It is almost a year since the COVID-19 outbreak as of the writing of this article. With the end of the outbreak nowhere in sight and new cases springing up every day, remote working is becoming the new normal for many companies. The modern workforce is no longer bound to a single working location; it could be in the office, at home or even on the way to work. Alongside the benefits and mobility of remote working, connecting from outside the company network also comes with its share of security risks, especially when it comes to sensitive and confidential data. According to the 2018 Cyber Incident & Breach Trends Report by the Internet Society's Online Trust Alliance (OTA), more than 45 billion USD in losses were reported globally in 2018 due to cyber-attacks, and 95% of these attacks could have been avoided or mitigated. Examples include ransomware, phishing emails and misconfigured cloud systems. With high-profile ransomware such as WannaCry and security breaches making the headlines, opening companies up to legal ramifications and causing millions of dollars of losses in the process, it is not difficult to see the value of secure remote access.
What is secure remote access?
Before we start, what is secure remote access? Secure remote access is an umbrella term that refers to any type of cybersecurity policy that protects an internal network from unauthorized remote access. For example, the most tried-and-true secure remote access policy is probably the VPN (Virtual Private Network), with most big companies requiring their employees to use a VPN whenever they need to connect to the company network from the outside. In general, the fewer moving parts a security system contains, the more secure the system is. One such approach is the zero-trust security model, a framework under which only authenticated and authorized users and devices can access private network applications and data, with minimal user input. Secure remote access is a crucial part of any system. With companies requiring employees to work remotely due to the COVID-19 pandemic, often with their own devices, older security policies are no longer able to meet the needs of the current workplace.
Different types of secure remote access models
There are many different types of secure remote access models on the market, each with different merits. Here are some examples.
Zero Trust Security Model
In any secure system, users are the most vulnerable part of the system. What if the system is built on never trusting users and always verifying them? The Zero Trust Security Model, as the name suggests, is a security system that eliminates trust from the system. A zero trust security model is a 5-part model with each part protecting a different part of a system:
Mobile Devices Management (MDM) or Endpoint Management
With companies requiring employees to work remotely, often with their own devices, and even letting them bring their own devices to work on premise, a compromised device leaves a secured system vulnerable to outside attackers through no fault of its own. With endpoint management, a device has to abide by a certain set of security policies before it is allowed to connect to the network.
Single Sign-On (SSO)
Single sign-on is an authentication scheme that allows any user to access different systems with a single set of credentials through a centralized set of authentication systems. An everyday example is a Google account: with a single account, a user can access services such as YouTube, Gmail and other Google applications.
Cloud Access Security Broker (CASB)
A Cloud Access Security Broker (CASB) is middleware that sits between the users and the system, enforcing security policies and monitoring user activities within the system. In simpler terms, a CASB insulates, manages and monitors user activities in the system.
Cloud-Based Security & Compliance
Compliance is the cornerstone of any security policy. Without compliance and someone enforcing the rules, there will be no control over the security of the system.
Any anomalies, including errors and abnormal activities, can be analysed and traced in the logs, as long as the events are properly logged. A simple yet effective part of the stack.
Zero Trust Security Model probably deserves its own blog post sometime in the future.
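As an added illustration (not code from the original article or from any product it names), the example below shows how the parts listed above combine into a per-request access decision: an SSO session check, an endpoint posture check, an authorization check for the requested app, and a log entry for every outcome. The policy values, group names and the `Request`, `posture_failures` and `decide` names are assumptions made for this example.

```python
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values; a real deployment reads them from its MDM and SSO products.
MIN_OS_BUILD = 19045
MAX_SESSION_AGE = timedelta(hours=8)
APP_GROUPS = {"payroll": {"finance"}, "wiki": {"finance", "engineering"}}

@dataclass
class Request:
    user: str
    groups: set
    sso_login_at: Optional[datetime]  # None: no SSO session presented
    device: Optional[dict]            # None: device not enrolled in MDM
    app: str

def posture_failures(device):
    """Return the endpoint policy checks this device fails."""
    if device is None:
        return ["not enrolled"]
    fails = [k for k in ("disk_encrypted", "screen_lock") if device.get(k) is not True]
    if device.get("os_build", 0) < MIN_OS_BUILD:
        fails.append("os_build")
    return fails

def decide(req, now, audit_log):
    reasons = []
    if req.sso_login_at is None or now - req.sso_login_at > MAX_SESSION_AGE:
        reasons.append("sso: session missing or expired")
    reasons += ["device: " + f for f in posture_failures(req.device)]
    # Unknown apps map to an empty group set, so the default is deny.
    if not req.groups & APP_GROUPS.get(req.app, set()):
        reasons.append("authz: user not in a group allowed for app")
    allowed = not reasons
    # Allows and denies are both logged so anomalies can be traced later.
    audit_log.append(json.dumps({"ts": now.isoformat(), "user": req.user,
                                 "app": req.app, "allow": allowed, "reasons": reasons}))
    return allowed

# Constructed sample data.
NOW = datetime(2021, 1, 15, 9, 0, tzinfo=timezone.utc)
GOOD_DEVICE = {"disk_encrypted": True, "screen_lock": True, "os_build": 19045}
if __name__ == "__main__":
    log = []
    for dev in (GOOD_DEVICE, None):  # managed laptop, then an unenrolled device
        print(decide(Request("alice", {"finance"}, NOW - timedelta(hours=1), dev, "payroll"), NOW, log))
    print("\n".join(log))
```

Every request is evaluated from scratch, so a device that falls out of compliance or a session that ages past the limit is denied on its next request even if it was allowed a moment earlier.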
Virtual Private Networks (VPNs)
A VPN, as the name suggests, extends a private network across the internet and as such retains the security of a closed, private network. Nowadays, VPNs are as ubiquitous as internet access, as the population is more concerned about its privacy online. There are many types of VPNs, but we are focusing on SSL/TLS VPNs and IPSec VPNs today. They are very different from each other at the technical level, but that is not today's focus; instead we will look at how they differ in everyday office usage.
SSL/TLS is an authentication and authorization protocol built into every modern web browser. SSL/TLS VPNs encrypt the connection of the web browser AND only the web browser through the VPN. For clients, they are generally easier to set up as they only require a browser to function.
If the VPN uses dedicated software to connect the client to the network, it is probably an IPSec VPN. Unlike SSL/TLS VPNs, IPSec VPNs connect the client to the entire network instead of just a specific app and/or service. This is the reason some VPN clients come with dedicated software instead of just a browser plugin, should the user need to fully encrypt their internet connection.
As you can see, neither type of VPN is more secure than the other; it is more important to consider the use case scenarios and how the users are configuring the VPN to suit the needs of their organization.
Single Sign-On (SSO)
This refers to Single Sign-On implemented on its own. Single Sign-On (SSO) allows clients to access every selected service with a single set of credentials. Consider the following scenario: you are using Google, but you have to enter credentials individually every time you want to use another Google service. Annoying, and probably rage-inducing. Single Sign-On is one of the unsung heroes of the internet, not just for the quality-of-life features it brought but also for its security benefits.
Make no mistake though, these solutions are not the be-all and end-all. The weakest link of any security system, no matter how robust, is always humans. A security policy is often not one single product that covers every aspect of a system but a combination of products. What most people do not realize is that a robust security system is (mostly) invisible when it is working as intended, and mildly annoying at best when it is in action.
Credit: How Hacking Works by xkcd (https://xkcd.com/2176/)
The truth is, whichever the case, security systems are there to help mitigate and reduce errors caused by human factors, but they never eliminate them. The correct approach to a complete cybersecurity policy is a combination of a robust security system and a supplementary cybersecurity training program.
Ready to make the transformation with us?
Are you ready to make the move? Master Concept is the winner of Google Cloud Specialization Partner of the Year in Work Transformation in 2020 and a long-time Google Cloud Premier Partner. We provide clients one-stop work transformation solutions tailor-made just for your company. With offices in multiple major cities around the world, we can customize and localize the solution for your company.
Not only did we successfully transform the business of over 300 companies of different sizes in the APAC region by integrating Google Cloud solutions, we are also the Top 3 Google Cloud Partner in Asia and Top 20 Google Cloud Partner in the World, winning multiple prestigious awards against the best system integrators around the world.