Rethinking IT security in a remote and mobile-working world

by Sean Kopelke, ANZ Country Manager, Zscaler

Today’s employees have high expectations when it comes to business technology. Conditioned by the easy-to-use consumer devices in their private lives, they’re looking for a similar experience in the workplace.

They also don’t want to have to make any concessions when away from their desks.  Whether working from home, an airport lounge, or a hotel on the other side of the world, they want no-fuss access to the data and applications they require to get their work done.

To meet these demands, growing numbers of organisations are  making increasing use of cloud-based services and platforms. Properly deployed, they can provide employees with reliable access to their firm’s IT infrastructure from any location and on almost any type of device.

The security challenge

While this trend delivers clear benefits for both a business and its staff, it also poses some challenges. The traditional tools and approaches designed to securely connect users with their applications and data stores are ineffective in the cloud - in fact, they become practically irrelevant.

Consider how most businesses provide remote access for staff. Whether the applications and data are located in the company’s data centre or in the cloud, staff are likely to gain access by using a virtual private network (VPN).

The problem is that VPNs were never designed to connect users to applications. Rather, they were designed to connect networks to other networks. For this reason, bringing users from a remote network via the Internet and onto a trusted or secure private network so they can access an application or data is inefficient at best, and risky at worst.

Any firm that offers users access to its network by way of a VPN is significantly broadening its potential attack surface and elevating the risk of security issues. For example, a staff member whose device has been compromised can infect the network with malware that then moves laterally as it scans for other resources and vulnerabilities to exploit.

Consider what would happen if a mobile or remote employee was compromised and they then connected back to a network that had lateral access to a credit card payment processing environment. A breach of this type can make a company big news and cost it a considerable amount of money.

Also, many companies tend to use a VPN to secure access to applications that are not even in their datacentre but reside on a cloud platform such as AWS or Azure. To achieve access, traditional VPNs require painful, hairpin-type traffic routing. This involves transferring data from the user to the corporate datacentre, and then out via another VPN to the cloud provider before making its return trip back to the user. This becomes a slow experience for the staff member, a challenge for IT administrators, and a technology that raises security concerns of its own.

As a result, traditional VPNs are laborious and painful and require users to take different actions depending on where they are and what applications they are accessing.

For example, when away from the office a user must connect to a VPN before accessing applications, but when inside the office this is not required. Perhaps a user may attempt to access an application from a tablet, but is denied because there is no VPN client configured on the device.

There might also be issues when the network that they are using simply doesn’t support the communication requirements for a corporate VPN, or can’t deliver the bandwidth required for effective access.

Redefining the perimeter 

In this era of flexible working, it's no longer enough to simply create a secure perimeter around a business’s IT assets. Indeed, the security model needs to be flipped so that it’s based not on a user’s location but on the policies tied to them and the applications they want to use.

This approach lets an organisation provide fast, secure and efficient access that connects the right user to the right application, thereby not exposing the network and internal users to any risk. When direct, secure access is provided to applications in this way, it’s also possible to deliver a much better user experience.

It’s no longer good enough to risk the security of an organisation’s IT infrastructure by using outdated, inefficient and ineffective security methods. Software-defined perimeters (SDP) offer a way of keeping applications and data secure and accessible while also ensuring staff are happy and productive wherever they happen to be working.