Work-from-Everywhere – Perspectives from the C-Suite
According to a recent Forbes survey, nearly 20 percent of companies now operate fully remote, and 98 percent of all workers want to work from home, at least some of the time. When employees leave the office and work from anywhere, what do you think is THE most important network capability for executives surveyed? (hint: it’s not security) Last week, Zayo and Cloudbrink co-hosted a webinar that presented how best to tackle the security and performance hazards when employees work from everywhere.
Shawn Edwards, CSO, Zayo | Prakash Mana, CEO, Cloudbrink | Karl Gouverneur, CTO, Struxtion
The Historical Trade-Off
Companies have always needed to balance top-notch security with network performance – and it feels like a zero-sum game. More security usually meant poorer performance. Blazing fast, always-on performance usually meant compromised security.
Prakash Mana, CEO of Cloudbrink, concurs that this mindset is well ingrained: “The security team was where you went to have requests denied.” And cybersecurity executives weren’t in the habit of placing user experience top of mind when making security decisions. But when most executives cite performance over security as the most important element of remote work, security staff needs to rebalance.
The choice of secure remote access solutions and the policies for remote work have a direct impact on the business. So let’s look at the challenges of remote security, what the security stack needs to look like, and where the user experience fits in the new work-from-anywhere normal.
The Challenges of Securing a Remote Workforce
Karl Gouverneur, CTO: I see three main challenges to remote work in general. The first is innovation. To me, innovation is a contact sport. The magic happens when people get together around a table, so we still need to provide that experience. The second has to do with the performance of the application stack. We all use hundreds of applications at work.
These applications were designed to work nicely with your offices, in your corporate headquarters, and in central locations connected via very high-speed links to your data centers. Otherwise, the experience isn’t ideal. A third challenge is obviously security. Before work-from-home, CISOs had scores of endpoints to secure. They now face thousands. For those (like me) whose primary role is to manage risk, the attack surface suddenly increased exponentially.
Multi-factor authentication, managing access controls, dealing with the regulators, and educating employees – all those things contribute to having a better cybersecurity posture. But at the end of the day, the biggest challenge, the weakest link, is the network infrastructure. CISOs need to provide the best, most inclusive digital experience to home workers, and that means they need to prioritize network insufficiency at home.
Shawn Edwards, CSO: And specific to security, one challenge is making a cultural shift within the CISO. We used to be the “office of no,” or the CIS-“NO!” division. Today, we have a kinder, gentler security approach. Call it “defense in depth” or “security by design,” it provides a multi-layered approach to security that enables the business and empowers the organization.
As strange as it seems for a security guy to talk about user experience, we need to champion it. This means abandoning the “one-trick pony” approach to security. Instead, we’re putting depth of strategy into our security so that we build out our infrastructure, our controls, and our capabilities to offer a multilayered defense model that, at the same time, actually enhances the user experience.
Finally, the challenge of simplicity for the user. The user should have a frictionless experience accessing the corporate cloud, the public cloud, or a SaaS application. Using SD-WAN, our high-speed fiber connections, and the right partner (such as Cloudbrink), we have accomplished this for our own at-home workforce.
Security From the Inside Out: VPNs Just Don’t Cut It Anymore
Shawn Edwards, CSO: Ah, VPNs – once in, always in. Every user comes in, they’re dropped off into the network in the same model, and you rely on the network and its accounts to manage it.
A VPN was a sound model for a centralized, office-based workforce, but it is inflexible in our new work-from-everywhere environment.
Prakash Mana, CEO: Working from everywhere presents a dual challenge: it’s as much a security challenge as it is a productivity challenge. When companies decided that they needed a “perimeter-less” security posture – they didn’t define it properly. They thought that moving security from the data center to the cloud achieved it. But since the end user is where most of the data is curated and consumed, the shift to perimeter-less security means a shift all the way to that end user’s workflows.
And it has to adapt quickly. People and applications are moving at an unprecedented pace. Security needs to move right along with them, at least at the same pace. We all thought that IPSec and SSL were unbreakable; trust would not change for one, three, or five years.
We need, as Gartner coined it, a “moving target defense,” a security model that has such a high level of entropy that even before a hacker gets anywhere close to breaking your security, the entire process of your organization morphs and changes, and it keeps changing. It keeps updating itself much faster than a hacker can ever imagine, or even approach penetrating.
Work from home is a board-level conversation – the stakes are that high. A simple increase in VPN bandwidth falls far short of the user experience goals of CIOs.
So What Does That “Zero Trust” User Experience Look Like?
Karl Gouverneur, CTO: An airport analogy: when you travel outside the U.S., your boarding pass, your passport, and your ID are checked multiple times – initially to pass security, again in a holding room, again when you’re boarding the flight, and again upon transfer. Zero trust security is like this – multiple checks for each application access request. The difference is that the user never knows they’re being checked. The checkpoints, the gating, the verifying – it all happens transparently to the user. The result? The user isn’t stymied by multiple authentication requests – and work continues productively.
Shawn Edwards, CSO: The more you can compartmentalize, or assign “prescriptive” access – and the more you authenticate behind the scenes – the more you reduce your attack surface. Zero trust does this. Zero trust can be difficult to implement, but we tend to over-engineer zero trust solutions. When technology and security teams partner, they can implement simple, basic security measures that provide the requisite preliminary level of security. Leveraging zero-trust models is an easy win. Zero trust provides just-in-time, and just the right level of access per individual.
Zero trust is personalized. My employees have a different level of access to applications during different time windows than my contractors, partners, or agents. This level of security granularity creates a much simpler environment for the end users. It also allows me to contain and control a security incident’s “blast radius” should one occur.
Zero trust has the advantage of being less expensive as well. Cloudbrink’s model is a software-only model. In the past, reducing risk meant bringing all user traffic back to “the castle” before allowing it to continue to the Internet. This required banks of VPN concentrators on site. Now zero trust models allow traffic to go from the remote user to the Internet directly with all safeguards in place.
Prakash Mana, CEO: The zero trust environment, when paired with the ultra-fast network connections provided by Zayo, really makes a huge difference to the performance and security of remote work.
We’re integrating with Zayo. This means that when remote users try to access a cloud, SaaS, or a data center-based application for example, the Cloudbrink app on the user’s device will quickly identify the nearest Zayo ultra-low-latency (ULL) link ingress point. Instead of users going through the clouded, “dirty” public Internet all the way to the storage of their resources, they’re routed along Zayo’s ultra-fast network highway, improving speed, overall stability of the connection, and security as well.
Our customers have told me that this Cloudbrink/Zayo combination has improved their speed by over 30,000%!
What About Mobility? Can my Employees use Public Wi-Fi?
Don’t do it! That Starbucks or United terminal free Wi-Fi can be a dangerous, insecure environment! I always advise my users against it. When you see “free” Wi-Fi, steer clear.
The new generation of protocols allows us to do two things. First, we can bring a much higher level of reliability to these inherently less reliable networks. Second, these open networks are, by design, less secure. But now, for the first time in history, you don’t have to worry about tunneling every packet and slowing down the experience when applying security measures. You can bring security into the transport layer itself. So you can provide an ultra-reliable and secure network to your mobile workforce too.
Use your brain. This is the crux of the annual security training we put our employees through – be smart about what you do, and where and when you do it. I always assume the network is dirty and not secured, so I make sure I have the right security in place to mitigate that risk. That said, if I connect to an unsecured network and get a weird security pop-up? I’m gone.
The Last Mile – Is it Still an Issue?
Prakash Mana, CEO: The good news is that cloud-native edge has become so prevalent that according to the latest stats, 84% of the workforce now lives no more than 7 to 20 milliseconds from the closest edge location. So the “last mile” has been reduced to the last few hundred feet. And while these last few hundred feet are 100% still a problem, newer machine learning models mean that we’re now able to dynamically provision these fast edges, wherever the users are, and vastly improve their experience.
How Do I Ask for a Budget to Build Out Zero Trust?
Shawn Edwards, CSO: If you’re asking your C-Suite for support and budget to implement just-in-time authentication and access security, explain to them the “triple win” of zero trust.
Win #1: user experience
Zero trust provides personalized access directly from the user to their resources. When you take all traffic across big pipes into a centralized resource, only then to swing it right back out through a proxy to the Internet – latency increases, so the performance of latency-sensitive applications suffers.
Win #2: improved security
Speak in the universal language of risk. Zero trust solutions mitigate risk by shrinking the attack surface and reducing points of exposure for the organization. Your C-level executives will understand this intuitively.
Win #3: lower cost
We no longer need the banks of VPN concentrators we have in the office… and those big pipes we talked about earlier? They’re expensive! Overall, this software-only solution can save lots of money.
Transporting Yourself 4 Years Into the Future
Karl Gouverneur, CTO: The “Brady Bunch” heads-in-tiles remote meeting will be replaced with a much more immersive experience. Imagine when a single gesture will result in a digital response within the meeting (this happens today!). Imagine a remote meeting that feels so real you think you’re sitting at the same table with your colleagues.
And imagine the additional bandwidth that kind of enriched experience will chew up.