The World Turned Upside Down
Historically, corporate networks were designed for employees seated in physical offices. Vendors like Cisco and Juniper built large companies around these “campus networks”. Employees physically connected their desktops to the network and accessed applications run in on-premise data centers. With WiFi-enabled laptops users got a taste of freedom; so enterprises deployed Virtual Private Networks (VPNs) for access back to on-premise applications from homes and coffee shops. And then many of those applications moved to the cloud. Yet most organizations still have security architectures from the time of tower computers attached to physical ethernet ports.
Cisco’s recent earnings provide the best empirical evidence that network architectures are being inverted by the COVID-19 pandemic. Sales of networking infrastructure is down, while products like VPNs are up significantly. With the world sheltering at home, suddenly remote workers are the rule, not the exception. This shift outside the traditional network perimeter, which began long before COVID-19, presents an opportunity for organizations to finally upgrade their network and security architectures for the way people work today, rather than 20 years ago, and protect themselves against the most common threats.
The New Rules
The new rules for user and network security must assume that the network is temporal, that users are as likely to be on the office network as their WiFi at home. And the devices they use to do work – whether it’s checking a sales forecast or reviewing the financial model for an acquisition – happen across a heterogeneous mix of operating systems and form factors. Why focus on end user security? The vast majority of attacks now prey on the weakest link in IT security: people. A spear phishing email lands, a user clicks through a link, a threat is persisted, ransomware and IP theft proliferate, followed by pandemonium. To make matters worse, these attacks are seeing a dramatic increase during the COVID-19 seeded confusion.
Rule 1: Users access resources (mostly) in the cloud. Enterprise applications now live in the cloud, but the implications need to be operationalized. There’s no need to send SaaS traffic through the VPN back to a corporate network; it reduces performance and increases bandwidth costs. Intelligently route the traffic to where it needs to go, don’t bludgeon it into a VPN.
Rule 2: Users leverage a diverse collection of devices. Employees expect a corporate device (laptop) and the ability to add their own devices, such as smartphones and tablets. IT departments must assume this is standard behavior and deploy solutions and policies that support this expectation.
Rule 3: The network perimeter shrinks to the end user. You aren’t going to ship Salesforce a firewall and ask them to install it in front of your CRM instance, so your protections need to be rooted in the end user’s experience. Threats need to be detected and mitigated at the end user level, especially in a post-COVID world where family members are likely sharing devices to accomplish distance learning, remote interactions, and the like.
Rule 4: Consider the implications of Bring Your Own Pipe (BYOP). With everyone working from home, the attack surface has been skewed. Home routers, unpatched inkjet printers, security cameras, and smart televisions all represent vectors by which an attacker can compromise valuable intellectual property. Only three months ago Netgear announced a number of critical vulnerabilities affecting popular consumer routers. It’s critical that organizations understand the environmental threats that exist surrounding their end users.
Some of these rules began to emerge well before COVID-19 became a pandemic, first with Google’s BeyondCorp project and then the larger security industry trend towards Zero Trust (which is currently trapped in marketing buzzword purgatory). But their adoption has been slow relative to the expansion of traditional enterprise networking, especially in organizations that were not born in the cloud, and that must change.
Check Your Posture
To succeed in this new world, organizations must embrace simplified user and device posture-centric security. There are two domains of focus: the end user and the resource they are interacting with. Rather than binary decisions, solutions should consider key variables to decide if access is granted, and access can be allowed on a granular level (e.g. a user on a personal device on a guest network can access their own HR data, but not company intellectual property).
- User authentication: leveraging a Identity as a Service offering, make sure the user is who they claim to be – including multi-factor authentication (MFA), passwordless authentication, etc.
- Device posture: is the device a corporate managed device? Does it have the latest software updates and patches installed? Has a recent anti-malware scan completed with a clean bill of health?
- Normal user behavior patterns: does this user normally access these resources, at these times, from these locations? Did the user just appear to access other resources from a geographical location that is impossible to reconcile?
- Target: what is the enterprise value of the asset the user is attempting to access? Does it contain proprietary information, personally identifiable information? Is it a known attack vector that is unpatched and vulnerable?
By leveraging the above items, policies can be dramatically simplified away from complex and antiquated network-centric policies.
New World Order
By deploying solutions that answer these questions, organizations can build protective moats around their end users and minimize the damage done by an attack. Organizations can also begin to treat all users as equals, regardless of the device or network they’re operating from. COVID-19 has led to new working norms, and we must embrace the new rules for end user-centric security to keep information and employees safe.