Where it all started
For decades the traditional security model called for sending all traffic to a corporate site where the requisite security functionality was located. At the turn of the century, that model made sense in part because the vast majority of employees worked in a corporate location and in part because cloud computing didn’t yet exist, backhauling a small amount of Internet traffic was tolerable.
A lot has changed. 70% of people currently work remotely for at least one day a week and 92% of companies are using public cloud services with the average company accessing just under 5 different providers.
The problem with remote access today
For users who need remote access to corporate data centers, it is common to provide connectivity using a VPN. There are several limitations to this approach. For example, the use of VPNs creates significant new attack vectors in part because once users are authenticated they are considered trusted and are granted unduly broad access. VPNs can also be difficult to manage and often result in poor user experience.
For users who need to access the Internet, IT could either haul traffic from remote users back to a central site before handing it off to the Internet, or they could hand that traffic off directly to the Internet. The first approach increases cost and degrades the user’s experience. The second approach leaves the company highly exposed to security breaches.
The advantage of a Software Defined Perimeter
The logical alternative to the site-centric approach to network security is a simple holistic solution in which remote users don’t connect to a site, but to a global Network as a Service (NaaS) solution that provides continuously available secure connectivity. From an architectural perspective, one of the biggest differences between the traditional approach to security and the NaaS is that it leverages the huge technological advances associated with the megatrend of providing all forms of IT functionality as a service.
The cloud-native NaaS approach recognizes that enterprises no longer have a well-defined perimeter and so the solution relies on a Software Defined Perimeter (SDP). According to Gartner, an SDP defines a logical set of disparate, network-connected participants within a secure computing enclave. The resources are typically hidden from public discovery, and access is restricted via a trust broker to the specified participants of the enclave, removing the assets from public visibility and reducing the surface area for attack.
The NaaS solution must be based on a network that has a sufficient number of Points of Presence (PoPs) so that every endpoint is within a few milliseconds of a POP. To truly be holistic, the solution must support all types of endpoints including remote users, branch offices, corporate facilities, and data centers as well as public cloud data centers. It must also support all users, whether or not they are using a managed device and it must capture complete logs from all devices and those logs must be accessible and available for a range of analytics tools.
A zero-trust security model
Given the intensity and sophistication of current security attacks, a security model that considers authenticated users to be trusted and grants them broad access is no longer acceptable. What is needed is a zero-trust security model in which users have a unique, fixed identity and one-to-one connections are created dynamically between a user and the resources that he/she needs to access. All access is denied unless it is explicitly granted and the right to have access is continuously verified.
Call to action
The way people work, and the way people acquire IT services has changed significantly over the last ten to fifteen years. While those changes were occurring, the sophistication of security breaches has increased dramatically in both frequency and intensity. Because of these factors, the old model of securing the perimeter of the enterprise is no longer valid.
IT organizations have no alternative – they must adopt a new security paradigm based on the principles of zero-trust security and a software-defined perimeter.