Adapting Security to Work Anywhere
"Working ~~from home~~ 2021" (with "from home" struck through) was the title of my talk at The Cyber Security Summit in January, and the strikethrough is the point. After a massive shift away from common workspaces in response to the global pandemic, there is no more working remotely or working from home; there is just working. The axiom "work is what you do, not where you go" has never been so true.
The possibility for the workforce to be location independent is now reality. We will never go back to an environment in which a preponderance of people toil away in office buildings five days a week, from nine to five, nor will we carry on the quasi-cottage industries of 2020 with everyone at home trying to be productive. For every executive looking to trim the real estate budget while enjoying less commute and more family time, there are several employees staring at laptops on the edge of their beds sharing spotty Wi-Fi with flatmates who can't wait to get back in the office. As a result, we'll end up with a hybrid work environment moving forward, which is a good thing.
The immediate need to support a surge in remote work, triggered by COVID-19, created a huge dilemma for technical teams across the globe. Virtual private network (VPN) access was intended for 5% of the workforce, not 100%, and security was designed around everyone being in the office. Organizations were not prepared for this sudden inversion. As a security strategist here at Akamai, I've seen organizations respond in three phases to the challenges of enabling and securing a remote workforce.
Going remote in phases
The first phase was panic: moving 5,000 people out of the office and getting them working from home, by the weekend! In this phase, whatever remote access method existed previously, usually VPN, was scaled quickly out of pure necessity.
The next phase was the realization that the secure network patched together now resembled a colander, with gaps that could be exploited as entry points for cyberthreats. Remote access, which was originally designed for occasional email checks or system administration server reboots, was now being used by everyone, and these users don't have the same security orientation as the IT team. Securing all these remote connections became a priority, adding better endpoint protection, more distributed denial-of-service (DDoS) defenses for VPN gateways (which suddenly became the linchpin of the entire company), and updating anti-phishing tools.
The final phase was the recognition that there must be a smarter way. An entire organization using VPN to work was not sustainable from a performance or security perspective. Many IT transformation initiatives were already underway or accelerated in 2020, but were now faced with the concept of connecting data and users from anywhere and everywhere. They were still, however, locked into sending traffic down virtual tunnels, fixed locations, and bottlenecks. As the world reopens, a hybrid work environment will become the standard, but how can organizations allow for flexibility without compromising security?
A smarter way to work
The new approach must improve the user experience and security at the same time. It must offer the ability to work effectively, without juggling multiple VPN connections as applications migrate from data centers to the cloud. It must also eliminate the additional latency of having to "trombone" or "hairpin" traffic -- routing it through a central security system only to go back out to the cloud again, rather than go directly to the cloud.
Employees are now reaching the corporate network from home networks shared with many other devices -- school laptops, televisions, smart washing machines, and more -- which may have questionable levels of security, raising the chance that the corporate endpoint itself is exploited. In addition, exposed Remote Desktop Protocol (RDP) ports and internet-facing VPN portals add attack surface; RDP attacks grew by 768% in 2020. Many breaches start with a compromised endpoint or stolen credentials, after which attackers move laterally through the network, finding unpatched servers, exploiting them, and elevating privileges until they reach valuable data to exfiltrate. This risk existed in a traditional office environment, but it is greater now that organizations have opened their networks to remote users.
The smarter solution is clear: Instead of connecting machines directly to networks, we should focus on connecting users to applications. By leveraging the internet as a conduit, we can drastically reduce risk and improve performance.
Connecting users to applications
In a traditional scenario, once users connect over VPN, they have essentially the same network-level access as people in the office, but the network the remote user is actually sitting on -- the one with potentially insecure endpoints or poor password management -- might be unsafe. For example, an engineer on a VPN can usually reach the accounting servers at the network level even without valid credentials for them, and if that connection is compromised, a threat actor now has the same reach: the ability to enumerate IP addresses, open ports, and unpatched vulnerabilities and pick targets.
Zero Trust is a security model based on strict identity verification that has been applied to many different tools, and it is a natural fit for remote access. First, authentication takes place before the user is connected to the application at all. Multi-factor authentication (MFA) is a requirement for most organizations, but one-time codes can still be defeated by man-in-the-middle phishing -- an attacker sits between the user and the real login page and relays the code in real time -- as famously happened at Twitter. A FIDO2 security key registered to the user's laptop closes that gap, because the signed assertion is bound to the genuine site's origin and cannot be replayed by a phishing proxy. Without successful authentication the request is simply dropped, and there is no connectivity of any kind between the client and the application.
Next, authorization allows least-privilege access, a principle adopted by Zero Trust that further reduces risk by only providing users with the access needed to do their jobs. Requiring authorization for an application before connecting to it reduces the attack surface, sometimes considerably given the number of applications in an organization.
Finally, and perhaps most significantly, we never need to connect the device to the server the application runs on. Because Zero Trust Network Access delivers applications through a cloud-based service, the service proxies the connection: the device talks only to the proxy, the proxy talks to the application on its behalf, and the device never receives a route into the network the application lives on. If the user's device is compromised, all that is exposed is the address of the cloud proxy, not the server or anything next to it. This also makes device choice more flexible, for example when an employee who usually works on a desktop in the office wants to use a personal laptop at home.
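To make the three steps above concrete, here is an added example (not Akamai's or Enterprise Application Access's code) of a minimal identity-aware broker: it refuses to open anything until identity and MFA are verified, authorizes per application with deny-by-default roles, and hands the client only the proxy address, never the backend. The users, roles, application backends and the proxy hostname are all constructed for the example, and the `vpn_reachable` function models the flat VPN case for contrast.

```python
"""Added example, not the page's or Akamai's code: a toy Zero Trust Network
Access broker. Authenticate first, authorise per app, then proxy so the client
never learns the application server's address. All data below is constructed."""
from dataclasses import dataclass, field
from typing import Optional

# The only address a client ever connects to (hypothetical hostname).
PROXY_HOST = "access.example.com"


@dataclass(frozen=True)
class App:
    name: str
    backend: str            # internal address; must never be returned to a client
    allowed_roles: frozenset


@dataclass
class Session:
    user: Optional[str]
    roles: frozenset = field(default_factory=frozenset)
    mfa: Optional[str] = None   # "fido2", "totp" or None (constructed values)


# Constructed application estate; backends are private RFC 1918 addresses.
APPS = {
    "accounting": App("accounting", "10.0.5.12:443", frozenset({"finance"})),
    "git":        App("git", "10.0.7.21:443", frozenset({"engineering"})),
    "hr-portal":  App("hr-portal", "10.0.9.4:443", frozenset({"hr", "finance"})),
}


def authenticate(s: Session, require_phishing_resistant: bool = True) -> bool:
    """Step 1: nothing is connected until identity and MFA are verified.
    A FIDO2 assertion is origin-bound, so a one-time code relayed through a
    phishing proxy does not satisfy the phishing-resistant policy."""
    if s.user is None or s.mfa is None:
        return False
    if require_phishing_resistant:
        return s.mfa == "fido2"
    return True


def authorize(s: Session, app: App) -> bool:
    """Step 2: least privilege. Deny unless one of the user's roles grants the app."""
    return bool(s.roles & app.allowed_roles)


def broker(s: Session, app_name: str) -> Optional[dict]:
    """Step 3: return a proxied connection descriptor, or None when the request
    is dropped. The backend address is used by the proxy tier only and is never
    part of what the client receives."""
    app = APPS.get(app_name)
    if app is None or not authenticate(s) or not authorize(s, app):
        return None     # no connection of any kind is opened for the client
    return {"connect_to": PROXY_HOST, "app": app.name}


def vpn_reachable() -> set:
    """Contrast: a flat VPN exposes every backend to any connected user,
    credentials or not, which is exactly the lateral-movement surface."""
    return {a.backend for a in APPS.values()}


def ztna_reachable(s: Session) -> set:
    """Under the broker, a user can only discover the apps they are authorised
    for, and even those only by name, never by internal address."""
    if not authenticate(s):
        return set()
    return {a.name for a in APPS.values() if authorize(s, a)}


if __name__ == "__main__":
    alice = Session("alice", frozenset({"engineering"}), "fido2")
    print("alice -> git:", broker(alice, "git"))
    print("alice -> accounting:", broker(alice, "accounting"))
    print("VPN reach:", sorted(vpn_reachable()))
    print("ZTNA reach:", sorted(ztna_reachable(alice)))
```

Note what the compromised-endpoint case looks like here: a stolen TOTP code gives a session with `mfa="totp"`, which the phishing-resistant policy rejects outright, and even a fully authenticated engineer sees only `{"git"}` rather than the three backend addresses a VPN would expose.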
Secure cloud-based application access in the public sector
Secure remote work is critical across all industries, especially those on the front lines. Part of the National Health Service (NHS) in the United Kingdom, NHS Forth Valley provides healthcare to one of 14 regions in NHS Scotland. At the outset of the COVID-19 crisis, many staff members needed to work remotely, and the existing VPN infrastructure was not able to scale and provide access to all the necessary applications.
To quickly enable secure access to its application estate during COVID-19, NHS Forth Valley worked with our team at Akamai to deploy a simple, cloud-based solution that could use MFA to ensure secure access and allow full control and visibility over the users and applications. As a result, NHS Forth Valley eliminated its VPN challenges, created a reliable user experience, and protected sensitive applications. To hear more about how NHS Forth Valley secured remote access in the midst of a global health crisis, watch the webcast.
Embracing work in 2021 and beyond
Leveraging the cloud, we can better define the edge of the network, ensuring that authentication, authorization, and access are not constrained by legacy models and network architecture no longer relevant to the work of today and the future. With the cloud, users can access applications that have been checked, validated, secured, and optimized far more quickly than over VPN alone.
The on-premises security stack of old now lives in the cloud, close to users, so the user experience is not hampered by unnecessary latency, and valuable assets are shielded from lateral movement because users reach the application through a proxy, not the network. When the user's device is never connected to the server the application runs on, a compromised endpoint has no route to that server or its neighbours; application-layer attacks still need application-layer controls, but the network path for lateral movement is gone.
Now that the workforce is no longer location-dependent, there is no better time to use the cloud to enable the future of work. Akamai can help you create a flexible, secure workplace with Enterprise Application Access, a unique cloud architecture that ensures authorized users and devices have access to only the internal applications they need, not the entire network. By leveraging the Akamai Intelligent Edge Platform, organizations can safely allow users to do their work, wherever they go.
About the author
Richard Meeus is Akamai's EMEA Director of Security Technology and Strategy. With more than 20 years of experience, Richard is responsible for designing and building secure solutions for some of the world's most influential organizations. Starting out as a hardware engineer, his career has progressed alongside the technology industry, transitioning from hardware to software focus.
Richard is an industry expert in cloud computing, enterprise software, and network security. During his time at Akamai, Mirapoint, and Prolexic, he has had a strategic role across a broad range of projects, including the deployment of DDoS solutions for multinational organizations to protect critical infrastructure and sensitive data. He is a chartered member of the BCS and a CISSP, and considered a thought leader in the industry.