Neil Thacker, CISO EMEA at the cloud security product company Netskope, describes how 2020 brought an unprecedented test for organisations.
With the shortest of notice, employers had to transform entire organisations to enable remote working. Cloud-based applications seemed the saviour for remote access needs, but soon it became apparent that critical security and privacy guards were either causing bottlenecks, or leaving data dangerously exposed. With the majority of IT teams still supporting a hybrid infrastructure of both cloud and on-premise systems, they were left puzzling over the best way to balance access and security without duplicating systems.
When they were designed, VPNs were an intelligent method of tunnelling and securing traffic between employees and applications that were hosted within an organisation’s technology perimeter. But in 2020, 94pc of organisations now report using cloud services and applications, and traditional remote access solutions are failing because they were not designed for cloud. Worryingly, because the logical workflow of a VPN doesn’t handle cloud well, technology teams are using workarounds and ad hoc routing to enable remote access.
New research from Cybersecurity Insiders (CSI) found that 39pc of organisations were completely unable to deploy their preferred remote VPN appliance in public cloud environments. Because of this, the most common workaround mentioned by survey participants was ‘hairpinning’ remote workers through data centres to access public clouds (47pc). This has a serious impact on employee experience, but perhaps even more alarmingly 31pc of respondents said that they publicly expose cloud apps in order to enable remote worker access.
To address these shortcomings, organisations are relying on traditional approaches, and that’s where further issues have arisen during the global lockdowns. Organisations reported delays of around 12 weeks from the order of a new VPN appliance – due to the shutdown of global supply chains and manufacturing delays. Appliance-based infrastructure simply lacked the agility to scale during lockdown.
A perennial trade-off…
There is always a tension between the need for security and the requirement for ease of access to enable high productivity. But right now, with almost all businesses operating with dispersed remote employees, security diligence is often losing out in the negotiations in favour of fast adoption. If nearly a third of organisations are knowingly exposing cloud applications publicly on the internet, they are introducing additional risk that may come back to affect them.
… or a new approach
If you cast your mind back to a time when we all used to commute to an office to work… did you grant someone access to every floor, office, meeting room and broom cupboard just because they got past the reception desk checks? You didn’t. The more intelligent office buildings only allowed people physical access to the areas that they needed to go to, and Zero Trust Network Access (ZTNA) works the same way. Essentially you grant conditional access to data and systems, on the basis of ‘least privilege’. This is a hugely appealing approach for most organisations. In the CSI research, almost 90pc of organisations acknowledged that employees currently have access privileges beyond what they require, and over-privileged access is the top concern relating to security access for 62pc of organisations.
Data security is the primary motivation for IT and security teams looking to implement a Zero Trust programme. ZTNA lowers the risk that malicious insiders or cybercriminals with stolen credentials will gain remote access to an organisation’s networks, applications and data – whether in public or private clouds, or even private data centres. When delivered in the cloud using a high-capacity global network infrastructure, ZTNA can also enable remote access that scales to meet the needs of any dramatic increase in remote working requirements, without slowing access times or routing traffic unnecessarily.
ZTNA becomes increasingly logical for organisations making use of either the public or private cloud. Almost half (45pc) of respondents to the CSI survey said that ensuring remote access to private applications hosted in public cloud (such as AWS, Azure or GCP) was a security priority, and even more (65pc) said that accessing applications deployed in public cloud environments was their biggest headache.
In the age of cloud, private networks have become the exception, not the norm, so it stands to reason that a VPN is not the logical approach to take when enabling remote workers. CSI’s research – published before the pandemic ramped up the pressure – revealed that 72pc of organisations plan to assess or implement Zero Trust capabilities in 2020. It will be very interesting to see what the actual number is at the end of this year.