In another installment in our series on the top things to watch in cybersecurity for 2022, the distributed or hybrid workforce has evolved from a phenomenon of the early pandemic to an enduring trend that shows no signs of subsiding. While COVID initially made remote working essential, employers and workers alike discovered a number of benefits – though more often now it has morphed to a hybrid model, with some proportion of both on-site and off-site working.
Two major factors impact the ability to work remotely, though: Connectivity and security. Reliable high-speed internet is available in many areas of the world, though lacking in certain areas. But because the remote worker and their connection essentially becomes an extension of the network edge, security is of paramount importance.
Old vs. New
VPN has long been the standard for supporting remote workers, essentially setting up a secure pipeline from the user’s device to the office. It’s been the dominant technology in this area for years, but it does have limitations. Since user support is typically license-based, it can quickly become expensive; further, scaling to meet the needs of an expanding distributed workforce can be difficult and costly.
Finally, VPN’s one-time authentication for full, unfiltered access to all of a company’s sensitive resources has attackers steepling their hands in anticipation like Mr. Burns of The Simpsons. As recently as last year, VPN technology was exploited during the Pulse Secure (now Ivanti) breach of last year, for example.
However, there are obstacles to transitioning completely away from VPN in terms of worker training, the cost of uprooting long-held infrastructures, and other challenges. In light of this, vendors like Hillstone are actively working to improve upon VPN capabilities to better support the distributed workforce. In addition, two-factor and multi-factor authentication (MFA) are widely used in conjunction with VPNs, though they add licensing costs and complexity to logins.
Newer technology concepts like zero-trust network architecture (ZTNA) are sometimes overlaid upon existing VPN infrastructures to augment security. Each method holds promise for tightening security gaps that currently exist; however, legacy VPN architectures usually make it difficult, expensive and even problematic to make an abrupt shift to new security concepts.
An interim step that many are looking into is SD-WAN, which is widely used to secure branch offices. Essentially, the remote worker is treated as a ‘branch of one,’ gaining the ability to prioritize business applications and access cloud services, all with enhanced security. SD-WAN has its own set of drawbacks, though – including per-user cost, deployment at scale, and other challenges.
Looking to the Future: SD-WAN, ZTNA and SASE
By all accounts the remote or hybrid workforce is here to stay, and security must evolve to support it. Looking ahead at 2022, we see developments in ZTNA that will not only make it a viable option to support the distributed workforce, but a steppingstone toward the secure access service edge (SASE) as envisioned by Gartner. Cloud-based architectures in particular are currently prime targets for ZTNA since they are typically greenfield deployments without heavy investment in legacy security infrastructures.
Before contemplating ZTNA, though, enterprises should consider SD-WAN as the first step in the progression to SASE. SD-WAN emphasizes the connectivity needed to support remote workers, while improving resilience, QoS, application optimization and administration – as well as securing traffic via IPsec VPN. Adopting SD-WAN for greenfield or expansion deployments, or to replace end-of-life technologies, can help pave the way for SASE in the future.
In our view, ultimately SASE is the end goal for securing the distributed workforce. It incorporates several technologies under its umbrella, including SD-WAN, secure web gateway, NGFW-as-a-service, cloud access security broker, and ZTNA. SASE overcomes the complexities of securing remote workers by creating a ‘new’ network edge with strong security for home offices, branch offices, IoT and BYOD devices, applications, and other internal and external connections.
By leveraging the cloud, SASE gains agility and nearly infinite scalability. Importantly, external agents are assigned a digital identity, and real-time contexts as well as compliance policies are utilized to further refine and secure the edge. We perceive a great deal of potential in SASE and its ability to secure the distributed workforce as well as other existing and upcoming developments in the expanding network edge.
