The COVID-19 pandemic was a forcing function for organizations to improve the security of their distributed workforce. Examples of security enhancements include the increased adoption of two-factor authentication and remote access tools like VPNs.
These improvements can strengthen an organization’s security posture, but on their own they do not add up to a remote workforce strategy. Under pandemic pressure, IT and security teams often lacked the time or budget to build long-term strategies for connecting remote workers to self-hosted applications across hybrid cloud environments, to SaaS applications, and to the Internet. Organizations therefore made the investments and changes that they could.
Unfortunately, short-term fixes can result in visibility and security gaps that make remote workers’ computers and cloud solutions an enticing and vulnerable target for cyberattackers.
Here are the five most common band-aid solutions organizations implemented during COVID-19 and the long-term issues related to them. Later, we discuss ways to move past these solutions and adopt a workforce security strategy that will be more effective for the long-term.
When the COVID-19 pandemic began, many organizations used virtual private network (VPN) connections to let remote employees securely access the corporate network.
VPNs can be an effective remote access solution, but they are designed for a particular use case: periodic, short-term connections by a small number of systems. They have several limitations that make them ill-suited for constant use by an entirely remote workforce, including:
Poor performance: VPN infrastructure is typically sized for a fraction of an organization’s workforce, and its load grows with the number of concurrent VPN users. A fully remote workforce can therefore overwhelm an organization’s VPN and security infrastructure, causing degraded performance or outages.
Session timeouts: VPN session timeouts are a necessary security feature. However, they are inconvenient for remote workers who use the VPN as a primary source of enterprise network access.
Access controls: A traditional VPN grants access at the network layer: once connected, a user can reach any routable host regardless of their role. Firewalls can help, but many use IP-based rules, which work poorly with highly mobile devices and with cloud apps whose IP addresses change constantly. Next-generation firewalls may offer user-based access controls, but typically lack the flexibility to work with several identity providers concurrently, and can be difficult to integrate with cloud-based identity providers.
Lack of identity controls: VPNs are intended solely to provide an encrypted connection between two points. Additional machinery, such as a public key infrastructure that issues per-device certificates, is required to ensure that a connection comes from an approved device. Even then, a certificate proves only that the device holds the key, not that it is patched or otherwise healthy.
Lack of visibility: Many organizations’ VPNs are not terminated at a layer 7 proxy. This means that the organizations lack visibility into specific user interactions within these connections — a significant gap.
VPNs are, at best, a temporary solution for supporting a remote workforce. Organizations investing in additional VPN appliance capacity and redundancy for extended telework will need to take steps to mitigate the limitations and security challenges.
As noted, a sudden surge in VPN usage can overburden VPN servers and add latency for end users. As a result, some organizations have adopted split tunnelling, in which traffic bound for the corporate network is routed over the VPN, while Internet-bound traffic is sent directly to its destination.
While split-tunnel VPNs reduce latency, they do so at the cost of security: the organization loses visibility into Internet-bound traffic from remote workers’ computers. Those devices can then be infected with malware without detection, and sensitive data on remote users’ computers can be stolen unnoticed.
In addition, split-tunnelling VPN traffic means remote devices are no longer protected by perimeter-based defenses, increasing their risk of compromise via phishing attacks and exploitation of unpatched software. If a remote device is compromised, and its VPN connection is enabled, an attacker can pivot and gain access to systems within the enterprise network. And when the user logs directly into a SaaS application, the compromised remote device can attempt to exfiltrate data cached within the web browser.
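To make the visibility gap concrete, here is an added illustration (not part of the original article and not any vendor's code) that models a VPN client's routing table as a list of prefixes with longest-prefix match, exactly as a host routing table behaves. The two tables, the destination addresses and the flow names are constructed sample data; the point is which destinations leave the device without ever passing the VPN concentrator and the security stack behind it.

```python
"""Route selection under full-tunnel vs. split-tunnel VPN configurations.

Added illustration for this article; tables and addresses are constructed.
Each routing entry is (prefix, next hop). The most specific matching prefix
wins, as in a real host routing table.
"""
import ipaddress

# Constructed client routing tables (hypothetical, not a product's syntax).
# Full tunnel: default route via the VPN; only the local LAN stays direct.
FULL_TUNNEL = [("0.0.0.0/0", "tunnel"), ("192.168.1.0/24", "direct")]
# Split tunnel: default route direct; only corporate ranges via the VPN.
SPLIT_TUNNEL = [
    ("0.0.0.0/0", "direct"),
    ("10.0.0.0/8", "tunnel"),
    ("172.16.0.0/12", "tunnel"),
]

# Constructed flows a remote worker's laptop might generate.
FLOWS = [
    ("intranet", "10.20.30.40"),      # self-hosted app on the corporate LAN
    ("saas-mail", "203.0.113.10"),    # SaaS application on the Internet
    ("phish-site", "198.51.100.7"),   # malicious site reached from a phishing mail
    ("printer", "192.168.1.50"),      # device on the home LAN
]


def next_hop(dst: str, table: list) -> str:
    """Longest-prefix match of dst against table; returns the next hop label."""
    addr = ipaddress.ip_address(dst)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    if best_hop is None:
        raise ValueError(f"no route to {dst}")
    return best_hop


def uninspected(flows: list, table: list) -> list:
    """Names of flows whose traffic bypasses the VPN, and so any inspection
    performed at the concentrator (secure web gateway, IDS, DLP)."""
    return [name for name, dst in flows if next_hop(dst, table) == "direct"]


if __name__ == "__main__":
    for label, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(f"{label}: uninspected = {uninspected(FLOWS, table)}")
```

With the full-tunnel table only the home-LAN printer escapes inspection; with the split-tunnel table every Internet destination does, including the phishing site and the SaaS login, which is the gap the paragraph above describes.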
In the past, all of an organization’s infrastructure was located on-premises, so security was deployed there as well. The growth of cloud computing, SaaS applications, and remote work has changed this model.
To improve remote access and security, some organizations have worked to shift applications and data to cloud deployments. However, these moves often happen out of sync. Two common mistakes include:
Shifting secure web gateway proxy controls to the cloud, sometimes focusing only on sanctioned apps via a cloud access security broker (CASB) solution, but keeping remote access VPNs
Shifting remote access to the cloud (with or without a VPN-like client) without concurrently shifting the secure web gateway — or full firewall — to the cloud
By separating remote access and security functionality, an organization harms either network performance or security. Traffic via the remote access client may not undergo security inspection, leaving remote workers vulnerable to phishing and malicious websites. Alternatively, traffic may be backhauled to the location of the organization’s security stack, which provides security at the expense of employee productivity and application performance.
Allowing remote employees to work from personal devices — a common practice at the beginning of the pandemic — creates several potential privacy and security issues. Enforcing corporate security policies and the use of endpoint security solutions is more challenging with personal devices. For this reason, many organizations chose to provide remote workers with corporate computers — which already have required security software installed, and may be configured to comply with corporate policy.
However, providing laptops to remote workers only solves a portion of the security challenges of telework. The organization also needs infrastructure and policies for distributing policy and software updates to these remote devices. Companies are slow to apply software updates in general, and, historically, remote devices receive patches more slowly than ones located on-site. Without infrastructure in place to push software updates to remote workers, this creates potential attack vectors against remote workers.
The shift to remote work introduces new security and monitoring challenges for an organization. In response, security teams sought out and deployed tools that addressed specific use cases, often from different best-in-class providers. Examples include Zero Trust Network Access (ZTNA) to secure remote access, a CASB to secure SaaS access, and a cloud secure web gateway (with DNS and firewall functionality) to secure Internet access.
As a result, these security teams are left with an array of standalone, separate, and overlapping security tools. This only contributes to the alert overload most security teams experience and results in security and visibility gaps where different tools’ capabilities end. These visibility gaps allow attackers to slip through and gain access to enterprise systems.
If an organization is still reliant on one or more of the short-term solutions outlined above, filling the resulting security and visibility gaps will make their strategy more sustainable and effective for the long-term.
To start, consider these five recommendations:
A secure remote access service ensures that all business traffic is encrypted in-transit, remains visible, and that the business can perform security inspection and policy enforcement. But, as applications move to the cloud, on-premises remote access solutions like hardware VPNs and firewalls can degrade application performance.
When remote access solutions operate in the cloud along with the application, the need to backhaul traffic to the enterprise LAN for inspection is eliminated. This improves the performance and latency of remote users’ traffic, and, since the solution is cloud-based, offers greater flexibility and scalability than traditional, appliance-based solutions.
VPNs are remote access technologies designed for an outdated, perimeter-based security model. They provide authenticated users with complete access to corporate resources, which violates the principles of least privilege and Zero Trust security. Under a Zero Trust policy, users are granted access to specific resources on a case-by-case basis.
Some attempts have been made to modernize VPNs by moving them to the cloud, which does fix the problem of centralization of VPN infrastructure on the corporate LAN. However, this approach does not fix the larger problem that VPNs are not designed for the distributed modern enterprise and should be replaced with solutions that natively support Zero Trust security models.
As the use of the cloud to host internal applications becomes more widespread, the attack surface has expanded in tandem. Each application that is exposed to remote workers — and the Internet as a whole — is another potential attack vector.
Minimizing risk requires applying a Zero Trust policy for application access. Instead of allowing an authenticated user full access to an organization’s environment and applications, access should be granted on a case-by-case basis, determined by access control policies.
Accomplishing this requires the ability to enforce access controls across an organization’s entire network. This requires the use of a large global network and the ability to enforce access controls for both self-hosted and SaaS cloud applications.
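The per-application, case-by-case policy described in the two recommendations above (replacing VPNs with Zero Trust access, and applying Zero Trust policy per application) can be shown side by side with the network-level VPN model. The block below is an added illustration written for this article; it is not Cloudflare Access or any other product's policy engine, and the users, groups, devices, applications and rules in it are constructed. It also folds in the device-health point made elsewhere on the page: a user in the right group is still denied from an unmanaged or badly out-of-date device.

```python
"""Network-level VPN access vs. per-application Zero Trust evaluation.

Added illustration for this article; all data and the policy shape are
hypothetical and constructed, not a real product's policy language.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    managed: bool            # corporate-managed with endpoint security installed
    disk_encrypted: bool
    os_patch_age_days: int   # days since the last OS patch was applied


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # identity-provider group memberships
    device: Device
    app: str                 # application the user is trying to reach


# Hypothetical per-application rules: which groups may reach the app and what
# device posture it demands. Every application must have a rule; absence of a
# rule means deny.
POLICIES = {
    "wiki":    {"allow_groups": {"staff", "contractors"}, "require_managed": False, "max_patch_age": 90},
    "payroll": {"allow_groups": {"finance"},              "require_managed": True,  "max_patch_age": 14},
    "gitlab":  {"allow_groups": {"engineering"},          "require_managed": True,  "max_patch_age": 30},
}


def vpn_decision(req: Request) -> str:
    """Network-level VPN model: an authenticated user reaches any routable app.
    The application name and device posture play no part in the decision."""
    return "allow"


def zero_trust_decision(req: Request) -> str:
    """Evaluate the rule for req.app on this request; default deny."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return "deny: no policy for application"
    if not (req.groups & policy["allow_groups"]):
        return "deny: group not permitted"
    if policy["require_managed"] and not (req.device.managed and req.device.disk_encrypted):
        return "deny: device not managed or not encrypted"
    if req.device.os_patch_age_days > policy["max_patch_age"]:
        return "deny: device patch age exceeds policy"
    return "allow"


def compare(requests: list) -> list:
    """Return (user, app, vpn_result, zero_trust_result) for each request."""
    return [(r.user, r.app, vpn_decision(r), zero_trust_decision(r)) for r in requests]


if __name__ == "__main__":
    managed = Device(managed=True, disk_encrypted=True, os_patch_age_days=3)
    personal = Device(managed=False, disk_encrypted=False, os_patch_age_days=120)
    sample = [
        Request("alice", frozenset({"finance"}), managed, "payroll"),
        Request("alice", frozenset({"finance"}), personal, "payroll"),
        Request("bob", frozenset({"engineering"}), managed, "payroll"),
        Request("bob", frozenset({"engineering"}), managed, "unknown-app"),
    ]
    for row in compare(sample):
        print(row)
```

The VPN column is "allow" for every row, including the engineer reaching payroll and the finance user on a personal laptop; the Zero Trust column allows only the request that satisfies the application's own rule.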
Remote workers’ devices are likely less secure than their on-premises counterparts. Historically, remote devices are slower to apply patches, and remote workers using personal devices may only be protected by corporate security solutions for connections made over the enterprise VPN. As a result, remote workers are at higher risk of browser exploits and other cyber threats.
Zero Trust browsing reduces cyber risk by implementing cloud-based browser isolation. Instead of allowing the scripts embedded within webpages to run on the user’s device, they are executed on single-use, disposable browser instances.
The cloud-based solution browses sites for the user and delivers a replica of the page to them. This replica should be built in such a way that it provides both high performance and security (i.e. not adding latency, breaking sites, or allowing potentially malicious code to slip through). Zero Trust browsing provides an organization with the visibility and control required to identify and block attempted data breaches and other cyberattacks.
As organizations’ network complexity and attack surface increases, security teams need solutions that enable them to protect their organization. Stop data loss, malware, and phishing with the most performant Zero Trust application access and Internet browsing solution, Cloudflare Zero Trust, a long-term remote workforce security solution that includes:
Zero Trust Application Access: Cloudflare Access provides Zero Trust application access for SaaS and self-hosted applications, and routes all inbound traffic through Cloudflare’s global edge network for security inspection and policy enforcement.
Secure Web Browsing: Cloudflare Gateway and Cloudflare Browser Isolation provide secure browsing for teams with the ability to detect and block phishing, malware, and other browser-based attacks — and enforce Zero Trust rules for all browsing activity.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
After reading this article you will be able to understand:
The 5 most common short-term solutions implemented during COVID-19
The long-term issues resulting from these band-aid fixes
5 recommendations for building secure remote work infrastructure