BrandPost: Extending Security to Remote Users Requires a Blended Fabric Strategy
Living in an untethered digital world is now the new normal, where millions of people now work, shop, and socialize remotely, from any location on any device. And they expect to be able to do so long after the Covid-19 pandemic is over. According to one survey, ninety-six percent of remote workers want to either continue working remotely full-time or want to return to a hybrid remote/office work environment post-pandemic. In fact, a recent online survey reported that twenty-nine percent of working professionals say they would quit their jobs if they are required to return to the office.
And it’s not just remote workers who feel this way. According to research conducted by Gartner, eighty percent of company leaders plan to allow employees to work remotely at least part of the time after the pandemic. This sentiment was confirmed in a separate PwC survey, which reported that seventy-eight percent of CEOs believe that remote collaboration is here to stay.
While this may be good news for most workers, it has been a nightmare for IT teams. Of course, the move to a remote workforce had been underway since the Great Recession of 2008, so this trend seemed inevitable. But the Covid-19 pandemic accelerated the transition, forcing organizations to rapidly and radically transform their networks so the majority of employees who used to work inside the network could now connect to critical resources from outside the traditional perimeter.
Security lags behind network transformation
However, even more impacted than infrastructure has been security. Currently, millions of workers—all of whom used to do their jobs safely tucked behind high-end, enterprise-class security systems—are now tethered to the corporate network and cloud applications with little more than a VPN connection. And cybercriminals have been quick to respond. According to a recent global threat report, the top cyber targets beginning in March of 2020 were no longer corporate devices and applications but things like consumer-grade routers and DVRs usually attached to home networks that are notoriously unpatched and under xsecured. Cybercriminals targeting vulnerable home devices have been able to successfully use them to hitch a ride on VPN connections back to the corporate network, which has played a significant role in the seven-fold increase in ransomware we have seen
As a result, organizations have been scrambling to find ways to extend better security to their remote workers. The challenge is that they need a security solution that can work consistently across the wide variety of endpoint devices used by remote workers—across a growing number of network edges, such as data centers and branch offices and cloud-based platforms and services.
The traditional point products relied on in the past simply do not provide the visibility, control, and simplified management needed to protect today’s dynamic and highly distributed environments. They are either prohibitively expensive or too complex to roll out across thousands of remote workers. They also add multiple layers of complexity—including deployment, management, enforcement, orchestration, and configuration—that can quickly overwhelm an IT team. And the lack of interoperability between solutions can create security gaps that cyber adversaries can exploit.
SASE is an excellent first step
Instead, organizations are looking to the cloud to provide a solution. New secure access service edge (SASE) solutions offer a way for organizations to seamlessly connect users, devices, and network edges regardless of where they are located while delivering consistent, centralized security. However, SASE alone does not necessarily solve all of the challenges today’s organizations face.
The first step is to ensure that the security being provided by a SASE vendor meets enterprise-grade levels of protection. There are many ways to do this. First, check to see if the vendor has experience as a security developer. Next, check to see if their solution has been evaluated by third-party testing organizations. And finally, look for independent reviews by actual customers, especially those in your same industry or with a similar use case.
Next, it is essential to realize that very few organizations have an end-to-end cloud environment. Because SASE solutions only provide protection up to the edge of the network, data and policies will need to be handed off to whatever security solutions the rest of the network. This point is crucial because even slight differences in things like policy enforcement can create a gap or vulnerability that can be exploited.
Connecting SASE to the network
There are three things to consider for mitigating the risks of any exchange between a cloud-based SASE service and the network.
The first is to ensure that the security solution protecting the destination network—whether a physical, virtual, or cloud platform, and/or endpoint device—is identical to those used by the SASE vendor. Creating a common, integrated security fabric will ensure a seamless handoff of protocols, enabling security to follow the data wherever it needs to go.
Next, an effective SASE solution should also seamlessly interoperate with whatever networking technology is at the network edge, whether a wireless controller, switch, or SD-WAN device. A combined approach that weaves security and networking into a unified solution, otherwise known as security-driven networking, ensures that things like user experience and security are maintained even when connections are swapped out or become unstable. Where possible, combining SASE with a Secure SD-WAN solution provides advanced connectivity with end-to-end security for optimal user experience.
Finally, there should be an additional layer of security implemented at the network edge. Implementing zero-trustand zero-trust network access policies help set the right policies for network and application access. A zero trust strategy restricts users, devices, and applications to only those resources that they have been assigned by policy and nothing else. And a zero-trust network access strategy should work with a SASE solution to ensure that users can quickly and securely connect to any application, whether on-premises or in the cloud.
Don’t forget endpoint devices
While connecting users directly to applications using SASE is an excellent solution, those endpoint devices should also have advanced security installed, such as endpoint detection and response (EDR). And that endpoint security should be able to detect and mitigate threats on the device and interoperate as part of the larger enterprise security fabric, regardless of where a user is connecting from and without any additional management overhead. This means that the security deployed in the SASE solution and at your network edges should also recognize and work with your endpoint security solutions. Such an integrated fabric-based approach ensures maximum visibility and consistent policy distribution, orchestration, and enforcement across the network.
SASE should be part of a unified security strategy
The goal should be to replace a traditional piecemeal approach with a unified, holistic solution that blends cloud-based solutions such as SASE with a more extensive security fabric. Such a strategy enables critical functions, such as application identification, encrypted traffic inspection, and multi-path steering across hybrid connected systems, to ensure that security can follow data, workflows, transactions, and applications from end to end. This way, no matter how much your network expands, changes, or evolves, security is always along for the ride.
Learn more about how SASE is the future of security and networking. From SD-WAN, ZTNA, CASB, and NGFW, the Fortinet platform provides complete readiness for embracing SASE.