Business requirements, distributed operations and cloud deployments are forcing organizations to rethink remote access requirements including how resources and applications are delivered and managed. Virtual private networks (VPNs) have traditionally been used to meet these needs, but many organizations are facing 21st-century real-world problems using a 20-year-old technology. The question is: Can traditional approaches to providing remote access match the current landscape of today’s workforce model?
Simply stated, with a move to a more distributed and mobile workforce, as well as more dependency on cloud-based platforms, we now face a growing need to provide secure access to these internal resources from beyond the traditional corporate borders. The time has come to take a look at how access should be provided in this new paradigm.
The outside-in enterprise
The network perimeter was conceived and designed long ago, when network architectures were simpler than today’s complex designs. Back then, the majority of network users were “inside” the enterprise, both physically and logically. Network access was straightforward since everyone had to be on the local area network (LAN). Remote VPN users were a small minority. In this environment, firewalls and the early security appliances did an adequate job of policing the modest amount of inbound traffic coming through the perimeter.
But today, things are different. Organizations are opening up their network and computing resources to partners, contractors and other third parties at unprecedented rates. The result is that most users access enterprise networks from the “outside.” This new normal, the outside-in enterprise, is driven by globalization, mobility and collaboration requirements brought on by the rise of the cloud and the increase in third-party (contractor and supplier) users.
A new access model
As business and operating models evolve, a new method to provide access is paramount. But how do we define that? Here are three ideas for a new model.
1. Least-privilege access
This model translates to providing users with the lowest level of user rights they can have and still do their jobs. Today’s VPN solutions are typically configured to grant access to the whole network even when only a subset of resources is required, because providing one-to-one access takes considerably more effort. Since pivoting to a higher-value resource is part of every attacker’s plan, it seems reasonable to mitigate that risk by removing the ability to access the network as a whole.
As an added bonus, if network access is no longer required to serve resources, the need to manage inbound network connections should also be eliminated, ultimately saving time and reducing complexity.
This new model should extend the concept of “least privilege” beyond application or server components and now include the underlying network itself. Delivering access to internal resources can no longer include broader access to the networks (or subnets) where these resources lie; rather, it should be able to effectively broker the appropriate access to only what is required, while removing the overall risk of exposure to external threats.
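As an added example that is not part of the article, the following Python models the two grant styles contrasted above: a VPN-style route to a subnet versus a brokered entitlement to one named resource. The four-host inventory and the contractor scenario are constructed; the code computes how many resources each grant exposes beyond what the user actually needs.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample inventory of internal resources (hypothetical hosts).
INVENTORY = {
    "hr-portal":  "10.0.1.10",
    "payroll-db": "10.0.1.20",
    "git-server": "10.0.1.30",
    "domain-ctl": "10.0.1.40",
}


@dataclass(frozen=True)
class NetworkGrant:
    """Traditional VPN-style grant: a route to an entire subnet."""
    subnet: str

    def permits(self, resource: str) -> bool:
        # Anything whose address falls inside the routed subnet is reachable.
        ip = ipaddress.ip_address(INVENTORY[resource])
        return ip in ipaddress.ip_network(self.subnet)


@dataclass(frozen=True)
class ResourceGrant:
    """Brokered grant: an entitlement to exactly one named application."""
    resource: str

    def permits(self, resource: str) -> bool:
        return resource == self.resource


def reachable(grants, inventory=INVENTORY):
    """Return the set of inventory resources that at least one grant permits."""
    return {r for r in inventory if any(g.permits(r) for g in grants)}


def exposure(grants, needed, inventory=INVENTORY):
    """Resources reachable but not needed: the pivot surface least privilege removes."""
    return reachable(grants, inventory) - set(needed)


if __name__ == "__main__":
    # A contractor only needs the HR portal.
    needed = {"hr-portal"}
    vpn = [NetworkGrant("10.0.1.0/24")]
    broker = [ResourceGrant("hr-portal")]
    print("VPN subnet grant exposes:", sorted(exposure(vpn, needed)))
    print("Brokered grant exposes:", sorted(exposure(broker, needed)))
```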
2. Device management
Today’s enterprises are no longer made up of devices that are 1) fully known and 2) fully controlled. With bring your own device (BYOD), working from home (WFH) and other mobility programs, we’re left with a diverse blend of device platforms in various states of configuration and security. Trying to manage the security posture of these devices on a continual basis is difficult and extremely time-consuming.
Mobile device management (MDM), device certificates (X.509), device profiling and other network access control (NAC)-type validations can provide some assurance. But considering that these checks largely gauge posture at a single point in time, there is no guarantee that the device will remain in that state on an ongoing basis.
In a new model, the concept of “never trust” should be applied to any and all enterprise resources, including the devices used to access internal resources. This differs from some of the more recent zero-trust or software-defined perimeter concepts, where posture is evaluated at multiple junctures throughout a session: never trust is based on reducing risk by eliminating the exposure of lower-level device operations altogether. The result is that potential threats are effectively isolated to the device itself, while access is provided in a secure sandbox, which also supports a more device-agnostic approach.
3. Service-based access control
Operating environments are becoming more and more distributed. Whether the architecture consists of multiple data centers or cloud implementations, a fair amount of effort is required to achieve some sense of commonality between these distributed locations so they operate effectively. While it is technically possible to centralize these traditional access methods in a single location, provided you have interconnectivity between sites, the more common approach is to deploy solutions on a site-by-site basis, both to avoid latency and as part of an overall disaster recovery and business continuity strategy.
When you factor in the proprietary operating parameters of today’s cloud implementations (i.e., AWS, Azure, GCP, etc.), the complexity and uniqueness of each access implementation increase drastically. Having to manage disparate configurations can lead to oversights in access provisioning (and, equally important, de-provisioning), introducing unnecessary risk to the organization.
In a new model, access solutions should be flexible enough to not only operate ubiquitously across all platforms but also maintain governance, standardization and reporting from a single management pane. This ensures centralized policy enforcement and better visibility across the entire enterprise.
Moving these processes to a service-based (or cloud) model allows for a simplified, yet standardized mechanism to ensure access can be provided anywhere and at the moment it is needed, while maintaining the necessary level of security required to protect enterprise resources regardless of where they may be located.
New distributed workforce models are quickly becoming the norm. Programs such as telecommuting, BYOD and other mobility efforts are forcing IT to re-evaluate how it provides access to internal resources so that business operations continue to function effectively. Given these workforce changes and the en masse migration to cloud models, applying traditional methods of access is proving more costly, more complex and generally riskier. To provide secure access in this new paradigm, we must move away from what is known and explore new concepts that factor in the “new normal” for how access is provided in the outside-in enterprise.
Mark Carrizosa is VP security and CISO at Soha Systems. Before joining Soha in 2015, he was principal security architect at Walmart, where he developed and implemented the company’s global e-commerce security architecture framework. Prior to Walmart, he was operational risk consultant at Wells Fargo, where he analyzed the company’s infrastructure and application compliance to improve the security risk posture of both customer-facing and internal systems. He can be reached via email at Mark@soha.io.