The shift to remote work has driven companies to redesign their network and security architectures. The distributed enterprise has unique business needs, and many organizations are exploring cloud-based services and Secure Access Service Edge (SASE) as options to meet these needs.
Over 80% of respondents in the Remote and Hybrid Work Security Report have seen an increase in remote work since Covid-19, and 66% are using cloud-based security services to scale up remote access. Thanks to broad networks of cloud Points of Presence (PoPs) and the ubiquity of cloud applications and services, enterprises have many options for connecting remote users to enterprise applications and the Internet.
Earlier models, which backhaul branch-office and remote-user connections to security stacks in corporate offices and only then send traffic on to the cloud, add significant latency and give users a poor Quality of Experience. With the advent of software-defined WAN (SD-WAN), enterprises can optimize remote-site and user connections to cloud or on-premises resources by selecting the best network path for each application. That path may be a virtual private network (VPN) or multiprotocol label switching (MPLS) link back to the corporate network, or a direct-to-Internet broadband or wireless connection through a local Internet breakout on the SD-WAN device.
SD-WAN is a good fit for branch-office connectivity, but many users work from home, where they typically have no company-owned SD-WAN device. One of the top remote work challenges reported in the survey was support for BYOD devices: 40% cited BYOD as a top administration challenge, alongside scaling performance (46%) and privacy and compliance (42%). In the Forrester Zero Trust Edge (ZTE) model, which complements the Gartner SASE model, Forrester sees first adopters applying zero trust network access (ZTNA) principles to securely connect remote users and offices to the Internet and to corporate applications. Delivered as a cloud service, ZTNA also improves performance, because the enforcement point moves closer to both the user and the application.
Beyond performance, a clientless ZTNA solution addresses the BYOD problem, since nothing has to be installed on the personal device. The user opens a browser, is strongly authenticated with Multi-factor Authentication (MFA), and is then granted access per application, on a need-to-use basis, to Remote Desktop, SSH, web-based applications and database applications. Because the endpoint itself is not managed, the controls live entirely in the broker: MFA and per-application authorization, not trust in the device.
A VPN is another way to connect remote users, but in the report VPN problems were among the top user complaints (62%). A further issue is that a conventional VPN typically places an authenticated user directly on the corporate network, with reachability to far more hosts and services than the job requires; this enlarges the attack surface and lets a compromised or infected endpoint move laterally. Implemented alongside an SD-WAN or SASE solution, ZTNA integrates zero trust into remote access and reduces a remote worker's reach to only the applications they actually need.
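To make the contrast between per-application ZTNA and flat VPN access concrete, here is a small policy evaluator. It is an added example, not Check Point code, and it does not model Harmony Connect; every user, group, application and address in it is constructed for illustration. The broker denies by default and only allows a session to reach one protocol on one host:port after MFA, a group match and (for sensitive apps) a managed-device check, whereas the flat VPN model routes the whole corporate prefix.

```python
"""Toy zero-trust access broker (added illustration, not vendor code).
Contrasts per-application ZTNA decisions with flat VPN network access.
All users, groups, applications and addresses below are constructed."""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Session:
    user: str
    groups: frozenset          # identity-provider group memberships
    mfa_verified: bool         # strong authentication completed?
    device_managed: bool       # False for a personal (BYOD) device


@dataclass(frozen=True)
class App:
    name: str
    protocol: str              # "ssh", "rdp", "https" or "db"
    host: str
    port: int
    allowed_groups: frozenset  # groups that may be granted this app
    managed_device_only: bool = False


# Constructed catalogue of internal applications published by the broker.
APPS = {
    "jump-host":    App("jump-host", "ssh", "10.0.1.10", 22, frozenset({"ops"})),
    "hr-portal":    App("hr-portal", "https", "10.0.2.20", 443, frozenset({"hr", "ops"})),
    "win-desktop":  App("win-desktop", "rdp", "10.0.3.30", 3389, frozenset({"ops"}),
                        managed_device_only=True),
    "reporting-db": App("reporting-db", "db", "10.0.4.40", 5432, frozenset({"analysts"})),
}

# Constructed corporate address space that a flat VPN would route in full.
CORP_NET = ipaddress.ip_network("10.0.0.0/16")


def ztna_decision(session: Session, app_name: str):
    """Return (allowed, reason). Deny is the default: an allow requires MFA,
    a matching group and, where the app demands it, a managed device."""
    app = APPS.get(app_name)
    if app is None:
        return False, "unknown application"
    if not session.mfa_verified:
        return False, "MFA not completed"
    if not (session.groups & app.allowed_groups):
        return False, "user not in " + ",".join(sorted(app.allowed_groups))
    if app.managed_device_only and not session.device_managed:
        return False, "managed device required"
    # The broker proxies only this one protocol to this one host:port.
    return True, f"{app.protocol}://{app.host}:{app.port}"


def reachable_via_ztna(session: Session):
    """Endpoints the session can actually reach: one host:port per allowed app."""
    return sorted(f"{APPS[n].host}:{APPS[n].port}"
                  for n in APPS if ztna_decision(session, n)[0])


def reachable_via_flat_vpn(session: Session):
    """Conventional VPN model: after authentication the client is routed onto
    CORP_NET, so every address in it is reachable regardless of role.
    Returns the number of reachable addresses."""
    if not session.mfa_verified:
        return 0
    return CORP_NET.num_addresses


if __name__ == "__main__":
    bob = Session("bob", frozenset({"hr"}), mfa_verified=True, device_managed=False)
    print(ztna_decision(bob, "hr-portal"))   # allowed, proxied to one host:port
    print(ztna_decision(bob, "jump-host"))   # denied, bob is not in ops
    print(reachable_via_ztna(bob), "vs", reachable_via_flat_vpn(bob), "addresses")
```

The point to take from the two reachability functions is the size of the blast radius: an HR user on a personal laptop reaches exactly one endpoint through the broker, while the same authenticated user on a flat VPN is routed to the entire /16.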
In the report, nearly half (45%) of IT and security professionals reported an uptick in cyberattacks since the shift to remote work. Top concerns were data loss (55%), phishing (51%), and account takeover (44%). Enterprise IT security professionals are familiar with advanced on-premises controls such as secure web gateways (SWGs) or next-generation firewalls (NGFWs) with sandboxing that counter phishing and zero-day threats. Prevention is arguably even more necessary for a remote workforce than for on-premises staff.
Consider a security solution that detects a threat but does not prevent it. If a user is on-premises, the enterprise likely has a segmented network and is able to quickly isolate the infected host, which may be only a short walk away from the helpdesk. When a worker is remote, access from the infected host can be blocked, but the time to remediate the infected host and get the worker back online increases substantially. Having the same level of threat prevention for remote and in-office workers is a key benefit of a secure SASE solution.
In the zero trust security model, data is the new perimeter, and this is also reflected in the report. 55% of the respondents said data exfiltration and leakage was one of the top breach and attack vectors since Covid-19 forced a shift to remote work. In the section above, we discussed how ZTNA provides secure, scalable network access to corporate applications. Equally important is having a security policy that unifies ZTNA with data loss prevention, safe web use, and advanced threat prevention in a single web console managed from the cloud.
Along with providing strong security that is consistent with known enterprise threat prevention technologies (and closer to the user and application), SASE unifies security policy management for multiple security technologies under one umbrella. This includes URL filtering (via a SWG), application control (via an NGFW), data loss prevention (DLP), an intrusion prevention system (IPS), advanced threat prevention (through sandboxing), and secure access to corporate applications (through ZTNA).
In the section above, we discussed how unifying security management improves security for remote sites and users. SASE also unifies or consolidates multiple security services and network services under one umbrella.
SD-WAN improves the delivery of Wide Area Networks (WANs) by expressing business intent in software, enabling optimized path selection for each application's traffic across the paths available on the WAN. Network service policies are managed centrally by cloud orchestrators, which also handle zero-touch delivery of network equipment. With zero-touch deployment there is no need for on-site technical staff: devices are connected and powered on, then fetch their configuration and policy from the cloud orchestrator.
This flexible, agile and efficient delivery of network services also applies to security when it is delivered from a cloud security service edge. The remote branch device is configured to connect securely to the nearest cloud security service edge over a VPN tunnel, and the network policy steers Internet-bound traffic that needs inspection through that tunnel to the cloud security service. The same is done for remote users with an app installed on their laptops and mobile devices.
Managing network and security policy centrally not only decreases the cost of managing that policy; it also shortens the time it takes to deliver network and security services to remote sites and users. Any change is made in the cloud and pushed out to remote sites and users without on-site technical support.
Because networking and security are centrally managed and orchestrated, the health of the network and the threats facing remote sites and users are visible to the administrators monitoring the organization's WAN and security, who can then respond to threats and network problems as they happen. 61% of respondents in the Remote and Hybrid Work Security Report who moved to cloud-based security consider it highly strategic in scaling remote access.
The advantages of securely connecting remote sites and remote users to the cloud with Harmony Connect, Check Point’s SASE solution, include:
To learn more about adopting SASE, we invite you to read the full Remote and Hybrid Work Security Report, check out the summary infographic, or read ESG’s A Guide to Adopting Secure Access Service Edge Network Security.