What is secure remote access in today's enterprise?
Out with the old, in with the new. The meaning of secure remote access, and how organizations achieve it, is changing. Here's what you need to know.
A solid secure remote access strategy can mitigate risk, improve user experience and lend a competitive edge in today's enterprise.
Craig Bird, managing director at U.K.-based managed services provider Connect Digital Security, said secure remote access technology gave his team a significant advantage when the COVID-19 pandemic sent the country into lockdown in early 2020. "It meant our staff could literally just pick up their machines, walk out the door and work from home the next day," he said. "They could do anything remotely that they could do sitting at their desks in the office."
The goal of secure remote access technology is to connect geographically dispersed enterprise users to the resources they need to do their jobs without putting network security at risk. Until relatively recently, the typical organization provided remote access to just a handful of IT administrators and even fewer business users, according to Gartner analyst Michael Kelley. But since the global pandemic rocked the enterprise, secure remote access has become table stakes for almost every employee.
"'What is secure remote access' is a different question today than it was in 2019," Kelley said. "'Now secure remote access' means any worker can access any application, anytime and anywhere." Meeting that heightened expectation will remain an enterprise priority going forward, experts anticipate, both to prepare for possible future crises and to support a post-pandemic hybrid workforce. IDC predicted that by 2022, 67% of employees will have the option of working remotely at least part time -- and that doesn't just mean from their homes.
"Secure remote access is now predicated on the 'anywhere' worker," said John Grady, an analyst at Enterprise Strategy Group (ESG), a division of TechTarget. "Organizations we talk to are asking, 'How do we give users constant, consistent access, whether they're in the office, at home or in a coffee shop?'"
Many organizations also want the flexibility to securely connect remote users to network resources across a variety of endpoints, according to Heather Hinton, CISO at RingCentral. "Increasingly, we're going to find ourselves doing things like starting a meeting on the way home from the school run and flipping that meeting from the car Bluetooth to the phone to the laptop," she said. Security leaders have to ensure increases in employee mobility and device-hopping don't put sensitive data at risk.
Technologies that secure network connections
Secure remote access technology provides location-agnostic connectivity among enterprise users and centralized applications, resources and systems -- whether in the cloud, on premises or both. According to Grady, the most precise definition of secure remote access describes only technologies that actively facilitate secure network connections, including:
- VPNs. Traditionally, many organizations have provided secure remote access to a limited number of users via virtual private networks (VPNs). A VPN works by extending a private network across the public internet via secure tunnels, using protocols such as OpenVPN. IPsec VPN requires the installation of a client on the end user's device, while SSL/TLS VPN enables clientless connectivity for browser-based applications. Enterprises can deploy VPNs on premises or subscribe to cloud-based VPN services.
- Cloud access security brokers. CASBs negotiate connectivity between end users and cloud resources, while enforcing enterprise security policies across SaaS, IaaS and PaaS environments. According to Gartner, a CASB should facilitate visibility, compliance, data security and threat protection in the cloud. Features may include encryption, authentication, access control, malware detection, data loss prevention, user and entity behavior analytics, threat protection and more. CASB capabilities can stand alone or as part of a Secure Access Service Edge (SASE) offering, which packages secure remote access with software-defined WAN (SD-WAN) capabilities.
- Zero-trust network access. ZTNA, also known as a software-defined perimeter approach, is a new way to tailor access to network resources on a user-by-user basis. While a VPN grants broad entry to a private network, ZTNA uses identity and context to determine which specific resources someone has permission to use at any given time. In SD-WAN environments, SASE offerings may combine CASB and ZTNA capabilities.
- Virtual desktop infrastructure. VDI technology allows users to remotely interact with desktop operating systems and apps as though they were using in-office workstations. Desktop as a service is a cloud-based version of VDI, provided by a third party. VDI can offer a highly consistent UX, according to Gartner's Kelley. But it can also be technically complex and expensive to manage and isn't inherently mobile-friendly.
These secure remote access options aren't all equally effective, according to experts. "The problem is that, historically, remote access technologies have been prone to compromise," Grady said, adding that VPNs are particularly vulnerable and can also be intensive to deploy and difficult to scale. "That technology was meant for a different era."
Growing frustration with legacy options has prompted many organizations to explore zero trust. Miranda Yan, co-founder of VinPit, a Singapore-based startup that serves car buyers, said her company abandoned its VPN in favor of ZTNA during the pandemic. The old technology hindered user productivity, required the deployment of expensive on-premises hardware and didn't, ultimately, provide adequate security, she added. "I'd advise other organizations to ditch the VPN."
Andrew Latimer, CIO of Support.com, a technical support provider with a fully remote workforce, said his team is in the process of following suit, in part, because of its increasing reliance on the cloud. "Integrating SaaS services with an on-premises VPN is onerous," he said.
Gartner predicted that by 2023, ZTNA will have replaced VPNs in 60% of enterprises. Kelley strongly urged any organization still using a perimeter-based security model (legacy VPN) to consider shifting to identity-based security (ZTNA). He cautioned, however, that vendors often abuse ZTNA terminology, calling tools zero trust that don't actually qualify. ZTNA connects remote users based on their identities, so if a product or service doesn't seem to do that, be careful. "The way some people use zero trust is almost fraudulent," Kelley said.
Secure remote access includes identity and access
Secure remote access, by definition, describes the network connection between a geographically removed end user and centralized resources. That said, experts agreed a strong secure remote access strategy must also include a number of distinct but complementary identity and access management (IAM) controls. IAM tools play the critical role of authenticating users as a condition of remote network access.
According to Gartner, an access management (AM) portfolio should include, at minimum:
- Identity repository. An identity repository, or directory, is the centralized, authoritative database where user information resides. It determines who can access which resources and under what conditions.
- Multifactor authentication. MFA verifies user identity via multiple methods of authentication, thus, creating a layered defense. Gartner recommended organizations implement this technology across all remote access use cases, warning that not doing so exposes users to exponentially greater risk of compromise. "You shouldn't be doing remote access without MFA," ESG's Grady agreed.
- Session management. After a user is authenticated via MFA, session management capabilities mean an AM tool remembers that authentication for a set period of time, automatically providing credentials to any applications that user has permission to use.
- Single sign-on. SSO is an authentication service that allows a user to access multiple enterprise applications via one set of login credentials, resulting in better UX. According to Gartner, organizations should only use SSO tools standardized on modern identity protocols such as OAuth, OpenID and SAML.