The technology world has evolved faster in the last few years than I can ever remember. Just look at the impact of the pandemic. It has not only sparked a massive shift in our workforce, but it’s also left IT and security teams looking at users, devices, and data that are now everywhere. How are they supposed to keep employees and businesses safe from attacks? Good question.
The journey begins with the legacy systems many companies have in place today. You know, the ones that were designed to protect everyone within a castle and moat (i.e., the corporate office). Now, these same systems are being counted on to protect teams working at home, where they are connected to the internet from their corporate devices and require access to applications that now reside in the cloud and on-premises.
For IT and security teams, configuring this access and enabling teams to work and collaborate smoothly and securely is complex. And the tools we have historically used within our castle walls are no longer fit for purpose. We need to look at a new way of doing things. Here are three ways businesses can give people access to applications today.
The three approaches to business access
Hub and spoke – While this is the old way of doing things, many still use this approach. I see this as the first evolution of the castle and moat design, which focuses on having on-premises security even though users and data have started moving to the cloud. With hub and spoke, there is still a heavy reliance on legacy connection mechanisms like MPLS, and you still have some internal data centers. This model is also complex to configure and difficult to administer. Some businesses will have many different systems, all needing feeding and watering. They will also need to go through regular hardware renewal cycles, which adds additional cost and risk.
Cloud firewalls – Some people who left the castle went directly to cloud firewalls. In contrast, for others, it was an evolution from the hub and spoke design that came about as people went through their digital transformations and moved more services to the cloud. Along the way, they started moving some legacy-based security systems that ran on hardware to cloud-based solutions. This often meant backhauling internet traffic to the corporate network and data center. In this design, there is still heavy reliance on legacy physical equipment, which means you still have to feed and water while going through those hardware renewal cycles. This design was supposed to make things simpler to manage, but in most instances, it created further complexity and cost.
Secure Service Edge (SSE) – For me, this is the architecture of the future, which explains why we see people moving to it now. SSE is all about delivering connectivity and security tools from the cloud with no feed, water, or hardware renewal cycles required. This means you can significantly reduce the complexity, risk, and cost.
SSE and Zero Trust
There are many reasons why I consider SSE to be the architecture of the future. One is the focus on zero trust. That’s important for two reasons.
Eliminate Compromise: Unlike past security approaches, zero trust does not require teams to choose between access and security. In a world where applications and workforces are distributed, compromising cannot be an option.
SSE gives you the best of both worlds by supporting the new portfolio of cloud-based applications while enabling adaptive trust for challenging protocols like SSH, RDP, Git, VoIP, AS400, ICMP, and others. The result is harmonized access across any region. Think globally but act locally.
Work in Harmony: While we all want to work in harmony, the desire often goes unfulfilled. This change begins with enabling zero trust or, as I like to say, “never trust, always verify.” The key here is four core functions: ZTNA (Zero Trust Network Access), CASB (Cloud Access Security Broker), SWG (Secure Web Gateway), and DEM (Digital Experience Monitoring).
With these four capabilities in place, an SSE solution can grant access to the internet, SaaS applications, the public cloud, or applications hosted in a business’s data center. These systems automatically verify against access policy based on user, device, and application contexts and prevent unauthorized access, which, as you know, is the key to zero trust. There are no passthrough connections, and unlike legacy VPNs, users do not get an IP address on the network and cannot go wherever they want, whenever they want.
Users only get access to the applications they need and not the whole network, which prevents any lateral movement while minimizing the attack surface.
SSE keeps it simple
Simple is always best, and SSE offerings bring simplicity in key areas:
Compliance and Reporting: By configuring everything in a single, simple policy on top of a data lake, teams can block access from risky destinations. For example, if data is restricted for export control or ITAR purposes, you can allow users to only connect from places you decide.
Define Access: SSE allows teams to define access to the internet, SaaS applications, or external applications all in a single policy and set different levels of access based on whether the user connects with an agent or agentlessly.
Posture Checks: SSE solutions can leverage a vast range of posture checks before granting access. For instance, a solution can determine whether the individual is using Windows or Mac, whether the virus checker is enabled, whether the machine’s hard disk is encrypted, whether the latest patches have been installed, and whether the machine is joined to the domain.
Application Tags: Configuring access using application tags makes things simple. It allows teams to configure granular access without having to worry about segmentation and the difficulties that come with it. As a result, there is no need to have application segments that need to be split every time you need to change access.
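The points above (per-application access with no network IP issued, a single policy covering geography, identity, agent versus agentless access, posture checks, and application tags) can be tied together in a small, added example of a policy evaluator. This is illustration code written for this page, not the code of any SSE product; the application inventory, tag names, the export-control country list, and the posture fields are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    os: str                 # "windows" | "mac" | "linux" | "unknown"
    av_enabled: bool        # virus checker running
    disk_encrypted: bool
    patched: bool           # latest patches installed
    domain_joined: bool
    has_agent: bool         # agent-based (posture reported) vs agentless (browser)


@dataclass(frozen=True)
class App:
    name: str
    tags: frozenset[str]    # application tags drive the policy, not network segments


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset[str]  # identity-provider groups, e.g. employees / contractors
    country: str            # client geolocation (ISO code), assumed supplied by the edge
    device: Device
    app: str


# Constructed application inventory. Access is always per application;
# no rule ever hands out a network IP or a whole subnet.
APPS = {
    "git":       App("git",       frozenset({"engineering", "agent-required"})),
    "hr-portal": App("hr-portal", frozenset({"saas", "employees-only"})),
    "cad-vault": App("cad-vault", frozenset({"engineering", "export-controlled"})),
    "ticketing": App("ticketing", frozenset({"saas", "contractor-ok"})),
}
EXPORT_CONTROL_COUNTRIES = {"US"}   # constructed allow-list for export-controlled data


def evaluate(req: Request) -> tuple[bool, str, str]:
    """Return (allowed, access_level, reason); access_level is 'none', 'browser' or 'full'."""
    app = APPS.get(req.app)
    if app is None:                                   # default deny: no passthrough
        return False, "none", "unknown application"
    d = req.device
    # 1. Compliance: geography gate for export-controlled data
    if "export-controlled" in app.tags and req.country not in EXPORT_CONTROL_COUNTRIES:
        return False, "none", f"export-controlled app not reachable from {req.country}"
    # 2. Identity: tag-based group restrictions
    if "employees-only" in app.tags and "employees" not in req.groups:
        return False, "none", "application restricted to employees"
    if "contractors" in req.groups and "contractor-ok" not in app.tags:
        return False, "none", "contractors only reach explicitly tagged applications"
    # 3. Connection type: agentless sessions get a reduced, browser-mediated level
    if not d.has_agent:
        if "agent-required" in app.tags or "saas" not in app.tags:
            return False, "none", "agentless sessions are limited to SaaS/browser applications"
        return True, "browser", f"allow {req.user} -> {app.name} (agentless, browser only)"
    # 4. Device posture, which is only trustworthy when an agent reports it
    checks = (("antivirus", d.av_enabled), ("disk-encryption", d.disk_encrypted), ("patches", d.patched))
    failed = [name for name, ok in checks if not ok]
    if failed:
        return False, "none", "posture failed: " + ", ".join(failed)
    if "engineering" in app.tags and not d.domain_joined:
        return False, "none", "engineering applications require a domain-joined device"
    return True, "full", f"allow {req.user} -> {app.name} (per-app tunnel, no network IP)"


# Constructed scenarios: a compliant managed laptop, an unpatched one, and a contractor's own device.
COMPLIANT = Device("windows", True, True, True, True, True)
UNPATCHED = Device("windows", True, True, False, True, True)
BYOD = Device("unknown", False, False, False, False, False)

SCENARIOS = {
    "contractor_ticketing": Request("bob@vendor", frozenset({"contractors"}), "US", BYOD, "ticketing"),
    "contractor_git":       Request("bob@vendor", frozenset({"contractors"}), "US", BYOD, "git"),
    "employee_cad_us":      Request("alice", frozenset({"employees"}), "US", COMPLIANT, "cad-vault"),
    "employee_cad_abroad":  Request("alice", frozenset({"employees"}), "DE", COMPLIANT, "cad-vault"),
    "employee_unpatched":   Request("alice", frozenset({"employees"}), "US", UNPATCHED, "cad-vault"),
    "employee_hr_browser":  Request("alice", frozenset({"employees"}), "GB",
                                    Device("mac", True, True, True, False, False), "hr-portal"),
}


def run_scenarios() -> dict[str, tuple[bool, str, str]]:
    """Evaluate every constructed scenario against the single policy."""
    return {name: evaluate(req) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (ok, level, why) in run_scenarios().items():
        print(f"{name:22} {'ALLOW' if ok else 'DENY ':5} {level:8} {why}")
```

The order of the rules matters: the geography and identity gates run before any posture logic, so a request that fails export control is denied regardless of how healthy the device is, and an agentless session never reaches the posture branch because there is no agent to vouch for it. Adding a new application means adding tags to the inventory, not carving out a new segment.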
Where to start?
We get asked this quite often. During an interview with John Kindervag for the SSE Forum, I asked him this exact question. He said it’s not important where to start, it’s important that you start.
So, with this in mind, we recommend beginning with the low-hanging fruit—the areas with big-risk users. For example, we can all agree that giving contractors and third parties access to applications by putting them onto the network is not a good practice, so this is a great place to start. That is precisely what legacy VPNs do: they give full network access, and they run on machines you do not own or manage.
Instead, give them access to just the applications they need to use instead of the whole network. And go the agentless route, as installing agents on their devices often proves extremely difficult.
Next, replace your legacy enterprise VPN. We all know that IPsec isn’t the most secure protocol. Moving to this model takes the employee off your network by connecting users only to the applications they need. This significantly reduces risk as well as complexity. Start to decommission that old legacy hardware.
Then layer on additional services such as SWG, CASB, and DLP. This is our recommended approach, and it’s a multi-phase project that will take time and involve not only your technology but people, process, and those tech silos we all deal with daily.
Lastly, go all in on zero trust. Treat all users as if they are in internet cafes. Reduce that complexity and decommission those legacy hardware assets.
When you complete this journey, what you will discover at the end is something all businesses seek, but many fail to find—harmony. More specifically, harmony to the current chaos that is networking and security.