Why Remote Workforce and Legacy Security Architectures Don’t Mix

Last week, we announced the results of our fifth annual IT survey, The Future of Enterprise Networking and Security: Are You Ready for the Next Leap. It was a massive undertaking that saw 2,376 participants from across the globe provide detailed insights into how their organizations responded to the COVID-19 crisis, their plans for next year, and what they think about secure access service edge (SASE).

When the dust settled and the results were tallied, we found an optimistic group of IT leaders, confident in their networks but concerned about securing and managing their remote workforce.

Make no mistake about it, work-from-home (WFH) and the remote workforce aren’t going away any time soon. Only 7% of respondents indicated that everyone will move back to the office. More than half (80%) indicated their companies will continue with a remote workforce in whole or in part.

With users working remotely, IT organizations still need the same level of security controls and visibility. But delivering those capabilities can’t be done by compromising application performance. And that’s a problem for legacy security architectures as they add latency, crippling application performance, and lack the optimization techniques for improving the remote experience.

It’s no surprise then that boosting remote access performance was the most popular primary focus for IT leaders over the next 12 months (47% of respondents). At the same time, when asked to cite the primary security challenges facing their IT organizations, 58% of respondents pointed to “enforcing corporate security policies on remote users,” making it second only to “Defending against emerging threats like malware/ransomware” (66% of respondents).

But the problems of securing the remote workforce don’t stand on their own. They’re compounded by all of the legacy security challenges facing IT teams. More than half (57% of respondents) indicated that they lacked sufficient time and resources to implement security best practices. And those best practices can be as mundane as patching software and systems shortly after vendors release patches (32% of respondents).

Astounding. In the 21st century, with networks that have seen throughput jump ten thousand-fold over the past 30 years, we still have patching problems?

IT managers shouldn’t blame themselves, though. It’s clear where the problem lies — in the architecture. As Cato security engineer, Peter Lee, noted in this blog when documenting the vulnerability and subsequent patches issued for VPN servers:

“Patching has become so common that we just assume that’s the way it has to be. “Patch Tuesday” has us expecting fixes to problems every week. In reality, patching is an artifact of the way all appliances are built. If we eliminate the appliance architecture, we can eliminate the overhead and risk of patches.”

Eliminating appliances will not only eliminate patching problems, it will also eliminate the performance and visibility challenges introduced by legacy security architectures. Of course, this assumes enterprises can replace legacy security architectures with an approach that will:

  • Simplify today’s security stack
  • Eliminate the patching headaches
  • Deliver secure access everywhere, at scale, without compromising performance
  • Give visibility and control into all traffic flows

What architecture will do that? According to respondents — SASE.

More than 91% of respondents expect SASE to simplify management and security. Of those who’ve already adopted SASE, 86% of respondents experienced increased security, 70% indicated time savings in management and maintenance, 55% indicated overall cost saving and greater agility, 36% saw fewer complaints from remote users, and 36% realized all these benefits. No wonder that more than half of the respondents indicated that SASE would be very or extremely important to their business post COVID-19.

Source: CATO Networks

The disadvantages of VPNs for Enterprises

The COVID-19 outbreak led to a surge in business VPN usage in an extremely short timeframe. In fact, multiple regions saw VPN usage rise over 200% in a matter of weeks. In many cases, remote access VPNs enabled enterprises to get work from home initiatives off the ground quickly and keep their business running, despite offices being closed.

However, as they settle into the new normal, many enterprises are also learning that there are several VPN disadvantages as well. Scalability, performance, and security can all become challenges with remote access VPN. SDP (software-defined perimeter) provides enterprises with a solution to the disadvantages of VPN. By taking a software-defined approach to remote access and network security, SDP (sometimes referred to as ZTNA or Zero Trust Network Access) helps address these challenges in a way that is more sustainable long-term.

But what exactly sets SDP apart from traditional remote access VPN? Let’s find out.

Of course, VPN isn’t without its upside

Remote access VPNs provide enterprises with a means to enable remote work. A virtual or physical appliance within the WAN, the public Internet, and client software on employee PCs is often sufficient to support work from home initiatives. In many cases, this exact sort of remote access VPN configuration helped businesses keep the lights on when the pandemic hit.

VPN disadvantages

While it is true remote access VPN saved the day for some businesses, it’s also true that the increased usage has further magnified some of the biggest VPN disadvantages.

#1: Not designed for continuous use

The use case for remote access VPN was never to connect an entire enterprise to the WAN. Traditionally, enterprises purchased VPN solutions to connect a small percentage of the workforce for short periods of time. With a shift to large-scale work from home, existing VPN infrastructure is forced to support a continuous workload it wasn’t intended for. This creates an environment where VPN servers are subject to excessive loads that can negatively affect performance and user experience.

#2: Complexity impedes scalability

Enterprises may try to address the issue of VPN overload with additional VPN appliances or VPN concentrators, but this adds cost and complexity to the network. Similarly, configuring VPN appliances for HA (high availability) adds more cost and requires more complex configuration.

Further, because VPN servers provide remote access, but not enterprise-grade security and monitoring, they must be complemented by management solutions and security tools. These additional appliances and applications lead to even more configuration and maintenance. As each additional solution is layered in, the network becomes more complex and more difficult to scale.

#3: Lack of granular security

VPN appliances are a textbook example of castle-and-moat security. Once a user connects via VPN, they have effectively unrestricted access to the rest of the subnet. For some enterprises, this means non-admin users have network access to critical infrastructure when they shouldn’t. Further, this castle-and-moat approach increases the risk of malware spread and data breaches.

To add granular security controls to remote access VPN, enterprises often have to deploy additional security point-solutions, but this adds additional cost and complexity while leaving plenty of room for misconfiguration and human error.

#4: Unpredictable performance

VPN connections occur over the public Internet, which means network performance is directly tied to public Internet performance. The jitter and packet loss common to the Internet can wreak havoc on mission critical apps and user experience. Additionally, enterprises with a global footprint know that there are significant latency challenges when attempting to send Internet traffic across the globe, before we even take into account the additional overhead VPN tunneling adds.

#5: Unreliable availability

Beyond unpredictable performance, enterprises that depend on the public Internet for remote access get no availability guarantees. When public Internet outages mean lost productivity for your entire organization, the risk of depending solely on the public Internet can outweigh the rewards significantly.

How SDP addresses remote access VPN disadvantages

SDP, when used as part of a holistic Secure Access Service Edge (or SASE) platform, directly addresses VPN’s disadvantages and provides enterprises with a scalable and reliable remote network access solution.

SASE is a category of enterprise networking that converges network and security functionality into a unified cloud-native service. SDP, which is an important part of the SASE framework, is a modern approach to remote application access that has global performance optimization, threat protection, and granular access controls built in.

The idea behind SDP is simple:

√ Users securely authenticate (e.g. using MFA and encrypted network protocols)

√ Access rights are assigned based on profiles and specific applications

√ Risk assessment occurs continuously during each user session
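
The contrast between network-level VPN access and the three SDP checks listed above can be sketched as an access-decision model. This is an added illustration, not code from the original article and not Cato's implementation; the subnet, application names, profiles and risk limit are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: hypothetical subnet, applications, profiles and limit.
CORP_SUBNET = ipaddress.ip_network("10.20.0.0/16")
APPS = {"crm": "10.20.1.10", "payroll": "10.20.5.20",
        "domain-controller": "10.20.0.5"}
PROFILES = {"sales": {"crm"}, "hr": {"crm", "payroll"},
            "it-admin": {"crm", "payroll", "domain-controller"}}
RISK_LIMIT = 70  # hypothetical score above which a session loses access


@dataclass
class Session:
    user: str
    profile: str
    authenticated: bool
    risk_score: int = 0  # re-scored during the session (posture, behaviour)


def vpn_allows(session, dest_ip):
    """Castle-and-moat: once connected, every address in the subnet is reachable."""
    return session.authenticated and ipaddress.ip_address(dest_ip) in CORP_SUBNET


def sdp_allows(session, app):
    """Application-level, default deny, evaluated on every request."""
    if not session.authenticated:
        return False, "not authenticated"
    if session.risk_score > RISK_LIMIT:
        return False, "risk score above limit"
    if app not in PROFILES.get(session.profile, set()):
        return False, "app not in profile"
    return True, "allowed"


def reachable(session):
    """Applications one session can reach under each model."""
    vpn = sorted(a for a, ip in APPS.items() if vpn_allows(session, ip))
    sdp = sorted(a for a in APPS if sdp_allows(session, a)[0])
    return vpn, sdp


if __name__ == "__main__":
    alice = Session("alice", "sales", authenticated=True)
    print("normal session :", reachable(alice))
    alice.risk_score = 85  # e.g. endpoint posture degraded mid-session
    print("risky session  :", reachable(alice))
```

A non-admin session reaches every application on the subnet under the VPN model, while the application-level model limits it to its profile and withdraws access when the risk score rises mid-session.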

Using Cato’s SASE platform as an example, with SASE and SDP, enterprises gain a remote access solution that:

  • Is built for continuous access. Cato’s globally distributed cloud-native platform is purpose built for continuous access. With cloud-native infrastructure, enterprises don’t have to worry about overloading a single VPN appliance. Additionally, performance optimization and HA are built into Cato’s global private backbone, eliminating many of the performance issues created by VPN’s dependence on the public Internet.
  • Delivers hyper-scalability. Enterprises don’t need to add more appliances to scale. SDP and SASE bring the hyper-scalability of the cloud to remote access.
  • Provides granular access control. SDP allows enterprises to design access controls at the application-level and based on user profiles. This leads to a significant reduction in risk compared to VPN’s network-level approach.
  • Proactively protects against threats. With SDP, network traffic goes through end-to-end packet inspection using a robust cloud-based security stack designed to detect and prevent malicious behavior. This occurs without the need to deploy and maintain additional security solutions.
  • Is backed by a 99.999% uptime SLA. Cato’s global private backbone consists of more than 50 PoPs interconnected by Tier-1 Internet Service Providers and backed by a 99.999% uptime SLA. In a time where entire workforces are remote, this guarantee of availability can make a world of difference.

All this comes together to make SASE and SDP an ideal remote access VPN alternative.

Source: CATO Networks

The Hybrid Workforce: Planning for The New Working Reality Post COVID-19

It may be difficult to remember, but not so long ago we used to work mainly from an office. The unprecedented global pandemic that took the world by storm changed our personal and professional life patterns. We moved to work from home, then returned to the office, and back home, with the ebbs and flows of the pandemic. This work model is here to stay, reflecting a transition into a “Hybrid Workforce.”

The transition into a Hybrid Workforce caught many IT teams by surprise. Most organizations were not prepared for a prolonged work from home by the vast majority of the workforce. The infrastructure needed to support these remote users, virtual private network (VPN) solutions, was built for the brave few and not for the masses. During the first wave of COVID-19, IT had to throw money and hardware at the problem, stacking up legacy VPN servers all over the world to catch up with the demand.

This is a key lesson learned from the pandemic: enterprises must support work from anywhere, all the time, by everyone. It is now the time to think more strategically about the Hybrid Workforce and the key requirements to enable it.

Seamless transition between home and office

Today, networking and security infrastructure investments in MPLS, SD-WAN, and NGFW/UTM are focused on the office. These investments do not extend to employees’ homes, which means that working from home doesn’t have the resiliency, security, and optimization of working from the office. The more “remote” the user is, the more difficult it is to ensure the proper work environment.

Our take: Look for cloud-first architectures, such as Zero Trust Network Access (ZTNA) and the Secure Access Service Edge (SASE) to deliver most networking and security capabilities from the cloud. By decoupling these capabilities from physical appliances hosted in a fixed location, and moving them to the cloud, they become available to users everywhere. This is an opportunity to converge the infrastructure used for office and remote users into a single, coherent platform that enforces a unified policy on all users regardless of their locations.

Scalable and globally distributed remote access

The current appliance-centric VPN infrastructure requires significant investment to scale (for capacity) and distribute globally (near users in all geographical regions). Beyond the initial deployment, on-going maintenance overloads busy IT teams.

Our take: Look for remote access to be delivered as a scalable, global cloud-service that is proven to serve a significant user base and the applications they require. Consuming remote access as a service will free up IT resources from sizing, deploying, and maintaining the remote access infrastructure required to support a Hybrid Workforce.

Optimization and security for all traffic

Today’s remote access infrastructure provides just that, remote access. IT relies on the integration of multiple technologies to optimize and secure remote access traffic. As discussed above, most are not available to work from home.

Our take: Look for remote access solutions that incorporate optimization and protection for all types of traffic including wide area network (WAN), Internet, and cloud traffic. This is particularly important in the remote-user-to-cloud path, where legacy technology has no visibility or control. By embedding WAN optimization, cloud acceleration and threat prevention into the remote access platform itself, all traffic, regardless of source and destination, is optimized and protected.

Conclusion

Even if your enterprise IT survived the initial transition to working from home, it is now the time to think about the creation of networking and security architecture that can natively support the Hybrid Workforce. Global, elastic, and agile infrastructure is key to fending off the next crisis, or whatever comes next.

Source: CATO Networks
