Remote Access: Network Architecture & Security Considerations
The global pandemic spurred a massive work-from-home (WFH) wave quite literally overnight. Hundreds of millions of people worldwide were told to stay home to stay safe, but they needed to keep working as best as possible. Enterprises responded to this sudden need for extensive remote network access by focusing on getting people connected—but connectivity often came at the expense of security.
As WFH (or telework) becomes a long-term model for many organizations, it’s time to rethink the remote access network architecture with security as a priority, not just a “nice to have” consideration. Zero Trust Network Access (ZTNA) must be part of the long-term solution, and Secure Access Service Edge (SASE) can deliver ZTNA with ease.
Long-term Telework Is Becoming the Norm
The pandemic forced people out of their office and onto the dining room table with barely any notice to the IT teams who had to enable and support remote access. The immediate priority was to give people access to their work environment by any means available so they could maintain productivity. VPNs were the connectivity solution of choice for most harried IT teams.
A year into the pandemic, many workers are still connecting to corporate resources from remote locations. What’s more, several large organizations have announced that WFH will be a permanent option for employees at least some of the time. Capital One, Facebook, Amazon, Gartner, Mastercard, Microsoft, Salesforce, PayPal, Siemens—these are just some of the companies that have adopted long-term remote work as the norm.
VPNs are Giving Way to Zero Trust Security
While VPNs provide traffic encryption and user authentication, they still present a security risk because they grant access to the entire network without the option of controlling granular user access to specific resources. There is no scrutiny of the security posture of the connecting device, which could allow malware to enter the network. To maintain proper security, traffic must be routed through a security stack at the VPN’s terminus on the network. In addition to inefficient routing and increased network latency, this can result in having to purchase, deploy, monitor, and maintain security stacks at multiple sites to decentralize the security load. Simply put, VPNs are a challenge – an expensive one at that – when it comes to remote access security.
Enterprises are turning to a much more secure user access model known as Zero Trust Network Access (ZTNA). The premise of ZTNA is simple: deny everyone and everything access to a resource unless it is explicitly allowed. This approach enables tighter overall network security and micro-segmentation that can limit lateral movement in the event a breach occurs.
The main advantage of ZTNA is its granular control over who gains and maintains network access, to which specific resources, and from which end user devices. Access is granted on a least-privilege basis according to security policies.
But Zero Trust is only one part of a remote access solution. There are performance and ongoing security issues that aren’t addressed by ZTNA standalone offerings. For example, all traffic still needs to undergo security inspection en route to its destination. This is where having ZTNA fully integrated into a SASE solution is most beneficial.
SASE is a Secure Remote Access Solution Designed for the Modern Enterprise
SASE converges Zero Trust Network Access, NextGen firewall (NGFW), and other security services along with network services such as SD-WAN, WAN optimization, and bandwidth aggregation into a cloud-native platform. Enterprises that leverage a SASE networking architecture receive the benefits of ZTNA, plus a full suite of converged network and security solutions that is both simple to manage and highly-scalable. SASE provides all this in a cloud-native platform.
A key component of SASE is a series of global Points of Presence (PoPs) located in virtually every region of the world. These PoPs house integrated security stacks comprised of Next-generation firewalls, secure web gateways, anti-malware, intrusion prevention systems, and of course, the ZTNA technologies.
The PoPs are where all traffic from an organization’s corporate offices, branch offices, and remote and mobile users connect to their network. Thus, security is conveniently applied to all traffic at the PoP before going to its final destination—whether it’s to another branch, remote user, SaaS application, cloud platform, or the Internet.
The PoPs themselves are interconnected by a private, high performance network. This network utilizes routing algorithms that factor in latency, packet loss, and jitter to get traffic to and from its destination optimally, favoring performance over the cost of transmission. To further enhance security, the connections between PoPs are completely encrypted.
SASE Simplifies Secure Remote Access for WFH
What does this mean for the remote access worker? SASE makes it very quick and easy to give optimized and highly secure access to any and all workers. For users in the office, access can be limited only to designated resources, complying with zero-trust principles.
For remote and mobile users, SASE provides the flexibility to choose how best to securely connect them to resources and applications. SASE Client is a lightweight application that can be set up in minutes and which automatically connects the remote user to the SASE Cloud. Clientless access allows optimized and secure access to select applications through a browser. Users simply navigate to an application portal, which is globally available from all PoPs, authenticates with the configured SSO, and are instantly presented with a portal of their approved applications. Both client-based and clientless approaches also use comply ZTNA to secure access to specific network resources.
Contact us to upgrade your MPLS / SD WAN to a secure, cost-effective SASE.
Originally published by Cato Networks.