Today, enterprises are providing employees and third parties with remote access to their applications in much the same way they did 15 years ago – through VPNs, proxies, and remote desktops. These technologies require enterprises to establish trust with each user and device, then provide access through a network security perimeter to the resources the user needs. Traditionally, the asset you are protecting is inside a trusted zone, and any access to it would be from an outside, untrusted zone. This outside-to-inside access requires passing through the enterprise perimeter. The enterprise perimeter needs to move beyond moats and castles and become effective in today's threat landscape and cloud- and mobile-first world.
Given the mounting number of high-profile security breaches resulting from third-party access, it is clear a new methodology for providing third-party access is needed, and shedding light on what a new access methodology is requires us to explore the key changes in the enterprise landscape.
1. Growing Partner/Third-Party Ecosystems
Increasingly, we rely on partners, contractors, suppliers, franchisees, and others to drive business forward. From occasional access for a third-party contractor to the complete outsourcing of services, enterprises are opening up access to their entire networks. Last year, a prominent hotel chain with over 250 properties was attacked by hackers via the hotels' payment processing system, which typically involved an external vendor.
Enterprises have been coping with the permeability of the perimeter firewalls by adding more layers of security to catch the bad stuff that gets through: IDS/IPS, DLP, WAF, and others. Every new layer comes with its own complexity and overhead to manage the new policies, and despite the complexity — or perhaps because of it — the perimeter remains permeable.
2. Taming the Mobility Explosion
The number of mobile devices is multiplying at five times the rate of the world population. Over the last 15 years, enterprises have tried to deal with the issues of mobility growth and BYOD by extending trust to mobile devices. All types of organizations, from private companies to government bureaus, are struggling with this so much that the Hong Kong Privacy Commissioner for Personal Data issued guidance for employers who operate a BYOD scheme in the workplace.
Technologies like NAC (Network Access Control), and more recently Mobile Device Management (MDM) or Enterprise Mobility Management (EMM), have sought to bring users and devices back into a trusted zone by installing certificates on each device. Instead of bringing the users inside the existing security perimeters, these controls are essentially extending the enterprise perimeter to encompass all external users. But these technologies are complicated to implement and manage. Further, malware such as Stagefright can silently take over a device, nullifying any notion of trust.
3. Challenges of “Cloudification”
There is no doubt cloud computing has gone mainstream, with most enterprises adopting a hybrid cloud strategy. Many Hong Kong enterprises, especially banks, are using the cloud to boost their business performance. Last year, HSBC adopted cloud infrastructure to deliver its forecast customer data from its core banking systems. DBS Bank also expected to shift up to 50% of its compute workload to the cloud in two years.
However, moving to a hybrid cloud model comes with two major challenges: First, most enterprises don’t have the budget or appetite to replicate perimeters or demilitarized zones (DMZ) in each cloud provider and on-premises location. Second, your users cannot physically be “in the cloud” and everyone has to come in from the outside. Due to “cloudification”, enterprises need a better solution for users to reach applications and IT departments need to better manage access policy and security in a way that is agnostic to the location of the application.
4. Adopting a Zero-Trust Model
Identity is essential to establishing trust, but even if trust is established initially, we can never be sure that trust has not been compromised. Earlier news reports said that Hong Kong police uncovered more than HK$126 million in unauthorized share trading in the first three quarters of 2016, double the 2015 full-year total, with hackers employing new tactics designed to distract victims while taking control of their accounts.
With a zero-trust approach, all users have least privilege both inside and outside the enterprise perimeter. Giving internal network access to most users is a huge security risk. New access architectures must assume no user is trusted from the outset, and when trust is established, it is transient, of minimum duration and scope, and only applied to the relevant applications and resources required.
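The zero-trust principles above (deny by default, trust that is transient and scoped to a single application, and no special treatment for being "inside" the network) can be shown in a few dozen lines. The following is an added illustration written for this article, not Akamai's code or any product's API; the gateway class, the grant time-to-live, the user and application names, and the network-location label are all constructed for the example.

```python
"""Added example: a minimal zero-trust access decision for private applications.

Constructed illustration (not Akamai's code): a user has no access until an
explicit grant exists, every grant is short-lived and bound to exactly one
application, and the network location of the caller never changes the outcome.
"""
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class Grant:
    """A transient, application-scoped statement of trust for one user."""
    user: str
    application: str
    issued_at: float
    ttl_seconds: int

    def is_valid(self, application: str, now: float) -> bool:
        # Scope check (one application) and duration check (minimum lifetime).
        return self.application == application and now < self.issued_at + self.ttl_seconds


class ZeroTrustGateway:
    DEFAULT_TTL = 300  # five minutes; an assumption chosen for this example

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable clock so expiry can be tested
        self._grants = {}            # (user, application) -> Grant
        self.audit_log = []          # every decision, allowed or not

    def establish_trust(self, user: str, application: str, ttl_seconds: int = DEFAULT_TTL) -> Grant:
        """Issue a grant for ONE application only; nothing is granted network-wide."""
        grant = Grant(user, application, self._clock(), ttl_seconds)
        self._grants[(user, application)] = grant
        return grant

    def authorize(self, user: str, application: str, network_location: str):
        """Decide a single request.

        network_location ("internal" or "external") is recorded for the audit
        trail but deliberately plays no part in the decision: inside the
        perimeter is not a trusted zone.
        """
        now = self._clock()
        grant = self._grants.get((user, application))
        if grant is None:
            allowed, reason = False, "no grant for this application"   # deny by default
        elif not grant.is_valid(application, now):
            allowed, reason = False, "grant expired"
            del self._grants[(user, application)]                      # trust is transient
        else:
            allowed, reason = True, "grant valid"
        self.audit_log.append((user, application, network_location, allowed, reason))
        return allowed, reason


def demo():
    """Walk through the four cases with a controllable clock (constructed data)."""
    clock = [1000.0]
    gw = ZeroTrustGateway(clock=lambda: clock[0])
    results = []
    results.append(gw.authorize("alice", "payroll", "internal"))    # denied: nothing granted yet
    gw.establish_trust("alice", "payroll", ttl_seconds=60)
    results.append(gw.authorize("alice", "payroll", "external"))    # allowed: valid, in-scope grant
    results.append(gw.authorize("alice", "hr-portal", "internal"))  # denied: grant is payroll-only
    clock[0] += 61                                                  # let the grant expire
    results.append(gw.authorize("alice", "payroll", "external"))    # denied: expired
    return results


if __name__ == "__main__":
    for allowed, reason in demo():
        print("ALLOW" if allowed else "DENY ", "-", reason)
```

The point of the demo is the order of the decisions: the first request is denied although it comes from "internal", the third is denied because the grant does not cover a second application, and the last is denied because the grant has aged out, leaving the user exactly where they started. A real deployment would issue the grant after an identity and device check and would key it to a session rather than a bare username, but the decision logic stays the same.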
5. “SaaSification” of IT Applications
“SaaSification” is reshaping enterprise user expectations. While SaaS adoption in enterprises is growing quickly, the sheer number of private and specialized applications running in enterprises today precludes the idea that all apps will move to SaaS anytime soon. The trouble is, users want the same experience accessing all of these non-SaaS, private applications: Access from anywhere, on any device, no VPN required, and no client software required.
The New Access Architecture
To address these five fundamental changes, enterprises need a new architecture for providing access to their private applications. Whether running inside a private data center or in a public cloud-computing environment, private applications need to be delivered to partners, contractors, and customers with greater security and simplicity than existing access methods provide.
Lorenz Jakober, Director at Akamai Technologies, Inc