release of Zscaler's new book, "Securing Remote Work - Safeguarding Business Continuity with Zscaler". The book outlines seven considerations for enabling an enterprise work-from-anywhere (WFA) model. In this article, I apply those criteria to WFA architectures.
Before the coronavirus outbreak, few IT leaders had planned for a contingency in which the entire workforce works remotely. Most enterprises provide remote-access capabilities for a defined business reason, and to only some 20% of employees: traveling sales leads, on-site consultants, and other road warriors.
Now, IT leaders must pivot to enable secure remote access for the other 80%. Those that prioritize seven considerations -- secure access to applications, identity access management, fast user experience, rapid deployment, visibility and troubleshooting, cyber threat protection, and data protection -- can preserve business continuity without further impact to operations.
The legacy challenge: Scale the unscalable
That pivot to 100% remote access -- an operational mandate -- has illuminated the security limitations and operational inflexibility of legacy hub-and-spoke network architectures. Perimeter-enforced security follows a basic mantra: inside the network = safe, outside the network = untrusted. Remote access is an exception, manageable in small volume via VPNs and hardware gateways.
But what happens when the status-quo model must accommodate five times more remote traffic? Connectivity breaks down. VPNs are an effective control mechanism, designed to narrow access, not broaden it. Add remote users, and new network traffic competes for bandwidth, producing contention and latency. Traffic backs up behind the corporate security stack: Picture ten lanes of rush-hour traffic filtering through a single tollbooth, or rather, seven or eight sequential tollbooths, with traffic alternating in two directions.
It’s difficult enough to secure connectivity for a network of subsidiaries. Now every employee potentially represents a “branch office of one.” Legacy connectivity designed to accommodate some can’t easily scale to accommodate all. Leaving that traffic unsecured is not an option: the last thing enterprises need is employees bypassing corporate security to connect directly to the internet.
WFA: Virtual hardware or cloud?
Trying to add VPN hardware to meet the demands of a 100% suddenly-remote workforce is a non-starter: It weakens threat posture, isn’t cost-effective, is slow to deploy, and is difficult to manage. To expand and secure work-from-anywhere (WFA) access, IT leaders can buy “instances” of virtual hardware in the cloud or adopt a cloud-based secure access service edge (SASE) model.
In the first approach, legacy firewall/VPN hardware is deployed as virtual machines in the cloud. An enterprise purchases “virtualized-hardware” instances and sends user traffic to a specific cloud or data-center destination for security processing. This is an indirect, “destination-based” model: user traffic first travels to the VPN gateway in the public cloud, is inspected there, and only then continues to its intended destination, whether in the data center or in the cloud.
In a SASE environment, an enterprise’s remote users connect via local internet breakouts. Like the virtual instance example, security is in the cloud, but the enterprise doesn’t manage the destination: The SASE service is highly-distributed at the cloud edge, near to each individual user. (Compare connecting to Salesforce vs. a single self-managed VM.)
To choose one of these WFA approaches, IT leaders must consider seven criteria: secure access to applications, identity access management, fast user experience, rapid deployment, visibility and troubleshooting, cyber threat protection, and data protection.
1. Secure Access to Applications: Does the solution secure remote traffic? Minimize threat exposure?
Remote employees must be able to access the applications (internal or external) required to get their jobs done.
Doing this in a virtualized-hardware environment can introduce risk by extending the threat surface. Unless the client maintains an encrypted tunnel to the virtual gateway, traffic is protected only after it reaches security processing and is exposed on the way there; even inside a tunnel, nothing inspects the traffic until it arrives, and the farther that gateway is from the user, the more networks the traffic crosses before any policy is applied.
In a SASE environment, a remote user connects via local internet breakout directly to the destination, wherever it may be. Security-processing is inline and proximate, data routing is optimized, and data travel is minimized. Unlike with physical and virtual hardware, SASE places cybersecurity readiness in the hands of a provider with global reach, instant response capability, world-class NOC, and dedicated security researchers.
2. Identity Access Management: On the device? Or in the cloud?
On-premises or remote, employee access must still be governed: only authorized employees should be able to access corporate resources.
Virtual-hardware security models typically rely on endpoint security managed at the device level: client software validates the device (and notably, not necessarily the user) for access. This is a “thick-client” model, with endpoint software requiring administration, patching, and constant monitoring. Though such “heavy-endpoint” approaches can be supplemented with secondary controls, they are generally less secure, since the resulting authorization is tied to a device or IP address rather than to a verified user identity: whoever holds the device, or arrives from the trusted address, inherits its access. They also require considerable administration: more endpoints = more overhead.
A SASE architecture employs “federated” identity management, with authorization performed inline but dissociated from hardware. Typically delivered by a centralized, cloud-based identity and access management (IAM) solution, federated identity authorization is tied to the user’s verified identity rather than to a device, with little-to-no endpoint impact. That also gives IT an audit trail of which users access which applications, and when.
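To make the contrast between device/IP-bound and identity-bound authorization concrete, here is an added illustration; it is not Zscaler code and not any vendor's API. It models a legacy gateway that trusts whatever arrives from a known address against an inline policy point that trusts a user only because a central IdP vouched for them and then records who reached which application, and when. The IdP assertion is a simplified, constructed stand-in (HMAC-signed JSON) for a real SAML/OIDC token; every name, key, address and policy rule below is hypothetical.

```python
"""Identity-bound vs. device/IP-bound authorization.

Added illustration for the IAM section above; this is not Zscaler code.
The IdP assertion is a constructed stand-in (HMAC-signed JSON) for a real
SAML/OIDC token, and every name, key and policy below is hypothetical.
"""
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Legacy model: authorization is keyed on where the request comes from.
# Anything behind the trusted address (the VPN concentrator's egress, say)
# inherits full access, whoever is actually on the device.
LEGACY_TRUSTED_SOURCES = {"203.0.113.10"}  # constructed RFC 5737 address


def legacy_decide(src_ip: str, app: str) -> bool:
    """Allow if the source IP is trusted; the user is never established."""
    return src_ip in LEGACY_TRUSTED_SOURCES


# Identity model: the decision is keyed on a verified user and their groups.
IDP_SIGNING_KEY = b"constructed-idp-key-not-for-real-use"

APP_POLICY: Dict[str, set] = {  # app -> groups permitted to reach it (hypothetical)
    "payroll": {"finance"},
    "wiki": {"finance", "engineering", "sales"},
}


def idp_issue(user: str, groups: List[str], ttl_s: int = 3600, now: Optional[float] = None) -> str:
    """Mint a signed assertion; stands in for the IdP's SAML/OIDC response."""
    now = time.time() if now is None else now
    payload = json.dumps({"sub": user, "groups": groups, "exp": now + ttl_s}, sort_keys=True)
    sig = hmac.new(IDP_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "." + sig


def verify_assertion(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the claims if the signature and expiry check out, else None."""
    now = time.time() if now is None else now
    payload, _, sig = token.rpartition(".")  # the hex signature never contains '.'
    expected = hmac.new(IDP_SIGNING_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims["exp"] < now:
        return None
    return claims


@dataclass
class PolicyPoint:
    """Inline authorization: decides per user and app, records who/what/when."""
    audit: List[dict] = field(default_factory=list)

    def decide(self, token: Optional[str], app: str, src_ip: str, now: Optional[float] = None) -> bool:
        claims = verify_assertion(token, now) if token else None
        user = claims["sub"] if claims else None
        # The source address is logged for forensics but plays no part in the decision:
        # a valid user is allowed from home, a hotel or the office alike, and an
        # unauthenticated request from the trusted address is refused.
        allowed = bool(claims) and bool(APP_POLICY.get(app, set()) & set(claims["groups"]))
        self.audit.append({"ts": now, "user": user, "app": app, "src_ip": src_ip, "allowed": allowed})
        return allowed


if __name__ == "__main__":
    pp = PolicyPoint()
    t0 = 1_700_000_000
    alice = idp_issue("alice", ["finance"], now=t0)
    print("legacy, trusted IP, unknown user:", legacy_decide("203.0.113.10", "payroll"))  # True
    print("identity, home IP, alice -> payroll:", pp.decide(alice, "payroll", "198.51.100.7", now=t0 + 60))  # True
    print("identity, trusted IP, no assertion:", pp.decide(None, "payroll", "203.0.113.10", now=t0 + 60))  # False
    for entry in pp.audit:
        print(entry)
```

The two models diverge exactly where the section says they do: the legacy gateway admits an unknown user on a trusted address and rejects a legitimate user on an unfamiliar one, while the policy point decides on the signed identity alone and leaves a per-user, per-application audit record behind. In production the assertion check would be a real SAML or OIDC validation against the IdP's published keys rather than a shared HMAC key.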
3. Fast User Experience: How important is productivity? (Very.)
Working from home is still working, and remote access shouldn’t come with performance tradeoffs.
Scaling remote access with virtual hardware reinforces an inconvenient truth: Destination-based security delivers a poor user experience. Data travels from remote client to far-away security gateway, through a single-file-processing security stack, then finally out to destination. (The convoluted journey is reversed when data returns.) Performance can never be as fast as direct connectivity. That’s especially an issue with SaaS applications: Microsoft recommends direct connectivity for Office 365. Even the U.S. Department of Homeland Security has weighed in on the matter.
In a cloud-distributed SASE environment, performance is faster because data travel is minimized. For example, a remote user in Florida would connect directly to the internet via a nearby onramp after local security-processing. In a legacy environment, that same remote user’s data would first travel to HQ (say, New York) for security-processing before then egressing the corporate network to the internet or cloud.
4. Rapid Deployment: How fast to 100% WFA?
Downtime costs a company money. When on-premise network access isn’t an option, IT teams must be able to deploy work-from-anywhere access fast.
With virtualized hardware, moving from 20% to 100% remote access requires a fivefold increase in virtual instances of security stacks. (In that way, its capacity management model mirrors the complexity of a hardware-based VPN approach. But at least it doesn’t require procurement through a pinched supply chain, with all the subsequent difficulties that can bring.)
The SASE model can be deployed more rapidly: There’s no physical hardware to order, configure, or maintain. Access is simpler (and direct), administrative oversight is easier (with centralized policy management), and a thin-client endpoint means no time-consuming device configuration.
5. Visibility and Troubleshooting
Securing access to corporate resources -- whether that access is delivered remotely or on-premises -- requires comprehensive visibility. (That’s about more than real-time monitoring: IT must have enough visibility to troubleshoot.)
Virtual hardware solutions offer some visibility. Like their physical counterparts, virtual security appliances can inspect data, but not necessarily at a scale that includes high-bandwidth traffic (like video) or TLS-encrypted sessions. And there are blind spots for IT oversight: traffic that travels over the open internet before reaching a distant security destination is invisible to monitoring until it arrives, and traffic that bypasses the gateway altogether is never seen.
SASE offers comprehensive visibility, with dynamic, transparent monitoring of data, users, and applications. Since users connect directly to inline proxies before going on the open internet, every user cloud or internet activity can be monitored in real time.
6. Cyber Threat Protection
In legacy firewall/VPN-deployed-as-a-virtual-machine security models, work happens outside security visibility. When users must send their data to a far-away virtual-hardware security location, nothing inspects that traffic until it arrives, and any traffic that falls outside the tunnel (split-tunneled, or sent directly because the VPN is slow) crosses numerous hops of open, unsecured internet with no protection at all.
Contrast that with an inline-proxy-based security model. Security is proximate, minimizing the distance traffic travels before inspection and effectively closing the metaphorical drawbridge. With security delivered as a service, threat response is centralized and communal: a threat identified for one user is blocked for all users. That both improves security and reduces endpoint-protection administration.
7. Data Protection
Corporate data lives in multiple locations: on client devices, in corporate-controlled data centers, in the cloud.
In a virtual-hardware example, data in a corporate data center is within the secured perimeter, and is arguably safe...at least until someone breaches the network. Data on a client is technically secure...as long as the user never exposes it to the open internet by connecting to, say, a public wi-fi network. As for data stored in the cloud, it may be guarded by passwords and authentication, but once it is in transit to a client device over connectivity the enterprise doesn’t control, no corporate policy is applied to it. And with most of the network distance traveled before data is processed for security, corporate data is exposed to interception along the way.
A SASE-compliant architecture minimizes unsecured data travel: Security-processing is performed before anything else, with data secured before it moves across the open internet. Just as importantly, that data traffic is visible to IT oversight, illuminating (and with remediation, ultimately eliminating) risky shadow-IT activities.
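The practical payoff of sections 5 and 7, that every session crosses an inline proxy and can therefore be reviewed, is easiest to see on a log. The following is an added example, not Zscaler code and not any vendor's log format: it parses constructed proxy records and answers "who reached which application, and when", lists destinations that were allowed but never sanctioned (shadow IT), and flags large uploads to those destinations. The sanctioned-application list, hostnames, users and addresses are all hypothetical.

```python
"""Shadow-IT and data-movement review over inline-proxy logs.

Added example for the visibility (5) and data protection (7) sections above;
it is not Zscaler code and does not use any vendor's log format. The log
lines are constructed. Each line carries: ISO-8601 timestamp, user, source
IP, destination host, HTTP method, bytes sent by the client, proxy action.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Hypothetical allow-list of applications IT has sanctioned.
SANCTIONED_APPS: Dict[str, str] = {
    "mail.corp.example": "email",
    "files.corp.example": "file storage",
    "crm.corp.example": "CRM",
}

# Constructed sample log (not real traffic).
SAMPLE_LOG = """\
2020-04-20T09:01:12Z alice 198.51.100.7 mail.corp.example GET 512 allow
2020-04-20T09:03:40Z alice 198.51.100.7 files.corp.example PUT 2048000 allow
2020-04-20T09:05:02Z bob 203.0.113.45 share.unsanctioned.example PUT 52428800 allow
2020-04-20T09:06:15Z bob 203.0.113.45 mail.corp.example GET 1024 allow
2020-04-20T09:07:30Z carol 192.0.2.9 paste.unsanctioned.example POST 300000 allow
2020-04-20T09:08:01Z carol 192.0.2.9 files.corp.example GET 4096 allow
2020-04-20T09:09:44Z carol 192.0.2.9 malware.blocked.example GET 0 block
"""

FIELDS = ("ts", "user", "src_ip", "host", "method", "bytes_out", "action")


def parse_log(text: str) -> List[dict]:
    """Split whitespace-delimited lines into records; skip blank or malformed lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # a real pipeline would count these rather than drop them silently
        rec = dict(zip(FIELDS, parts))
        rec["bytes_out"] = int(rec["bytes_out"])
        events.append(rec)
    return events


def access_matrix(events: List[dict]) -> Dict[str, Dict[str, Tuple[int, str, str]]]:
    """Per user, per host: (request count, first seen, last seen)."""
    matrix: Dict[str, Dict[str, Tuple[int, str, str]]] = defaultdict(dict)
    for e in sorted(events, key=lambda r: r["ts"]):
        count, first, _ = matrix[e["user"]].get(e["host"], (0, e["ts"], e["ts"]))
        matrix[e["user"]][e["host"]] = (count + 1, first, e["ts"])
    return dict(matrix)


def shadow_it(events: List[dict]) -> Dict[str, Set[str]]:
    """Destinations the proxy allowed that are not on the sanctioned list -> users."""
    found: Dict[str, Set[str]] = defaultdict(set)
    for e in events:
        if e["action"] == "allow" and e["host"] not in SANCTIONED_APPS:
            found[e["host"]].add(e["user"])
    return dict(found)


def risky_uploads(events: List[dict], threshold_bytes: int = 1 << 20) -> List[Tuple[str, str, int]]:
    """Uploads at or above the threshold to unsanctioned destinations, largest first."""
    hits = [
        (e["user"], e["host"], e["bytes_out"])
        for e in events
        if e["action"] == "allow"
        and e["method"] in ("PUT", "POST")
        and e["host"] not in SANCTIONED_APPS
        and e["bytes_out"] >= threshold_bytes
    ]
    return sorted(hits, key=lambda h: h[2], reverse=True)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, hosts in access_matrix(evs).items():
        print(user, hosts)
    print("shadow IT:", shadow_it(evs))
    print("risky uploads:", risky_uploads(evs))
```

Note what the example does and does not catch: a 50 MB upload to an unsanctioned share is flagged while a larger upload to the sanctioned file service is not, and a destination the proxy already blocked is neither shadow IT nor a data-movement finding. That distinction only exists because the proxy saw every session; traffic that went direct to the internet would produce no record at all.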
For WFA agility, go with the cloud.
The COVID-19 outbreak has challenged enterprises’ ability to pivot to fully-remote access. Perseverance through a crisis takes agility, scalability, flexibility, and an enterprise mindset to look beyond legacy systems.
Both legacy firewall/VPN-deployed-as-virtual-machines and SASE models can secure remote access and (eventually) get an enterprise to 100% WFA. There are pros and cons to weigh for each -- including control, familiarity, and change dynamics. But to choose, IT enterprise leaders must prioritize secure access to applications, identity access management, fast user experience, rapid deployment, visibility and troubleshooting, cyber threat protection, and data protection.
When it comes to securing a work-from-anywhere workforce, a destination-based, virtualized hardware approach replicates the performance limitations, security vulnerabilities, and cost-inefficiencies of physical VPN hardware. The SASE model is agile, secure, and efficient. Cloud-native SASE is the model for progressive enterprises to safeguard remote workers and businesses.
In a crisis, it’s often time-to-implement that must take precedence: how long can your enterprise remain offline, anyway?
To learn more about enterprise WFA agility and how organizations like NOV, Takeda Pharmaceuticals, National Australia Bank, and DB Schenker are accelerating digital transformation to achieve it, read "Securing Remote Work - Safeguarding Business Continuity with Zscaler". In addition, check out the book’s accompanying infographic for insight on the state of enterprise WFA agility.
Regional Sales Engineer-MENA at Forcepoint (4 years ago): Excellent article on secure Work from Anywhere considerations!
CIO | Board & Strategic Advisor | Digital Transformation (4 years ago): Very insightful article Jay!