VPNs aren't enough: a zero-trust networking approach to securing home workers and the organisation
Access should depend on who users are, what they're doing and what device they're using, says Proofpoint
VPNs are perfectly fine for protecting traffic between users' devices and the corporate network, but that's only one scenario in use today. More common is a mixed environment with managed and unmanaged devices running a variety of software (possibly unpatched) and accessing data and applications in the data centre, in the public cloud or hosted elsewhere. A VPN authenticates the tunnel, not the state of the device or what the user does once inside it, and many of those destinations never touch the corporate network at all. In this case, relying on point solutions like VPNs and AV will likely leave holes in protection.
The sudden mass move to homeworking means that users are frequently using their own devices for work, unprotected by corporate security. Knowing this, cybercriminals have upped their game, emailing virus-themed phishing lures in an attempt to plant malware or steal credentials, through which they can get onto the network, execute ransomware, gather intelligence or exfiltrate data over time.
During Computing's Deskflix event last week, Ed Rowley, senior technical manager EMEA, and Mark Edge, cloud security specialist EMEA, at Proofpoint made the case for zero-trust networking.
Zero-trust networking is an approach that grants access per user and per request, with controls tailored to who the user is, while recognising that a light touch is generally more secure than forcing people to jump through restrictive hoops, which leads to shortcuts and shadow IT.
"User experience is key," explained Edge.
As an example of the individualised approach, a user on his or her own laptop might access applications through a browser via a cloud-based gateway proxy which will automatically take care of the connection to authorised apps in the cloud - crucially away from the corporate network. Meanwhile, someone using a company-provided device protected by agent-based software and hence a lower security risk can connect to the application within the secure corporate perimeter.
This software-defined approach allows for micro-segmentation of users so their activities can be restricted depending on what they need and the device they are using. Access to individual apps and data is granted on the basis of role-based policy or templates, with single sign-on and authentication taken care of by the gateway too.
Prior to any connection, a device is automatically checked for the required security posture and access rights, and thereafter monitoring continues to capture suspicious events, such as AV being turned off, and to track the identity across the network.
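To make the decision logic in the preceding paragraphs concrete, here is a small Python policy evaluator. It is an added example written for this page, not Proofpoint's product or code: the roles, app names, the "managed device goes direct, unmanaged device goes via the cloud gateway" routing rule and the monitoring event names are all assumptions chosen for illustration. It shows the three inputs combined (identity and role, the app requested, device posture), the pre-connection check, and re-evaluation of an existing session when a later event such as AV being disabled arrives.

```python
"""Toy zero-trust access decision (added example, not Proofpoint's code).

Every name below (roles, apps, event strings) is constructed for illustration.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional

# Role-based policy template: which apps each role may reach (assumed roles/apps).
ROLE_POLICY: Dict[str, FrozenSet[str]] = {
    "finance": frozenset({"erp", "mail"}),
    "engineer": frozenset({"git", "mail", "ci"}),
    "contractor": frozenset({"mail"}),
}

# Apps hosted inside the corporate perimeter; everything else is cloud-hosted.
INTERNAL_APPS: FrozenSet[str] = frozenset({"erp", "ci"})


@dataclass(frozen=True)
class DevicePosture:
    managed: bool      # corporate-provided device running the endpoint agent
    av_running: bool   # reported by the agent (or the gateway's posture check)
    os_patched: bool


@dataclass(frozen=True)
class Decision:
    allow: bool
    route: Optional[str]   # "corporate" (inside perimeter) or "cloud_gateway"
    reason: str


def decide(role: str, app: str, posture: DevicePosture) -> Decision:
    """Evaluate who (role), what (app) and which device (posture), in that order."""
    if app not in ROLE_POLICY.get(role, frozenset()):
        return Decision(False, None, f"role '{role}' has no policy for '{app}'")
    # Posture checks apply to every device, managed or not.
    if not posture.av_running:
        return Decision(False, None, "endpoint protection not running")
    if posture.managed and not posture.os_patched:
        return Decision(False, None, "managed device is missing patches")
    # Unmanaged devices are proxied by the cloud gateway and never reach the
    # corporate network, so internal-only apps are not exposed to them.
    if not posture.managed:
        if app in INTERNAL_APPS:
            return Decision(False, None, f"'{app}' is internal-only; unmanaged device limited to cloud apps")
        return Decision(True, "cloud_gateway", "unmanaged device proxied to cloud app")
    return Decision(True, "corporate", "managed device with agent, connected inside the perimeter")


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    app: str
    posture: DevicePosture
    decision: Decision


def open_session(user: str, role: str, app: str, posture: DevicePosture) -> Session:
    """Pre-connection check: the decision is made before any traffic flows."""
    return Session(user, role, app, posture, decide(role, app, posture))


# Assumed monitoring event names and how each one changes the recorded posture.
EVENT_EFFECTS = {
    "av_disabled": {"av_running": False},
    "av_enabled": {"av_running": True},
    "patch_applied": {"os_patched": True},
}


def apply_event(session: Session, event: str) -> Session:
    """Continuous evaluation: re-run the policy whenever posture changes."""
    effect = EVENT_EFFECTS.get(event)
    if effect is None:
        return session  # unrelated event, decision unchanged
    posture = replace(session.posture, **effect)
    return Session(session.user, session.role, session.app, posture,
                   decide(session.role, session.app, posture))


def demo() -> List[str]:
    """Constructed scenario: a managed finance laptop opens ERP, then AV is turned off."""
    s = open_session("alice", "finance", "erp",
                     DevicePosture(managed=True, av_running=True, os_patched=True))
    log = [f"{s.user} -> {s.app}: allow={s.decision.allow} via {s.decision.route} ({s.decision.reason})"]
    s = apply_event(s, "av_disabled")
    log.append(f"{s.user} -> {s.app}: allow={s.decision.allow} via {s.decision.route} ({s.decision.reason})")
    return log


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The ordering matters: role policy is checked first so a denied request never leaks which posture checks would have passed, and the posture object is immutable so each monitoring event yields a fresh decision rather than mutating an already granted session in place.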
One of the main advantages of this approach is that it can be quick to deploy, said Edge, as it plugs into existing tools like Active Directory, an important consideration under the current circumstances and beyond.
It doesn't look like people are going to be returning to work in normal work environments for quite some time, said Rowley. "This is going to remain relevant way beyond the current crisis as we look to secure individuals because now, we're not looking so much at these perimeter-focused security paradigms, we need to be looking at securing people according to how they work and the data that they work with."