Securing the mobile enterprise means thinking outside the VPN box
By 2020 mobile workers will account for nearly three-quarters (72.3%) of the US workforce, according to technology research and consulting firm IDC.
This trend is good for business. It enables employees in sales and service to position themselves closer to their customer bases. It enables software developers to work from home. And it enables companies to deploy IoT at remote plants and in the field in order to monitor operations.
However, facilitating mobile computing also presents security challenges for network managers who have historically relied on virtual private networks (VPN) to secure user access to internal enterprise IT resources.
When a VPN isn't enough
Not long ago it was sufficient to meet corporate security and external audit requirements by implementing a VPN constructed with firewalls and network access control (NAC) protocols, which secured access to network nodes when devices attempted to access them.
But in today's world, users increasingly sign in to applications and off-premise clouds and cloud-based systems directly. They don't necessarily go through a VPN tied to an internal network-resident IT to gain access. This creates many more points of access to enterprise IT resources that might be in-house or off premises. It can also multiply the number of ways that an enterprise's in-house and cloud-based resources can be breached or compromised.
The message is clear for IT network managers: New ways of creating secure perimeters around corporate IT resources must be found and establishing perimeters must go beyond what was historically defined as a physical network.
"Business leaders face a digital imperative to boost user productivity, while also mitigating the risk of data breaches that are growing in size and frequency," said Sudhakar Ramakrishna, CEO of Pulse Secure, which provides software-defined secure access.
New security architectures
Ramakrishna joins technology researchers like Gartner in recommending that organizations consider adding software-defined perimeter security (SDP) to VPN, to broaden their overall security architecture for mobile, direct-to-application access that might not come through the company's internal network.
"Companies have always viewed access from outside of their four walls as potentially untrustworthy, and internal access as trustworthy," said Ramakrishna.
But now that companies have employees, sensors, and machines that access clouds and apps untethered to the corporate network and that are technically outside of the VPN perimeter, network managers must create new security architectures that are more user-centric than network-centric.
"What you need is an overall IT security architecture that can preserve existing VPN deployment while also adding new security platforms that can secure access to IT assets outside of the network from mobile access that comes from outside of the network," said Ramakrishna.
Zero trust network
One cornerstone of this strategy is to build networks around a zero trust security approach that leaves identifying user access and privileges solely to IT. In a zero trust network environment, end users, even those directly responsible for managing IT resources like robots, don't have to worry about administering system security, because IT sets up all of the security and access rules for them.
This zero trust concept can be built into both VPN and SDP networks.
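To make the contrast between the network-centric and the user-centric model concrete, here is an added example (not code from the article or from Pulse Secure) of a minimal access-decision function. It compares a perimeter check, which trusts any request from an internal address range, with a zero trust check, which evaluates the user's role and the device's posture on every request regardless of where it originates. The users, devices, applications, address ranges and posture fields are all constructed for illustration.

```python
"""Added example: perimeter-style versus zero trust access decisions.

Everything here (users, roles, devices, apps, the internal range) is
constructed sample data, not taken from the article or any product.
"""
from dataclasses import dataclass
from typing import Tuple
import ipaddress


@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    source_ip: str
    app: str


# Inventories that IT maintains centrally; the end user never edits these.
USER_ROLES = {"alice": {"sales"}, "bob": {"dev"}, "robot-17": {"plant-ops"}}

# Constructed device posture: managed by IT, disk encrypted, patches current.
DEVICE_POSTURE = {
    "laptop-a": {"managed": True, "encrypted": True, "patched": True},
    "laptop-b": {"managed": True, "encrypted": True, "patched": False},
    "phone-c": {"managed": False, "encrypted": True, "patched": True},
}

# Which roles may reach which application (constructed).
APP_POLICY = {
    "crm": {"sales"},
    "git": {"dev"},
    "telemetry": {"plant-ops"},
}

# Hypothetical internal address range used by the perimeter model.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")


def perimeter_decision(req: Request) -> bool:
    """Network-centric model: a request is trusted because of where it
    comes from. Identity and device state are never consulted."""
    return ipaddress.ip_address(req.source_ip) in INTERNAL_NET


def zero_trust_decision(req: Request) -> Tuple[bool, str]:
    """User-centric model: every request is checked the same way whether it
    arrives from the office LAN, a home connection or a plant sensor."""
    posture = DEVICE_POSTURE.get(req.device_id)
    if posture is None or not posture["managed"]:
        return False, "unmanaged or unknown device"
    if not (posture["encrypted"] and posture["patched"]):
        return False, "device fails posture check"
    roles = USER_ROLES.get(req.user, set())
    if not roles & APP_POLICY.get(req.app, set()):
        return False, "user role not authorized for app"
    return True, "allowed"


if __name__ == "__main__":
    # A sales user on a compliant laptop, connecting from outside the office.
    remote = Request("alice", "laptop-a", "203.0.113.5", "crm")
    # A developer on the office LAN asking for an app their role does not cover.
    inside = Request("bob", "laptop-a", "10.1.2.3", "crm")
    for r in (remote, inside):
        print(r.user, "perimeter:", perimeter_decision(r),
              "zero trust:", zero_trust_decision(r))
```

The perimeter check lets the internal request through and blocks the remote one; the zero trust check does the opposite, because it keys on role and device state rather than on source address. The same function can sit behind a VPN concentrator or an SDP gateway, which is the sense in which the article says the concept can be built into both.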
Guidelines for securing assets
The second stage of security implementation must then address the totality of IT assets to secure, and how to accomplish it.
For this, there are three guidelines:
Work to simplify the user experience: For end users, security authorization and access to IT resources should be straightforward and seamless, with IT setting and controlling security policies. This way, all the user needs to worry about is reaching the application they want to use. The security administration experience for IT can be simplified as well, by providing a single pane of glass on a computer console through which an administrator can monitor and control all security activity, whether it is coming from a VPN or from an SDP-secured access point.
Assume that everyone will be mobile at all times: This way, both your VPN and SDP security are always set for all users, no matter how they choose to access IT resources.
Protect your existing technology investments: VPN works well, and most organizations have sizable investments in it, but VPN does not provide secure access to on-cloud apps from mobile devices. This makes the adoption of a "hybrid" network architecture a necessary approach that can also scale with your budget.
"By adding SDP security to VPN security, enterprises can acquire the security flexibility now needed to manage mobile devices, IoT and cloud access, and it can also preserve their existing VPN technology investments," said Ramakrishna.