The ways organizations can secure remote working over the long-term were discussed by a panel at the Akamai Edge Live virtual conference.
This is in the context of the rapid shift to home working as a result of COVID-19 social distancing restrictions which, for many businesses, is expected to sustain beyond the pandemic.
The first thing CISOs need to decide is which approach they should employ that best suits the needs of their business. Patrick Sullivan, VP and CTO of security strategy at Akamai, commented: “The big decision seems to be: do you want to use that shift to remote work to advance your architecture along a strategic axis towards SASI or zero-trust, or do you feel that’s too risky at this time and want to double-down on existing technologies?”
According to Tim Knudsen, VP of enterprise security product management at Akamai, establishing a zero-trust architecture is key for organizations in achieving an improved security posture with lower costs and improved efficiency compared with virtual desktop infrastructure (VDI) and remote desktop (RDP) technologies.
“You can achieve a similar secure environment that allows you to avoid or block any lateral movement but leveraging the application specific approach of zero-trust and getting granular when it comes to context – users’ location, trust with device, time of day etc.,” he explained. “All those things you can apply towards your access policy, but you can also do it in a more flexible way because you don’t need that underlying infrastructure to present those applications.”
Yet in Japan, there has still been a strong emphasis on using VDI architecture in the remote working environment, although zero-trust and SASE solutions are becoming more popular. Takashi Ohmoto, expert engineer, multi-cloud business department, cloud and security services division at CTC, said this is because many Japanese businesses view devices used outside of the corporate network as the biggest security risk to their organization. This way, employees can take their corporate devices home to work on safely. “By using VDI, enterprises don’t have to concern themselves about the risk of the devices,” he commented.
Ohmoto added that, at the same time, employees can send data in the cloud through web conference applications such as Zoom, which “works together well with VDI.”
In keeping with Ohmoto’s point about the importance of device security, Knudsen acknowledged that zero-trust principles have to be strongly focused on devices as well as users to be effective. “Even if those devices are managed, they are exposed to a far greater risk of being compromised,” he said. This means if network level access is granted “even to a user that’s passed multiple factors of authentication, that device, if compromised, now has broad lateral access.”
Countering this requires further application-specific restrictions to decide whether a device can be trusted, “using the context of the device and its risk profile to make that decision,” according to Knudsen.