The Complex New Normal of Network Access
In both their personal and professional lives, people are working out how to cope with the “new normal.” The novel coronavirus has disrupted established routines and upended norms, and even with a vaccine on the horizon, it’s going to be a long while before life gets “normal” again. Of course, that is not to say that it will return to the “old normal.” The way many professionals get their work done is just one among many things that are likely to be forever changed as a result of the pandemic and the accommodations that have enabled work to continue getting done – for those lucky enough to keep working.
Corporate responses to COVID-19 related restrictions have accelerated many IT trends that had been taking shape gradually, over the past years, and brought them into sharp focus. These include two big changes that have great impact on organizations’ cybersecurity posture and processes: 1) Migration to cloud computing; and 2) Increasing volumes of work done by remote and home-based workers.
The Ins and Outs of Secure Access
In a recent article in Forbes, I described a new secure access model, structured in terms of where the data, apps and other resources are located, and where each user is. In this post, I’d like to expand on that model, and take a deeper dive into how organizations should be thinking about access in each situation.
Users can be either “in” (in the office, on the internal network) or “out” (at home or another remote location). The data, applications and other resources they need can also be either “in” (on the corporate network) or “out” (in the cloud). As illustrated in the matrix below, this creates four different scenarios, each with different access and security challenges and requirements. Let’s dig in just a bit to the challenges particular to each scenario.
The classic in-to-in scenario is the obvious place to begin. Once upon a time, in hard-to-recall pre-internet times, computer users primarily worked from inside the office, using data and programs (nobody talked about “apps” in those days) on the corporate network. Security mostly meant physical security. Users had logins, and that seemed like enough.
Only it wasn’t enough then, and it’s certainly not enough now.
According to Forrester Research, 25% of data breaches are traced to insiders. Shopify was recently hit with a security incident that affected about 200 merchants. Two “rogue members” of their support team were responsible for the breach.
The principle of “least-privilege” microsegmentation can help limit the damage a rogue employee can do. With least-privilege access, users can only access the specific data and applications they need to do their job. Least-privilege access can be implemented a number of ways; the most common is “role-based access control” (RBAC), which allows anyone in a particular role within the company to access a specific set of apps and data. However, RBAC is not perfect – individuals with the same job title may need access to different resources. In order to enable access to ANYONE in the role, access must be enabled for EVERYONE, resulting in over-privileged access for at least some members. This is far from the ideal of tailoring access for each individual user.
Setting up true, per-user least-privilege access is very labor intensive, particularly for large organizations. That’s why Ericom Application Isolator (EAI) includes an innovative tool that automates the process of allocating least-privilege down to the user level.
EAI goes beyond restricting access by restricting visibility as well, so malicious insiders can’t even know which apps and data are “available” to attack, aside from those they are permitted to access for their work.
The next scenario we consider is Out-to-In: A user who is in a location other than the office – at home, on the road, at a remote worksite – and needs access to corporate resources.
The first challenge is to make sure that the user accessing the network is properly identified. It’s not enough to rely on passwords alone: Many users are sloppy about password hygiene, brute force attacks are becoming increasingly powerful, and there’s a brisk market for stolen credentials on the dark web. Multifactor authorization is strongly recommended for logon, especially for particularly sensitive data and apps.
The still-dominant model of securing Out-to-In access is to depend on VPNs and firewalls. A “castle and moat” model, if you will, with strong defenses to keep bad guys out. Once you – a presumed “good guy” were granted access and allowed inside, you could wander freely wherever you wanted. Unfortunately, as we saw in the In-to-In scenario, this assumption is flawed.
Microsegmentation is even more essential in an Out-to-In scenario than in an In-to-In. In addition to protecting against possible rogue insiders, if a cybercriminal manages to breach your defenses and get on your network, you want to limit their “East-West” access to minimize any harm they can do.
It’s essential to use secure technology when granting users remote access. Once coronavirus hit and millions of employees moved to working from home, there was a tremendous spike in attacks on one of the common protocols for remote access, Microsoft’s Remote Desktop Protocol (RDP). (Read more about making remote access more secure here.)
The In-to-Out configuration describes the case of a user who is inside the network and needs to access resources that are off the network – either websites or corporate cloud applications.
The danger here is that a user might surf to an infected site, click on a phishing email while on the office network, or download and open an infected file, enabling malware to be installed on the corporate network.
Many businesses rely on a cloud access security broker (CASB) to address this case. A CASB sits between the users and cloud applications, and is designed to prevent dangerous actions, enforce compliance with security procedures, and automatically stop malware.
CASB and other techniques such endpoint agents, reverse proxies, and others are not fully effective at securing this channel. There are too many “unknown unknowns” to be stopped with conventional anti-virus and anti-malware software. Remote Browser Isolation (RBI) is a better solution. With RBI, each website is opened in a single-use container that is isolated in the cloud. If a user clicks on a malicious link, malware cannot infect either the corporate network or the user device – it remains within the container until the end of the session, when both are destroyed. RBI works on a “Zero Trust” basis: all websites and everything in them is treated as potentially dangerous.
Of course, in addition to implementing protective technologies, it’s important to keep users educated about staying safe online. Periodic refresher training for users on how to identify suspicious websites and emails is a cybersecurity best practice.
With most medium and large corporations now operating in a hybrid cloud environment, users working from home or other remote locations need secure access to corporate resources in the cloud – and those same secure applications and resources need to be kept safe from malware that many be lurking on users’ unmanaged devices.
Out-to-Out access scenarios are particularly challenging since users often use personal, unmanaged and unsecured – and therefore vulnerable -- devices to access a business’s cloud or web applications. If devices are infected, malware can penetrate the enterprise apps to steal data, disrupt operations, and more.
Web Application Isolation, a remote browser isolation technology, protects enterprise apps from attacks via entry points like web page code and exposed APIs by isolating all remote contact with the app. Only a safe stream of rendering information interacts with the app: All content from user devices remains contained in remote browsers in the cloud – including any malware or threats.
The “new normal” for everyone – regardless of if, and when a vaccine is available, and when the coronavirus pandemic abates – is likely to include more work from home and more corporate resources in the cloud. The matrix model presented here can help IT and info security managers understand how best to cope with the challenges presented in a world where users, apps, and data can be – and are -- located anywhere.
Implementing a Zero Trust philosophy, based on not trusting any users, applications or data, inside or outside the network, or any websites or apps, since any might be suspicious, is simply good hygiene in a world where “out” may very well be the new “in.”