Securing the Hybrid Workforce in 2021 and Beyond
The year 2021 will see most enterprises rethink their network and security architectures. While COVID-19 forced enterprises to deploy ‘quick-fix’ solutions for remote work, enterprises now have the opportunity to look back at their decisions and decide the path forward that best aligns with their long-term strategy.
COVID-19 gave bad actors an opportunity to step up their activity. In August 2020, INTERPOL shared its assessment [1]:
The lack of updated cyber defenses left major corporations, healthcare infrastructure and governments especially vulnerable to targeted attacks. As employees began to work from home almost ubiquitously, attack surfaces expanded. Breaks in supply chain and complexity in installation of appliance-based security stacks slowed efforts to scale traditional remote access solutions, putting enterprise intellectual property at risk.
Enterprises that continued to use, and were able to scale, their traditional remote access solutions (VPNs) realized that backhauling traffic to the data center added latency to application performance. This forced employees to disconnect from VPNs in favour of direct-to-Internet and direct-to-SaaS connectivity for faster access. Unfortunately, this left employees, and hence the enterprise, vulnerable.
Under the ‘new normal’, where permanently remote job descriptions, the ‘3-2-2 work week’, ‘digital nomads’ and employee mobility become commonplace, frictionless cyber security for all employees, regardless of their physical location and regardless of the application being accessed, will be critical. For the reasons discussed above, VPNs are unfortunately not the answer. Gartner has provided insights into designing an agile architecture that solves today’s challenges in cybersecurity, employee experience and operational agility. This new architecture is discussed in the remainder of this paper.
Getting Started with Zero Trust Network Access (ZTNA)
ZTNA, in contrast to VPN solutions, eliminates the ‘excessive trust’ granted to users. A user requesting access must first be authenticated for identity and context in real time. Once authenticated, the user is granted encrypted access to specific internally managed applications, and all user activity is continuously monitored. Access is granted only to a particular application and not to the entire network. This ensures that users do not get access to services they are not entitled to and eliminates the possibility of lateral movement of malware within the network. Also, ZTNA architectures are designed to protect applications from direct exposure to the Internet, thus securing applications against Denial of Service attacks.
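The per-application, context-aware decision described above can be made concrete with a small policy decision point. The following is an added example written for this paper, not Citrix code: the application catalogue, users, group names and device-posture fields are all constructed for illustration. It contrasts a network-level VPN grant (every application reachable once the user is on the network) with a ZTNA-style grant (each application evaluated separately against identity, entitlement and device posture), and shows a session being revoked when posture changes mid-session, which is what "continuously monitored" implies.

```python
"""Added example: a minimal ZTNA-style policy decision point.
Not from the Citrix paper; apps, groups and posture fields are constructed."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Context:
    """Request context the broker evaluates in real time: who, with what proof,
    from what kind of device."""
    user: str
    groups: frozenset
    mfa: bool              # identity verified with a second factor
    device_managed: bool   # corporate-managed vs BYO
    disk_encrypted: bool
    av_up_to_date: bool


# Constructed application catalogue: groups entitled to each app and whether
# a corporate-managed device is required (BYO allowed only where False).
APPS = {
    "hr-portal":  {"groups": {"hr"},        "require_managed": True},
    "wiki":       {"groups": {"hr", "eng"}, "require_managed": False},
    "git":        {"groups": {"eng"},       "require_managed": True},
    "finance-db": {"groups": {"finance"},   "require_managed": True},
}


def posture_ok(ctx, require_managed):
    """Device posture gate: managed-only apps reject BYO devices; every app
    requires disk encryption and current anti-malware."""
    if require_managed and not ctx.device_managed:
        return False
    return ctx.disk_encrypted and ctx.av_up_to_date


def decide(ctx, app):
    """Return (allowed, reason) for ONE application. Denial reasons are ordered:
    unknown app, weak identity proof, missing entitlement, weak posture."""
    policy = APPS.get(app)
    if policy is None:
        return False, "unknown application"
    if not ctx.mfa:
        return False, "identity not verified with MFA"
    if not ctx.groups & policy["groups"]:
        return False, "no entitlement for application"
    if not posture_ok(ctx, policy["require_managed"]):
        return False, "device posture insufficient"
    return True, "allowed"


def vpn_style_reachable(ctx):
    """Contrast case: a network-level grant exposes every app once the user
    is authenticated onto the network, whatever the entitlement or posture."""
    return set(APPS) if ctx.mfa else set()


def ztna_reachable(ctx):
    """ZTNA: only the apps whose individual policy passes are reachable."""
    return {app for app in APPS if decide(ctx, app)[0]}


class Session:
    """Continuous evaluation: policy is re-run on every posture update and the
    session is dropped as soon as it no longer passes."""

    def __init__(self, ctx, app):
        self.ctx, self.app = ctx, app
        self.active = decide(ctx, app)[0]

    def update_posture(self, **changes):
        self.ctx = replace(self.ctx, **changes)
        self.active = decide(self.ctx, self.app)[0]
        return self.active


if __name__ == "__main__":
    eng = Context("alice", frozenset({"eng"}), True, True, True, True)
    print("VPN-style reachable:", sorted(vpn_style_reachable(eng)))
    print("ZTNA reachable:     ", sorted(ztna_reachable(eng)))
    s = Session(eng, "git")
    print("session active:", s.active, "-> after AV lapses:", s.update_posture(av_up_to_date=False))
```

The point of the contrast is that `vpn_style_reachable` answers the question "is this user on the network?" while `decide` answers "may this identity, on this device, reach this application right now?"; the second question is the one a ZTNA broker keeps asking for the life of the session.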
Clearly, ZTNA is an evolution over traditional VPN technologies. However, ZTNA must be supplemented with broader security and networking services to deliver a consistently productive employee experience, regardless of the employee’s physical location, the endpoint device they are using, the application being accessed or network performance.
Supplementary Use-Case #1: Access to Internet and SaaS applications must be secured for all employees, regardless of their location. For instance, enterprise security architectures must be able to protect a work-from-home employee from inadvertently downloading malware on their endpoint device through a personal file sharing account hosted on SaaS.
Solution: Almost all employees will access Internet and SaaS applications from their corporate-owned endpoint devices. This includes work-related access such as salesforce.com and Microsoft Office 365 and personal applications such as Gmail accounts or recreational sites on the web. For faster access, VPNs are usually disconnected at this time, leaving employees vulnerable to attack. These workers must be secured by an architecture that provides consistent security regardless of worker location, protecting against the latest and most intelligent threats, while still offering a frictionless user experience (no added latency). Also, cyber protection must be provided in both directions against incoming threats and against data exfiltration. For instance, an enterprise security solution must be able to block a home-based worker from posting, say, an Excel file with confidential customer data onto their personal Dropbox accounts.
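Both directions of the protection described in this use-case, blocking a download of malware from a personal file-sharing account and blocking an upload of confidential customer data to one, come down to a policy decision that combines the destination’s category with what is in the payload. The following is an added example, not Citrix code or the product’s policy language: the destination catalogue, the detectors and their weights, the block threshold, the sample "Excel export" rendered as CSV text and the hash value are all constructed for illustration.

```python
"""Added example: a toy cloud-delivered SWG/DLP decision for direct-to-Internet
traffic that no longer traverses the VPN. Not Citrix code; all data constructed."""
import re
from dataclasses import dataclass

# Constructed destination catalogue: sanctioned corporate SaaS vs personal services.
DESTINATIONS = {
    "sharepoint.example-corp.com": {"category": "sanctioned-saas", "tenant": "corporate"},
    "dropbox.com":                 {"category": "file-sharing",    "tenant": "personal"},
    "mail.google.com":             {"category": "webmail",         "tenant": "personal"},
}
UNKNOWN_DEST = {"category": "uncategorised", "tenant": "unknown"}

# Constructed content detectors: (name, pattern, weight). A score of BLOCK_SCORE
# or more to a non-corporate tenant is treated as confidential customer data.
DETECTORS = [
    ("credit-card", re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"), 3),
    ("email-list", re.compile(r"[\w.+-]+@[\w-]+\.[\w.]+"), 1),
    ("confidential-marker", re.compile(r"\bCONFIDENTIAL\b", re.IGNORECASE), 2),
]
BLOCK_SCORE = 3
EXECUTABLE_SUFFIXES = (".exe", ".js", ".vbs", ".scr")


def classify(text):
    """Return (matched detector names, sensitivity score). Each detector
    contributes weight * matches, capped at five matches so one very long
    file does not dominate the score."""
    hits, score = [], 0
    for name, pattern, weight in DETECTORS:
        n = len(pattern.findall(text))
        if n:
            hits.append(name)
            score += weight * min(n, 5)
    return hits, score


@dataclass(frozen=True)
class Verdict:
    action: str   # "allow" or "block"
    reason: str


def egress_verdict(host, filename, content):
    """Upload decision: confidential content is allowed to corporate tenants
    only; the same file to a personal file-sharing or webmail account is blocked."""
    dest = DESTINATIONS.get(host, UNKNOWN_DEST)
    hits, score = classify(content)
    if dest["tenant"] != "corporate" and score >= BLOCK_SCORE:
        return Verdict("block", f"sensitive content ({', '.join(hits)}) to {dest['category']} ({filename})")
    return Verdict("allow", "no policy match")


def ingress_verdict(host, filename, sha256_hex, known_bad):
    """Download decision: a known-bad hash is blocked from anywhere; an
    executable is blocked when it comes from a personal file-sharing service."""
    dest = DESTINATIONS.get(host, UNKNOWN_DEST)
    if sha256_hex in known_bad:
        return Verdict("block", "known malicious file hash")
    if dest["tenant"] == "personal" and filename.lower().endswith(EXECUTABLE_SUFFIXES):
        return Verdict("block", f"executable from {dest['category']} service")
    return Verdict("allow", "no policy match")


# Constructed sample: a customer export as it would look once the spreadsheet
# is flattened to text for inspection. The card numbers are test-style values.
CUSTOMER_EXPORT = (
    "name,email,card\n"
    "A. Customer,a@example.com,4111 1111 1111 1111\n"
    "B. Customer,b@example.com,5500-0000-0000-0004\n"
)

if __name__ == "__main__":
    print(egress_verdict("dropbox.com", "customers.xlsx", CUSTOMER_EXPORT))
    print(egress_verdict("sharepoint.example-corp.com", "customers.xlsx", CUSTOMER_EXPORT))
    print(ingress_verdict("dropbox.com", "invoice.exe", "constructed-hash", set()))
```

Two design points carry over to a real deployment: the verdict depends on the tenant of the destination, not just the hostname, because corporate and personal accounts of the same SaaS look identical on the wire; and inspection of this kind is only possible if the service terminates TLS, which is why the paper later lists SSL/TLS inspection as default SASE functionality.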
Supplementary Use-Case #2: ZTNA secures access to internal applications but does not protect against confidential information loss. For example, consider a disgruntled employee that decides to take screen captures of Intellectual Property that forms the competitive advantage of his/her employer. Typical ZTNA solutions cannot enforce data protection in such situations.
Solution: Capabilities such as anti-screen capture, disabling of cut-copy-paste and printing, anti-keylogging and watermarking, enforced on business-critical applications, can ensure that enterprise secrets remain within the organization. This functionality must supplement Data Loss Prevention functionality for SaaS applications.
Supplementary Use-Case #3 and Solution: While ZTNA is a security-centric solution and can help improve user experience by delivering VPN-less access, more must be done to streamline the experience of the home-based worker. For instance, home-based workers can be expected to use multiple devices (some corporate-owned, others personal) via their home network. To be productive, their experience must remain consistent across devices and independent of variations in network (ISP) performance.
- Delivering an endpoint-agnostic employee experience: As employees increasingly work from home, work will be conducted across multiple devices, some personal and some managed by IT. These devices could be desktop computers, laptops, tablets and mobile phones, with an array of operating systems. However, to maximize productivity, employees must have access to all business-critical applications within the same streamlined digital workspace, regardless of the endpoint device. This also eliminates dependency on the performance (memory and compute) of the endpoint device itself.
- Delivering a network-agnostic employee experience: On the network side, Internet performance can be an inhibitor to employee experience, affecting collaboration and productivity. With home offices increasingly becoming permanent places of work, enterprises can empower employees with LTE- and Wi-Fi-enabled SD-WAN appliances that prioritize business-critical applications over recreational applications such as Netflix and YouTube. Ideally, these technologies must also bundle in WAN optimization functionality to improve application response times.
Expanding to Secure Access Service Edge (SASE) Architectures
As enterprises replace traditional VPN solutions with ZTNA and add complementary functionality to meet the above-mentioned use-cases, they should consider reducing the number of vendors involved, focusing instead on a few trusted ones. This reduces dependency on multiple vendors to maintain business continuity, identify and troubleshoot technical issues, train IT professionals, etc. This convergence of vendors and technologies is in alignment with Gartner’s Secure Access Service Edge approach:
Key services within a SASE architecture include:
- Core functions: SD-WAN, SWG, CASB, ZTNA and FWaaS, with malware identification and protection in encrypted and unencrypted traffic at line speed.
- Recommended functions: Web application and API protection, remote browser isolation, network sandbox, API-based access to SaaS for data context, and support for a broad range of devices.
In addition to converging the above-mentioned functionality, a SASE architecture must have the following characteristics:
‘Thin branch, heavy cloud’ model – ‘Thin branch, heavy cloud’ means that all security functionality that was traditionally delivered through hardware appliances based in the data center should be delivered as a cloud service. SD-WAN appliances at the ‘thin branch’ automate connectivity between office and/or home-based workers to the security cloud. Intelligent traffic steering within SD-WAN eliminates variation in employee experience due to unpredictability of Internet connections. LTE and Wi-Fi enabled SD-WAN appliances are especially suitable options for modern office locations and home-based workers.
Figure 5. From Traditional Heavy Branch to Cloud-Centric Thin Branch/SASE Models [2]
Source: Gartner
Globally distributed points of presence – The cloud-delivered security service must be orchestrated through globally distributed points of presence (PoPs), with each PoP offering the full set of security services listed as part of the SASE architecture. Global distribution ensures that employee traffic does not have to be backhauled, thus minimizing application latency. Consistency of security services across each PoP ensures that workers receive consistent security, regardless of their physical location.
Single-pass architectures – An encrypted packet is decrypted and inspected just once, by multiple policy engines in parallel. This is different from service chaining of multiple security services, wherein each encrypted packet would be decrypted and inspected multiple times. Single-pass architectures minimize latency in application performance.
SSL/TLS inspection as default functionality – With increasing levels of SSL/TLS traffic, full inspection of encrypted traffic must be offered as default functionality without imposing add-on costs.
IP address persistence – Enterprises need a unique, persistent set of IP addresses for upstream integrations with certain cloud providers and web services. In addition, some countries may only allow access to services if the IP addresses are based in that country. Hence, retention and persistence of IP addresses is important. However, this should not require additional configurations or service subscriptions.
Support for all popular endpoint operating systems – Today, many employees have specific preferences for endpoint devices when they join an organization. On the other hand, some enterprises prefer to standardize on ‘lightweight’ endpoint devices (saving on endpoint infrastructure costs) while delivering virtualized desktops. In either case, enterprises should pick solutions that do not impose restrictions based on endpoint operating systems. In other words, it is important for SASE to secure a broad array of operating systems, including operating systems that may not be the ‘standard issue’ for endpoint devices in the enterprise.
A key principle for SASE is to deliver operational agility in enterprise IT. This is only possible by leveraging the breadth of functionality, but as part of a truly unified, single-vendor solution. Multi-vendor solutions do not offer the level of unification needed, eventually rendering technical integrations, technical support and scale too cumbersome for most enterprises.
The Road to SASE
As SASE converges multiple services, enterprises should begin by addressing their most immediate use-cases and eventually expand to the full SASE architecture. It’s critical to leverage a solution that offers all components of a full SASE architecture, in a manner that each component can be added at a different time to finally create a service that’s unified in both the management and data plane. Most commonly, enterprises are approaching their SASE transformation via one of the following paths:
- Enhanced ZTNA solution for internal applications, virtual desktops and digital workspaces – Enterprises currently leveraging traditional VPN services should explore digital workspace solutions built on the principles of ZTNA. This would provide them key functionality such as SSO with multi-factor authentication, zero-trust access, a streamlined experience across devices through the digital workspace, and critical functionality to protect sensitive corporate information, such as watermarking, anti-screen capture, anti-keylogging, and disabling of cut-copy-paste and printing.
- Replacement of traditional routing functionality with SD-WAN – Traditionally, enterprises adopting SD-WAN either deployed security appliances at the branch or backhauled traffic to the data center. This undermines the cost and performance benefits expected from an SD-WAN solution. Instead, by implementing a SASE architecture that unifies both SD-WAN and cloud-delivered security, enterprises can expect to maximize benefits around cost reduction, application performance and operational agility.
- Replacement of data center-based security stacks with a cloud-delivered security service – Traditional security architectures are often too complex to manage: appliance sprawl, too many vendors, impact on application performance, and the need for frequent software updates and hardware upgrades have forced enterprises to consider cloud-delivered security. Enterprises would achieve greater operational simplicity and consistency in application performance by combining their security transformation with SD-WAN, as part of a comprehensive SASE architecture.
Enterprise SASE transformations will bolster broader initiatives such as cloud migration, global hiring practices, employee mobility, mergers and acquisitions, and realignment of costs to introduce new digital services. A SASE architecture that meets the requirements mentioned in this paper is the platform needed for fast, consistent and secure access to web and hybrid multicloud applications by users everywhere.
Citrix’s Unified Approach to SASE
Citrix offers a fully unified SASE solution that integrates a comprehensive, cloud-delivered security stack with SD-WAN and zero-trust access to securely empower the workforce with the best experience for any application, anywhere, on any device.

Source: Citrix
Identity-aware, Zero-trust Network Access – Citrix Secure Workspace Access delivers SSO and zero-trust access. Unlike traditional VPN solutions that require end-user devices to be managed, provide access at the network level and enforce static access control policies, Secure Workspace Access gives users the choice to access their intranet apps on any device, managed or BYO. It provides access at the application layer to prevent network-level attacks, while enforcing contextual access control policies driven by continuous assessment and verification of both the identity and the device posture of the end user. In addition, Secure Workspace Access is the only solution in the market that helps consolidate SSO to SaaS apps within the same solution, protects user sessions from malicious content such as keyloggers and screen-capturing malware, and protects endpoints and the network from malicious content from the Internet with browser isolation policies.
Cloud-delivered, Comprehensive Security – Citrix Secure Internet Access offers comprehensive, cloud-delivered security services. These include Secure Web Gateway, Next Generation Firewall, Cloud Access Security Broker, Data Loss Prevention, Malware Protection powered by 10+ threat engines, Sandboxing, and advanced analytics, all converged into a high-performance single-pass architecture. Globally distributed across 100+ security points of presence, with each point of presence consistently offering all services, Secure Internet Access protects employees with a full security stack, regardless of the employee’s physical location.
Consistent Application Experience with SD-WAN – Citrix SD-WAN delivers consistent and reliable connectivity to improve application performance and employee experience. Functionality such as packet-level prioritization with sub-second failovers between WAN links helps ensure business-critical applications are prioritized, regardless of network performance variations. LTE- and Wi-Fi-enabled SD-WAN appliances are especially suited for home-based workers.
Unified Management – Citrix offers deep integrations, automations and single-pane-of-glass administration across all its services for simplified, full-lifecycle operations, from initial setup to continual management and troubleshooting:
- Automated ‘dual resilient’ connectivity between Citrix SD-WAN locations and Citrix Secure Internet Access
- Granular control on traffic steering and allocation of bandwidth across networking and security architecture
- Singular view and unified management across networking and security through Citrix Cloud
Citrix’s approach to SASE forms the connectivity fabric between digital workspaces on endpoint devices and SaaS, internal or virtualized applications in the hybrid cloud. The components build on one another, creating a ‘whole that is greater than the sum of the parts’.
Next Steps for Enterprises
2021 presents an opportunity to break silos in IT and define a comprehensive strategy across endpoint management, application delivery, networking, security and analytics. Based on their IT strategies for 2021 and beyond, enterprises should evaluate vendors keeping in mind the requirements mentioned in this paper. To achieve greater agility, employee experience and security, enterprises should consider converging vendors with each vendor delivering a broad array of truly unified services, while also offering native integrations with other industry leaders of complementary services.
Citrix is currently trusted by over 400,000 organizations to deliver a work-from-anywhere experience and can help accelerate your networking and security transformation too. For more information, please check https://www.citrix.com/solutions/secure-access/.
[1] INTERPOL, "INTERPOL report shows alarming rate of cyberattacks during COVID-19", August 2020. https://www.interpol.int/en/News-and-Events/News/2020/INTERPOL-report-shows-alarming-rate-of-cyberattacks-during-COVID-19
[2] Gartner, "The Future of Network Security Is in the Cloud", published 30 August 2019, ID G00441737.