Secure the Remote Workforce: Deploying Zero Trust Access

Deploying Zero Trust Access

The global pandemic has forced knowledge workers to move out of their offices en masse to the isolated environment of their homes. Most will return to the office at some point, even if only part-time, as companies adjust to social distancing measures meant to keep employees safe. Global Workplace Analytics estimates that 25-30% of the workforce will be working from home multiple days a week by the end of 2021. Others may never return to an official office, opting to remain a work-from-home (WFH) employee for good.

The suddenness of having to turn so many people into remote workers has put a real strain on network security. There was little, if any, time to develop and execute a secure remote access strategy that provides the same level of security protections that workers have in the office. This has introduced a range of cybersecurity risks and challenges, and a need for real Zero Trust Access solutions regardless of where people work.

Security Is Often a Weak Link of Remote Access

In April 2020, just as millions of office workers began their foray into WFH practices, Cato conducted the “Enterprise Readiness to Support Widespread Work-from-Anywhere” survey pertaining to enterprise readiness to facilitate remote work. In sampling nearly 700 organizations, Cato found that nearly two-thirds of respondents (62%) have seen remote access traffic at least double since the outbreak, and more than a quarter (27%) have seen remote access traffic triple.

Of critical concern is how enterprises enforce security policies on their expanded remote workforces. The survey found that most respondents fail to employ at least one key measure needed for enterprise-grade security:

• Multi-factor authentication (MFA) for validating user identity,
• Intrusion Prevention for identifying network-based attacks, or
• Antimalware for preventing threats posed by malicious content.

Used by 64% of the survey respondents, VPN servers are the dominant point solution to enable remote access. While VPNs provide traffic encryption and user authentication, they are a security risk because they grant access to the entire network without the option of controlling granular user access to specific resources. There is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network. What’s more, stolen VPN credentials have been implicated in several high-profile data breaches. By using legitimate credentials and connecting through a VPN, attackers were able to infiltrate and move freely through targeted company networks.

VPNs Are Giving Way to Zero Trust Security

The tech industry is moving toward a much more secure user access model known as Zero Trust Network Access (ZTNA), also called the software-defined perimeter (SDP). How ZTNA works is simple: deny everyone and everything access to a resource unless it is explicitly allowed. This approach enables tighter overall network security and micro-segmentation that can limit lateral movement in the event a breach occurs. This is the basic tenant underlying ZTNA architectures.

Gartner’s Market Guide for Zero Trust Network Access (ZTNA) projected that by 2023, 60% of enterprises will phase out VPN and use ZTNA instead. The main advantage of ZTNA is its granular control over who gains and maintains network access, to which specific resources, and from which end user device. Access is granted on a least-privilege basis according to security policies.

This granular-level control is also why Zero Trust Network Access complements the identity-driven approach to network access that SASE (Secure Access Service Edge) demands. With ZTNA built-in to a cloud-native network platform, SASE is capable of connecting the resources of the modern enterprises — sites, cloud applications, cloud datacenters, and yes, mobile and remote users — with just the right degree of access.

Security Integration Is Key to Effectively Enforcing Zero Trust Security Policies

Like VPNs, firewalls, and Intrusion Prevention solutions, there are point solutions for ZTNA on the market. In fact, many networks today are configured with an array of standalone security and remote access solutions. This lack of product integration is a real drawback for a number of reasons. First, it increases the probability of misconfigurations and inconsistent security policies. Second, it increases network latency as traffic must be inspected separately by each device. And finally, the lack of integration makes holistic threat detection all but impossible, as each appliance has its own data in its own format. Even if that data is aggregated by a SIEM, there is considerable work to normalize data and correlate events in time to stop threats before they can do their damage.

In addition, Zero Trust is only one part of a remote access solution. There are performance and ongoing security issues that aren’t addressed by ZTNA standalone offerings. This is where having ZTNA fully integrated into a SASE solution is most beneficial.

SASE converges Zero Trust Network Access, NGFW, and other security services along with network services such as SD-WAN, WAN optimization, and bandwidth aggregation into a cloud-native platform. This means that enterprises that leverage SASE architecture receive the benefits of Zero Trust Network Access, plus a full suite of converged network and security solutions that is both simple to manage and highly-scalable. The Cato SASE solution provides all this in a cloud-native platform.