How to design security for "Remote-Work-First" companies

Designing security for a remote workforce requires reviewing where and how security and risk management leaders, including CISOs, direct their efforts. Focus on employees' remote work practices, technology limitations, applications, and data to create scalable security programs.

Key Challenge

Security teams must adopt a whole new mindset when thinking about distributed work at enterprise scale. The sharp rise of remote working has shattered the long-held assumption among security teams that remote access is a secondary concern compared to on-premises security.

Remote work security often relies on employees using managed devices connected through a full-tunnel VPN to access internal and external hosted applications. This one-size-fits-all model is not suited to cloud-first or work-from-home environments.

When scaling remote work, security teams first look to address performance bottlenecks by increasing capacity. But what works as first aid isn't always right when designing for long-term distributed work.

As distributed working is becoming the new norm, remote access infrastructure becomes a critical service, implying stricter availability service level agreements that cannot be achieved with a single VPN gateway.

Recommendations

Security and risk managers, including CISOs, should:

  • Establish security profiles based on the impacts of remote work practices on traffic patterns to fine-tune prevention, detection, and response capabilities.
  • Build security architectures for remote work by analyzing today's and tomorrow's employee types, including cross-functional business workflows, technical concerns such as endpoints and network limitations, application architectures, and data concerns such as classification and management.
  • Build inclusive security profiles: Conduct a security posture assessment for all remote work use cases, even when an employee's role is not suited to remote work, or when compliance requirements mandate strict security controls.
  • Review the security technology options available for each component of remote work traffic patterns, from endpoint clients to data security, and review security analysis options for mostly off-site enterprise communication.

The diversity of remote work scenarios in a typical organization implies the need for multiple security profiles.
Security teams must:

  • Gather enough information to understand the remote work strategy based on the user's role and team.
  • Inventory the key applications and computing models for each user category.
  • Identify data privacy requirements.
  • Map these remote work profiles to existing risk assessments based on the employee's role.

Traffic pattern analysis for telecommuting use cases

The most frequent traffic patterns to review are:

Remote VPN: Employees who work from an unmanaged home network and connect to a corporate office via a VPN tunnel to access internal applications and sometimes the Internet and SaaS applications.

No VPN: Mobile users connecting only to the public-facing applications (e.g. SaaS) required for their work.

Bastion Host: Users connecting to a managed workstation, such as a jump box, or to their own local workstation. The remote connection can go over an IPsec or TLS VPN. The employee's endpoint can be a corporate or personal device.

Developing a list of traffic patterns helps to delineate the range of security controls needed. Once this is done, the second step is to inventory the main categories of application flows to start defining a security policy.

To determine the best remote access solution, security managers must first answer four questions:

  • Which users and applications need VPN access and which don't?
  • What traffic (e.g. VoIP) and security requirements does an agent at the customer's endpoint demand?
  • Is the VPN gateway on the same network as the target applications?
  • When do we need a remote access gateway and what are the key requirements for it (location, scalability, agent and agentless VPN management features)?

Final recommendations:

Work with all stakeholders to ensure you gather a comprehensive list of employee role and application access requirements.
Use a push & pull strategy when working with IT and application teams:

  • Gather information about inevitable changes to infrastructure and applications, and be aware of the impact of security on the user experience ("pull").
  • Enforce stronger security approaches for the highest security use cases, and ensure that security is part of IT automation frameworks ("push").

Use a broad framework when reviewing security solutions, as controls for the same threat vector can be deployed at multiple points in the end-to-end remote connection.

Source: Gartner
