Article by: Rob Koeten, Chief Software Architect, Pulse Secure
Driven by multiple technology, market and social trends, the world of application and cloud information access is evolving and expanding rapidly. Simply trusting a device connected to the corporate LAN behind proper perimeter security is no longer sufficient in the multi-cloud environment used by agile enterprises today. Let’s explore a next-generation, future-proof approach to Secure Access and learn how you can incorporate and transform your current environment for the next decade. By leveraging context- and analytics-driven trust, you can achieve ubiquitous secure connectivity for your multi-cloud environment.
When thinking about Secure Access, it is important to have a common understanding of the problems addressed and the key value it provides:
- Secure the access so as to provide one or more connections to applications and information, at any time, anywhere and from any originating network.
- Access is secured from the application provider’s perspective: how can the provider establish and maintain trust with users and devices, so that it is neither compromised nor leaks information?
- Securely access the cloud/enterprise application from an end-user (or IoT device) perspective: can the user trust the service and application providers, the integrity of the information and any potential intermediaries, as information is persisted or retrieved?
The common factor across these interpretations is trust: Secure Access to corporate or IoT device information is rooted in the establishment of mutual trust between the provider (service) and the consumer/subscriber (client) of that information. This trust extends to any intermediary service and connection fabric. The client must trust that the provider and its information are legitimate, maintain their integrity and are protected. On the other hand, the provider must trust that the client (user, device, application) is legitimate and authorised and does not pose a threat of compromising the provider or leaking information, either accidentally or intentionally.
The end-user experience plays a critical role in establishing trust consistently. Usually, users want to do the right thing to get their jobs done, but if security becomes too cumbersome, users will find a way around it. It is imperative that security is pervasive while remaining largely transparent. In the end, corporate productivity depends on employees’ ability to collaborate internally and externally, while minimising information and security risks. That leads to another key objective for Secure Access: moving from a purely controlling, restrictive access model based on zero trust to an enablement model (the trust-but-monitor-and-verify principle), so that users and devices can get their jobs done as effectively as possible.
Trends that redefine Secure Access
The enterprise IT environment is increasingly shaped by four major trends that have ramifications for Secure Access to applications and information. First, the emergence of the multi-cloud corporation, driven by the explosive rate of cloud computing and hybrid IT adoption. The main driving factors are:
- Cost benefit of using SaaS, PaaS and IaaS providers.
- No or limited competitive differentiation for infrastructure or standard business applications.
- Agility; much faster Time-To-Value for new business applications, with an ability to respond to rapidly changing market conditions.
- Data centre extensions into the cloud for scale-out (peak demand) as well as on-demand disaster recovery failover.
Very few companies, if any, will be exclusively on-premises or fully cloud based. Most companies will have a blend of legacy data centre, public and private PaaS/IaaS, and SaaS-based applications and services. The diversity and rapid evolution of the technology stacks within the multi-cloud environment require multiple methods of remote, mobile and cloud secure access. A simple VPN connection back into the corporate LAN can still be critical, but it is no longer sufficient.
Second, the consumerisation of IT is revolutionising the nature of today’s workplace. Millennials are accustomed to a rich on-the-go digital experience in their personal life, and they expect a similar digital experience at work using their own devices. Companies must provide this user experience for their employees without compromising key compliance and security requirements.
Similarly, application developers in both the IT organisations and business units operate with a self-service mind-set, consuming SaaS, PaaS and IaaS services without being burdened by complex and slow (IT) approval processes. Barriers to adoption and the cost of initial development are perceived to be minimal. Operational effectiveness and security are generally secondary considerations.
Third, users, applications, services, devices and company networks are under increased and focused attack from hacktivists, individual threat actors and nation-state actors. Additionally, the corporate multi-cloud environment, with its more open collaborative approach, has dramatically increased the exposure and attack surface. Consequently, establishing secure access must become the collective responsibility of the NOC, SOC, business-application and DevOps teams.
Fourth, the Internet of Things (IoT) segment is exploding. Printers, smart TVs, security cameras, sensors, and other peripheral devices are all connected to smartphones, cloud services and enterprise networks. Often, organisations are unaware of the myriad of ways IoT devices connect to their internal systems and external services. Cyber criminals view IoT devices as a golden opportunity for targeted attacks, taking advantage of security weaknesses and employee ignorance alike. To gain control of the security risks posed by the IoT devices, organisations need end-to-end visibility, contextual awareness, real-time action and, perhaps foremost, Secure Access.
The evolving Secure Access
In order to understand how Secure Access needs to evolve, we need to establish a trust model that underpins secure access in all of its forms. One such model breaks the problem into four layers that are typically associated with distinct management domains within the IT organisation. The top-level objective is to provide the user (or IoT device, for that matter) with secure access to create, store and retrieve information. This is based on client-side services and applications that connect to cloud and enterprise applications, which in turn rely on client devices connecting to cloud and data centre infrastructure, through wired and wireless connectivity into public and corporate networks.
Secure Access then translates into information access based on trust across and between the layers. Some use-case scenarios rely on implicit trust, whereas others require explicit trust relationships. For example, a user who logs into a legacy corporate computer connected to the corporate LAN used to be implicitly trusted to access most internal/on-premises enterprise applications (file shares, mail server, intranet server, etc.). In today’s environment, a user may need to authenticate with a mobile application that was installed and secured by an endpoint management solution, using a device profile for corporate Wi-Fi connections, to access the enterprise application behind the firewall. The user’s role and profile would then determine which parts of the application, and which information, would be accessible.
Note that when overall trust depends on the trust between the layers, this also implies that the system solutions used by the different IT departments can trust each other (and share the same model and understanding of such trust). Using this model, we can now define Secure Access in the multi-cloud environment as the “ubiquitous secure connectivity for users and devices to a specific set of enterprise multi-cloud applications and services, based on their role and context, from any location through any network at any time.”
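As an added illustration (not code from the article or from Pulse Secure), the following Python policy evaluator scores trust per layer (user, device, network) and grants information scopes by role, reproducing the scenarios above: the implicitly trusted corporate PC on the LAN, the endpoint-managed mobile device on corporate Wi-Fi, and an unmanaged device on a public network. The layer names come from the article; the scores, roles, scopes and thresholds are constructed assumptions.

```python
from dataclasses import dataclass

# Assumed per-layer trust scores; the article names the layers but defines no scoring scheme.
NETWORK_TRUST = {"corporate_lan": 3, "corporate_wifi": 2, "public": 0}
DEVICE_TRUST = {"corporate_managed": 3, "epm_managed": 2, "unmanaged": 0}

# Constructed sample entitlements: which information scopes each role may see.
ROLE_SCOPES = {
    "finance": {"intranet", "mail", "finance_reports"},
    "staff": {"intranet", "mail"},
}

# Constructed sample policy: minimum combined trust each scope requires.
SCOPE_MIN_TRUST = {"intranet": 2, "mail": 3, "finance_reports": 5}

# Highest trust the model can express; anything below it is granted with monitoring.
FULL_TRUST = 1 + max(DEVICE_TRUST.values()) + max(NETWORK_TRUST.values())


@dataclass(frozen=True)
class AccessContext:
    user: str
    role: str
    authenticated: bool
    device: str
    network: str


def layer_trust(ctx: AccessContext) -> dict:
    """Score each layer separately; an unknown device or network earns zero trust."""
    return {
        "user": 1 if ctx.authenticated else 0,
        "device": DEVICE_TRUST.get(ctx.device, 0),
        "network": NETWORK_TRUST.get(ctx.network, 0),
    }


def decide(ctx: AccessContext) -> tuple:
    """Return (granted scopes, monitor flag) for a request in the given context."""
    trust = layer_trust(ctx)
    if trust["user"] == 0:
        return set(), True  # no verified identity: nothing is granted
    total = sum(trust.values())
    entitled = ROLE_SCOPES.get(ctx.role, set())
    granted = {scope for scope in entitled if total >= SCOPE_MIN_TRUST[scope]}
    # "Trust but monitor and verify": below full trust, access is allowed but flagged.
    return granted, total < FULL_TRUST
```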
Given the diversity of applications, cloud applications, client devices, server/service infrastructure, networks and topologies, it is unlikely that a single vendor can cover all data paths in this multi-layer fabric of connections. It is envisioned, however, that a vendor who is client, service and infrastructure neutral can orchestrate multi-vendor solutions based on a central, consistent policy and trust model. Whether an information access request occurs between an IoT device and an end-user device, between cloud services, or as a client aggregation request across cloud and data centre, a common policy model would consistently determine and enforce trust and trust levels between the requesters and providers of information.
At the same time, the end-user experience or IoT connection setup needs to be simple and consistent regardless of the different paths, layers and solutions that support the Secure Access connection types. To do so, you would adopt a single orchestration solution that centralises the core principles of your Secure Access and trust model into a single, consistent management model that is distributed across the ecosystem and your multi-cloud environment.
What to Look for in a Secure Access Orchestration solution
With a Secure Access Orchestration solution in place, companies can take advantage of multiple use cases, including BYOD, multi-vendor IoT support, unified compliance enforcement, and DevOps delivery with integrated secure access. Given the diversity and dynamics of today’s businesses, your solution should reflect the switch from a static trust and policy enforcement model to a more dynamic, yet consistent, context-based trust model driven by analytics and insights. The Secure Access Orchestration solution should also provide API management services for developers and third-party products that integrate with your existing solutions, services, processes and fabric. All of this, in support of ubiquitous secure connectivity based on a common, dynamic, multi-layer trust model, will deliver on the dual objectives of enterprise security and user productivity.