Securing Data for Remote Access Users
Business requirements, distributed operations, and cloud deployments are forcing organizations to rethink remote access requirements, including how to secure the data and applications they access.
Virtual Private Networks (VPNs) have traditionally been used to meet these needs, but many organizations are facing 21st Century real-world problems using a technology that is more than 20 years old. With a move to a more distributed mobile workforce and dependency on cloud-based platforms, we face a growing need to provide secure access to these internal resources from beyond the traditional corporate borders.
It’s time to look at how accessing data securely should be approached in this new paradigm.
Contractors, Suppliers driving the Outside-In Enterprise
Data networks were designed long ago when the majority of users were “inside” an enterprise building and using the local area network (LAN). Today, organizations are opening up their infrastructure resources to suppliers and contractors at unprecedented rates.
According to a study conducted by software company Intuit, by 2020 more than 40 percent of the U.S. workforce will be contractors and contingent workers; that’s more than 60 million people. Why so? Because of the almost ubiquitous needs for organizations to share data in such a way that it speeds the flow of business transactions.
The result is that most users are outside the enterprises, accessing data and applications as credentialed guests. And hence, the ‘outside-in’ network is the new normal.
A New Data Access Model
As businesses operate within this new normal, a new access model is paramount. But how do we define that? Here are some ideas:
Least Privilege Access
Provide users with the lowest level of data user rights they can have and still do their jobs. Today’s VPN solutions are typically configured to grant network access, when only a minimal of resources are required.
Since targeting a loftier resource is part of every attacker’s plan, mitigate that risk by effectively removing the ability to access the network as a whole. As an added bonus, if network access is no longer required to serve resources, the need to manage inbound network connections should also be eliminated.
A new model should extend the concept of “least privilege” to include the underlying network itself. Delivering access to internal resources can no longer include broader network access. Rather, it should be able to effectively broker the appropriate access to only what is required, while removing the overall risk of exposure to external threats.
Today’s enterprises are no longer made up of devices that are fully known, and controlled. With “bring your own device” (BYOD), working from home, and crowdsourcing, to name a few, what we’re left with is a diverse blend of device platforms, in various states of data configuration and security.
Management in today’s environment has become difficult and time-consuming. Mobile device management (MDM), device certificates (X.509), device profiling, and other network access control (NAC) type validations can provide some assurances.
But these efforts largely gauge correct posture at a point-in-time. There’s no guarantee that it will remain so on an ongoing basis.
In a new model, the concept of “never trust” should be applied to any and all resources with the ability to access data. Never trust is based upon the strategy to reduce risk by eliminating the exposure of lower-level device operations altogether, effectively isolating potential threats, while providing access in a secure sandbox and supporting a more device-agnostic approach.
Service-Based Access Control
Operating environments are becoming more distributed with multiple data centers or cloud implementations. Effort is required to achieve commonality between these distributed locations to operate effectively.
While it is technically possible to singularly locate these traditional access methods, the more common approach is to deploy solutions on a site-by-site basis as part of a disaster recovery and business continuity strategy.
When you factor in the proprietary operating parameters of today’s cloud implementations, the level of complexity and uniqueness for access implementations drastically increases. Having to manage disparate configurations can potentially lead to oversights in provisioning and deprovisioning, introducing unnecessary risk to the organization.
In a new model, access solutions should be flexible enough to not only operate ubiquitously across all platforms, but also maintain governance, standardization and reporting from a single management pane.
This approach ensures centralized policy enforcement and better visibility across the entire enterprise. Moving these processes to a service-based (or cloud) model would allow for a simplified, yet standardized mechanism to ensure access anywhere, anytime.
New distributed workforce models are quickly becoming the norm. Mobility efforts are forcing IT to re-evaluate how access is provided to internal resources and data to ensure business operations continue to function effectively. Considering these workforce changes and en-masse migrations to cloud models, trying to apply traditional methods of access are proving to be more costly, complex, and generally carry more risk.
To effectively implement this new paradigm, we must move away from what is known and explore new concepts that factor in the “new normal” for access to application and data resources in the outside-in enterprise.
(About the author: Mark Carrizosa is vice president, security at Soha Systems.He joined Soha in 2015 from Walmart where, as principal security architect, he developed and implemented the company’s global e-commerce security architecture framework. Prior to Walmart, Carrizosa was operational risk consultant at Wells Fargo. Before Wells Fargo, Carrizosa managed a team of engineers responsible for security at natural resource company Freeport-McMoran Copper & Gold. He also held several information security management roles at PetSmart).