Considerations for Securing a Work-from-Anywhere World

During the pandemic, transitioning to a work-from-home model required organizations to move critical resources to the cloud, ensure employees had access to essential business applications, and secure communications between the home office and corporate network. And now, instead of moving everyone back into the corporate office, many organizations are transitioning to a work-from-anywhere (WFA) approach, with some employees working from home, others on-site, and others spending part of their time in each location.

This new approach provides much-desired flexibility and improved work-life balance for workers, increasing productivity and work satisfaction. Companies also realize several logistical and financial advantages that come with reducing corporate office overhead. But accommodating this hybrid workforce also requires networks to become hybrid while still being able to balance security with user experience. 

Quality of Experience and WFA

Quality of Experience (QoE) measures how satisfied workers are with their entire work experience. It includes things like ease and speed of access to essential resources, consistent availability of business-critical applications, and quality of service for things like voice and video conferencing.

But maintaining QoE for a WFA workforce is a challenge. It requires seamless access to business-critical applications and data both on-premises and in the cloud, regardless of where the user accesses them from. Further, this must all happen without compromising network security, which is particularly challenging considering that home networks and remote devices are notoriously under-secured.

Three Key IT Pain Points in WFA Models

Ideally, accessing corporate applications and data from anywhere should be seamless, but remote connectivity often impacts the user experience and security posture. Resolving these issues requires addressing three key IT pain points.

1. Unpredictable Experience

A common approach to maintaining security while handling remote traffic is to backhaul all application and internet traffic through the corporate data center for verification before reaching its destination. However, this increases latency and wastes bandwidth compared to a direct connection. Such architectures can also be complex and expensive to operate because IT must individually configure and manage branch routers and stitch firewall policies. 

QoE becomes inconsistent for branch end-users because backhauling application traffic can impact application reliability. Home users are forced to access applications through a VPN tunnel to the corporate network, leading to even more unpredictability due to variations in home bandwidth capabilities.

Challenges remain even when organizations allow direct access to cloud applications because improved application experience comes at the cost of security. Home users must also still use a VPN to access internal resources, making their overall experience inconsistent.

2. Inconsistent Policies

IT teams find it challenging to ensure consistent policy enforcement across the network when different sets of security are deployed on-site, at the branch office, in the cloud, and at home locations. This is because an overall lack of visibility and control creates a landscape ripe for threats to leak through. In fact, threat researchers have recently detected a shift in threat actor behavior aimed at exploiting policy inconsistencies by targeting home or smaller branch offices rather than attacking traditional network devices. These bad actors can access a device deployed in an under-secured network and use it to hijack a VPN connection back to corporate resources, rather than having to force their way past commercial-grade security.

3. Implicit Trust

Many organizations use an implicit trust model when providing access to applications. Those using a VPN connection are usually authenticated with a generic process that provides access to the entire network, with the assumption being that any device connecting through a secure VPN tunnel is to be trusted. But all it takes is for a remote user’s machine, identity, or credentials to become compromised for an attacker to ride that trusted VPN connection to gain access to the entire network.

Meeting WFA Challenges with SD-WAN and ZTNA

When implementing a WFA model, organizations must adapt their existing infrastructures and security models –traditional security and connectivity solutions are simply not up to the task. The good news is that the challenges described above can be met with the deployment of Secure SD-WAN and Zero Trust Network Access (ZTNA) solutions.

While SD-WAN is great at providing reliable connections to cloud-based applications, most SD-WAN solutions lack integrated security. In contrast, Secure SD-WAN on a purpose-built security platform blends advanced connectivity with enterprise-grade security and allows for single-console management, enabling consistent policy creation, deployment, and enforcement. Further, ZTNA provides per-user access to specific applications, far surpassing implicit trust when it comes to security. Every device, user, and application can be seen and controlled regardless of where they are connecting from. Together, solutions like Secure SD-WAN and ZTNA help businesses meet the challenges and realize the opportunities that WFA provides. 

Source: https://www.fortinet.com/blog/industry-trends/considerations-for-securing-a-work-from-anywhere-world