Q: Cyber Security for Remote Workers? A: SASE with Zero Trust Network Access
Secure access service edge (SASE) and zero-trust network access (ZTNA) give enterprises powerful new tools to provide secure connectivity anywhere, for all kinds of users accessing any type of application. And if there’s one thing we’ve learned recently, it’s that people may need to connect to anything, anywhere, at any time, for a variety of reasons.
Solving Complex Connectivity Problems with SASE and ZTNA
For modern enterprises, work is no longer something that just happens in an office. Users may be working from home, on the road, at airports or in coffee shops over public Internet connections, and more. Enterprises have been adjusting to these trends for years, but the huge numbers of people working from home in the wake of COVID-19 have dramatically accelerated the rate of change (and maybe the sales of comfortable-yet-still-presentable clothing).
As businesses try to adapt to this new normal, they’re finding that the network and security models they’ve relied on for years are too complex, clunky, and inefficient to keep up with changing needs. Businesses have to contend with the following concerns.
An expanded threat surface
As more users work from more locations — often using their own devices, connecting over the public Internet — enterprises face a higher risk of breaches, malware, and other Internet threats.
The problem only grows as more enterprise data moves to software-as-a-service (SaaS) and cloud applications, where businesses face elevated risk of data loss or users failing to comply with corporate security policy due to poor data-handling practices.
Poor application performance
No matter how users connect — from a branch or home office, or remotely via virtual private network (VPN) — most of their traffic gets routed through the centralised data centre for security inspection. This need to funnel all traffic through the data centre, even when it’s destined for the cloud or Internet, adds latency that can significantly degrade the user experience.
Complex access experience
Today, employees use different access methods depending on where and how they work. In the branch, they typically access all applications through the branch’s edge gateway. When using a mobile device, though, they have to do things differently. Typically, working outside the branch means establishing a connection with a VPN concentrator (again, routing all traffic through the data centre) or using specialised remote access web pages. These disparate experiences make access more complex and confusing, diminishing productivity and leading to more calls to the help desk.
Long, complicated setup for new services
The need to connect users in more ways, from more places, gets complex and expensive. For home offices and remote users, setting up the right networking and security often requires extensive IT assistance. This process can become a huge burden, especially in circumstances like COVID-19, when businesses need to connect hundreds or thousands of users under tight timelines. Even in traditional branches, expensive private line circuits such as Multi-Protocol Label Switching (MPLS) take a long time to provision and can be expensive to operate and scale.
Put simply, you’re dealing with long timelines, extremely complex solutions, and an ever-expanding budget.
With VMware SD-WAN Zero Trust Service, users can access cloud resources without added latency and hair-pinning, leveraging the security and benefits of a cloud-hosted solution, while easing IT deployment and maintenance of costly remote access services.
Secure Connectivity no matter where
Reimagining Access with SASE and ZTNA
SASE and ZTNA provide a framework to make connectivity simpler, more consistent, and more secure — even as the ways and places people work evolve. A SASE/ZTNA framework provides the following benefits:
• Simpler cloud-based security: SASE points of presence (PoPs) include a number of security services that help inspect traffic and centrally enforce security policy, no matter where people work or where applications are hosted. SASE PoPs are also typically collocated with cloud exchanges, providing a natural control point to apply additional cloud-based security. Ultimately, businesses can apply the full security stack from the cloud, including the following:
- Next-generation firewalls (NGFWs)
- URL filtering
- Secure web gateways (SWGs)
- Data loss prevention (DLP)
- Cloud access security brokers (CASBs)
Unlike today’s security stack, which relies on siloed solutions that are deployed and managed separately, SASE pre-integrates diverse security services into a single control point and management interface. This solution automatically applies the right protection to every connection, based on policy, expanding the “intrinsic” security built into every network connection.
• More flexible remote access: ZTNA eliminates the need to use VPN concentrators or specialised remote access portals. Instead, a ZTNA agent installed on the user’s device automatically establishes a secure Internet Protocol Security (IPSec) tunnel to the nearest SASE PoP.
Hosted in any of hundreds of PoPs around the world, these gateways act as a broker between users and the resources they want to access, providing an application-specific VPN tunnel directly to the resource — and only that resource. Enterprises can now enforce security policy on a per-application basis, with access based on the user’s identity and real-time context (such as location or device type), instead of just IP addresses. All of a sudden, the security perimeter no longer ends at the data centre or branch edge network. It extends all the way from the individual application, no matter where it’s hosted, to the individual user. The world just got a little smaller.
In VMware’s SASE solution, this ZTNA agent is integrated with VMware Workspace ONE.
• More efficient, better-performing connectivity: SASE solutions use software-defined wide-area network (SD-WAN) technology to provide an intelligent software overlay across all branches and home offices. This feature automatically routes traffic over the best available path and connection. Think of it like your maps app helpfully rerouting you to avoid a traffic jam. Application traffic gets routed to a gateway in a nearby cloud PoP — instead of getting backhauled through the data centre — eliminating delays and bottlenecks. The SD-WAN steers traffic on a per-packet basis to account for real-time network conditions such as delay, jitter, or packet loss, and automatically remediates problems detected over a given link.
In the following sections, we take a closer look at how these capabilities change the game for different enterprise use cases.
Extending the Branch Experience to Remote and Mobile Users
With SASE and ZTNA, businesses can extend the same business-class network and application experience that they’d get in a branch to remote and mobile users. At the same time, they can bring the complete enterprise security stack to all users, no matter where or how they connect. Remote and mobile users now get the following benefits:
• A consistent, unified experience: Network and application access looks and acts the same whether users are working remotely or in a branch.
• Granular access control: ZTNA provides a stronger security footing for remote users than conventional VPN connections. Internet transport is treated as inherently untrusted. And with per-application IPSec tunnels, users can only access the specific resources they’re authorised to use, based on policy. This feature is just like a virtual ID badge for certain doors in the office.
• Enhanced security: With SASE, the business can apply a full security stack to remote and mobile users’ traffic. For example, when remote users are accessing sensitive data from an unmanaged device, the business can automatically apply CASB services to ensure that SaaS and infrastructure-as-a-service (IaaS) application usage complies with corporate policy, and DLP to guard against data leakage.
• Business-quality performance: SASE SD-WAN intelligence automatically routes traffic over the best available path and connection, based on real-time network conditions. By reducing the need to backhaul traffic through the central data centre, latency and bottlenecks are eliminated, and you have a more consistent, better-performing application experience.
Transforming a Home Office into a Branch Office
As working from home becomes the new normal, enterprises need to provide scalable business-class networking and security services for multiple types of home-based users. For example, a home-based radiologist who needs to securely access large diagnostic imaging files requires different considerations than an office worker who needs access to a subset of business applications with basic bandwidth requirements.
Businesses also need to protect against brownouts. During the COVID crisis, brownout rates increased dramatically as millions of workers shifted to home offices. From pixelated Zoom video calls to voice glitches, these issues severely degrade user experience (and inspire a million YouTube parodies).
Additionally, businesses need to make sure that the home office doesn’t become an entry point for malicious websites or other threats. This possibility is a real risk when users rely on their broadband Internet service provider (ISP) to provide connectivity and Domain Name System (DNS) services.
Within a SASE framework, home offices act like any other branch office, with users connecting to a nearby SASE cloud PoP via a simple edge appliance. The edge appliance and connection can vary for different types of users. “Light” or “standard” users can do fine without top-tier connectivity, while power users (like that home-based radiologist) get high-capacity, low-latency connections that are basically indistinguishable from what they’d have at the office.
As in the branch, home edge devices connect to a nearby cloud PoP, which provides a direct on-ramp to the diverse public cloud applications and IaaS resources the enterprise uses. Home users get better network and application performance, while the enterprise can use the SWG services in the SASE PoP to apply anti-malware and other cloud-based security to their traffic, based on policy.
What kind of results should you expect? Have a look:
• Simpler IT operations: By providing intelligent WAN connectivity and traffic handling as a service, enterprises benefit from zero-touch deployment; centralised policy-based management; and end-to-end visibility, troubleshooting, and reporting. Home offices become much quicker to enable and easier to manage.
• Improved performance: The cloud-based networking intelligence of SASE monitors applications continuously. The result is improved application performance for both data centre–hosted and cloud-based applications, even under brownout conditions.
• Stronger intrinsic security: Home users get the same strong protection they’d get working in a branch, with a full security stack inspecting their traffic, filtering out bad URLs, and applying anti-malware protection automatically in the cloud. They won’t get a security guard or receptionist, but that’s really the only difference. The combination of ZTNA for secure access and SWG for Internet applications protects the business, even when home users work over Wi-Fi or public Internet connections.
Connecting, Securing, and Optimising the Branch
Today’s “branch” can include a wide range of corporate sites, from small-footprint retail stores to large regional and national corporate offices.
Historically, branches relied on inefficient legacy WAN architectures, where most traffic gets backhauled through the central data centre.
Today, enterprises can make branch connectivity simpler and more efficient with SASE SD-WAN intelligence. Like home office users, branches connect via an SD-WAN edge appliance that provides software-defined traffic handling for all applications. The edge appliance connects to a nearby SASE PoP in the cloud, where it can apply cloud-based security services to public cloud and SaaS traffic, even as it improves their performance. In cases where additional local security functions are needed (such as advanced intrusion prevention and intrusion detection services [IPS/IDS] or unified threat management), branches can also integrate virtualised network functions (VNFs) from third-party solution providers into the branch stack.
Branches ultimately benefit from these outcomes:
• Simpler operations: SASE and ZTNA use a dynamic SD-WAN connectivity model, where much of the effort of bringing up new sites is fully automated via zero-touch provisioning. The branch network can now be managed from the cloud, as a service. IT can stand up sites and provision services much more quickly and easily, without needing expert staff on-site.
• Reduced capital and operational expenses: Businesses reduce their capital investments by replacing expensive routers and security and WAN acceleration devices at every branch with simpler SASE edge appliances. And, with the ability to use broadband instead of MPLS circuits — without sacrificing performance or security — they lower operational expenses as well.
• Improved performance: Moving to an SD-WAN model for branch connectivity eliminates the delays and performance issues that come with backhauling traffic through the data centre. SASE also introduces a cloud-based control point to monitor and inspect all application traffic and, in many cases, automatically remediate issues.
• More comprehensive security: SASE makes it easy for branch employees to securely access cloud applications and the Internet, whether they’re working on-site or remotely. Enterprises can apply security roles, enforce security policy, and apply services like ZTNA, NGFW, and SWG entirely from the cloud. IT can now manage access for both branch and remote users with a single set of policies and enforce security based on each user’s identity and context.
Setting Up Temporary or Seasonal Sites
There are many scenarios in which enterprises may need to set up temporary or seasonal sites. In the wake of COVID-19, for example, health-care providers rapidly set up mobile clinics, field hospitals, and testing sites. Each location had to adhere to the same data security and privacy requirements as primary care offices. These and other temporary implementations need secure, reliable network connectivity — even when they’re in remote locations where the traditional WAN doesn’t reach.
SASE and ZTNA make it easier to quickly bring up temporary sites, without compromising security. Enterprises can deploy SD-WAN edge devices wherever they’re needed. They connect to a nearby SASE PoP, where they can apply a full stack of cloud-based security services, based on policy, to protect users, applications, and the network against Internet and cloud threats. The results may sound familiar at this point, but here’s a review:
• Improved performance: SASE provides an intelligent SD-WAN overlay for any kind of remote site link (broadband Internet, satellite, or wireless connection). The solution monitors real-time link conditions and can steer traffic to the optimal path, based on policy. With the SASE PoP providing an on-ramp to cloud and SaaS applications, users also get a more consistent application experience.
• Simpler setup and operations: Businesses can set up temporary sites much more quickly using simplified edge appliances. These devices use zero-touch provisioning to automatically configure themselves, minimising the need for on-site IT or network engineering personnel.
• Comprehensive security: Instead of having to route everything back through the central data centre, SASE allows businesses to apply SWG, CASB, DLP, anti-malware, and the rest of the security stack at any location from the cloud. And with ZTNA, users have the same access experience, regardless of how they connect.
Inviting Everybody to the Party
Non-employee workers — contractors, partners, contingent workers, and others — are playing an increasingly important role in many enterprises. Like employees, these workers also need access to corporate resources and applications. Today, they often have to use specialised web and application portals, increasing complexity for both users and IT.
With SASE and ZTNA, bringing these workers securely into the business is much easier. ZTNA provides a seamless, automated access experience, while protecting business applications and resources. Take a look at these advantages:
• Simplified operations: A SASE and ZTNA framework makes connecting non-employee workers just as simple as it is for branch users and remote employees, making your IT department’s job a lot easier.
• Improved security: ZTNA-based services authenticate non-employee users and grant secure access based on their identity and context, such as location, time, and device type and security posture. With ZTNA, these users can’t even see, much less access, network resources they aren’t explicitly authorised to use. The SASE framework also protects these users, and the applications they access, by using cloud-based security services like CASB and DLP to automatically enforce consistent, corporate-wide policy.
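The per-application, identity-plus-context access decision described here and in the remote-access sections above, as an added illustration (not VMware’s, Next Telecom’s, or any product’s code). The applications, group names, locations and posture flag are constructed assumptions; the point is that the decision is deny-by-default, made per application, and never keyed on the client’s source IP.

```python
# Added illustration (not VMware's or Next Telecom's code): a minimal ZTNA-style
# broker policy check. An access decision is made per application from the
# user's identity and real-time context (location, device type, device posture),
# never from the client's source IP. Everything not explicitly allowed is denied,
# and the user is only shown the applications they are allowed to reach.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Context:
    user: str
    groups: frozenset        # identity attributes from the IdP (assumed)
    location: str            # e.g. "office", "home", "public-wifi"
    device: str              # "managed" or "unmanaged"
    posture_ok: bool         # endpoint agent reports compliant posture

@dataclass(frozen=True)
class AppRule:
    app: str
    groups: frozenset        # any of these groups may request access
    locations: frozenset = field(
        default_factory=lambda: frozenset({"office", "home", "public-wifi"}))
    managed_only: bool = False
    require_posture: bool = True

# Constructed sample policy: one rule per application (deny by default).
POLICY = (
    AppRule("hr-portal", frozenset({"employees"})),
    AppRule("pacs-imaging", frozenset({"radiology"}), managed_only=True),
    AppRule("crm", frozenset({"sales", "contractors"}),
            locations=frozenset({"office", "home"})),
    AppRule("finance-erp", frozenset({"finance"}), managed_only=True),
)

def decide(ctx: Context, app: str) -> tuple[bool, str]:
    """Return (allowed, reason) for one user requesting one application."""
    for rule in POLICY:
        if rule.app != app:
            continue
        if not (ctx.groups & rule.groups):
            return False, "identity: no matching group"
        if ctx.location not in rule.locations:
            return False, f"context: location {ctx.location!r} not permitted"
        if rule.managed_only and ctx.device != "managed":
            return False, "context: managed device required"
        if rule.require_posture and not ctx.posture_ok:
            return False, "context: device posture non-compliant"
        return True, "allowed by rule " + rule.app
    return False, "no rule for application (default deny)"

def visible_apps(ctx: Context) -> list[str]:
    """Applications the broker advertises to this user: only those reachable now."""
    return [r.app for r in POLICY if decide(ctx, r.app)[0]]
```

Re-evaluating `decide` on every request (not once at login) is what lets a posture change or a move to an untrusted location revoke access mid-session.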
All of these solutions point toward some common outcomes: increased security, simpler operations, more granular control, and reduced costs.
Find out more or speak to one of the Next Telecom SASE Specialists on 1300 722 320