Can zero trust principles shape the future of remote access in the fulminant digital economy? Here is one expert’s worldview …
What kind of precautions should organizations take in allowing remote access for office networks amid lockdowns and other pandemic control measures?
With a Remote Access Policy in place, organizations can keep everyone on the same page regarding proper protocols when using remote access tools. Properly imbibed into the IT infrastructure, these policies and regulations can be adhered to at all times.
However, things are never so simple, as demonstrated by numerous cyberattacks in the past year that leveraged the enlarged attack surface consisting of Work-from-Home users and their personal computers and smart devices.
Using Zero Trust in remote access
Given the rising influence of zero trust networking at the corporate network level, can the same principle be applied to remote access?
One expert, the CEO of EverestIMS Technologies of India, Satish Kumar V, affirmed the practicality of this concept. On being asked whether zero-trust remote access is similar to zero-trust security and networks, and whether zero-trust systems are 100% secure, Kumar explained: “Zero Trust is centered on the concept that organizations should not automatically trust anything inside or outside its perimeters. Any system reaching out to gain access should be permitted with proper policies and least privileges.”
Kumar said that zero-trust security and networks, along with implementation for remote-access in WFH, “are the best approaches to current demands of operational flexibility.” This applies not only to the current pandemic situation, but also for rapid growth and global operations of enterprises. “It also provides a good security blanket for actual device credentials, third parties attempting to access the network, and requirements of audit and compliance in banks, financial institutions, healthcare, telecoms, IT/ITeS, etc.”
With metered access, full recoding and proactive command restrictions, a zero-trust system creates a closed loop one-on-one segmentation of the desired resources in a network. “It drastically reduces the capability to compromise a complete IT infrastructure. Well, there is a possible scenario in which a standalone zero-trust approach might get exploited, but that is the challenge that we—as an industry—should anticipate and gear up for,” Kumar opined. He reckons that, combined with traditional security practices, a 100% robust cyber defense system can be put in place: “Meanwhile, organizations will benefit by implementing resilient processes and an empowered workforce to ensure that they reap in the benefits that this approach has to offer.”
Zero training required?
In zero trust remote access, authorization and security, credentials are approved on needs basis and privileges are provided based on user roles to specific target node(s). This can even be controlled to the level of whitelisted commands and operations for a specific user.
According to Kumar: “The best part is that there is absolutely zero training required for end users (network operators) when a comprehensive provides a seamless experience similar to that of Putty-based sessions. All this gets done while maintaining the multi-stage segregation between user terminal and target nodes, regardless of them being on-premise or in a cloud/hybrid infrastructure design. Actual credentials to the target node remain well hidden from all.”
For granting temporary access to third-party personnel (like OEM engineers/SMEs/consultants) there is no worry of exposing the credentials of the target nodes. Also, there is complete audit of all the operations that have been performed on or from the system, giving forensic systems foolproof evidence of changes that were performed, Kumar said.
Some caveats aside from security
Cybersecurity is paramount in zero trust remote access, but speed and performance are also critical to the productivity of remote workers. The key technology requirements and features that would define successful WFH arrangements would be:
- secure and prompt access to all applications
- cloud identity access management
- rapid deployment
- optimum user experience (i.e., network performance)
- visibility and troubleshooting capabilities
In typical remote access setups, virtual private networking may present scalability and performance issues. A vast majority of businesses are looking to replace their traditional VPNs because of the challenges presented by the rush to implement remote-working.
Fortunately, there are now multiple solutions to overcome scalability issues with VPN, while minimizing complexity and improving security by keeping unwanted users off the network, Kumar noted: “Remote access systems have evolved a lot in the recent times. They also have a big role to play in enhancing secure access in the coming years. The traditional experience of remote access creating lags and disconnect from usual working experience are the things that are being addressed by the current systems. The road ahead for these systems is to ensure consistent and seamless end-user experience, while enabling operations teams to continue delivering services and support in a secure and robust way.”
How will WFH evolve as zero trust remote access and digitalization accelerate at a breakneck pace?
According to Kumar, the workflow will progress from being just simple remote infrastructure access to being an enabler for varied remote requests, including API requests, application access requests, risk-aware automated AI systems, cloud access management and many more.
“Just as organizations have evolved in using public cloud/private cloud/hybrid environments, remote access also will get absorbed and embedded into the DNA of organizational operations.”