Zeus Kerravala, Founder and Principal Analyst at ZK Research, focuses on emerging technologies that enable organizations to transform.

Hybrid work is here to stay, making it important for businesses to have an easy but also secure way for employees to connect to company resources. Although caffeine and connectivity are easily available from public places like cafés, it’s a real Sophie’s Choice for IT and security leaders: Allow users direct access to the internet and software-as-a-service (SaaS) applications, with no security controls; or route traffic to a remote data center where their security controls are located using a virtual private network (VPN). It can be like flying from San Francisco to Chicago with a connection in Miami.

Many organizations have adopted a Zero Trust model for branches, factories and other remote sites to overcome the security and user experience tradeoffs of a remote workforce. This strategy is referred to as a café-like branch architecture.

Understanding Zero Trust

Zero Trust is a departure from 30 years of networking and security history. To better understand what has led to the development of the Zero Trust model, we’ll need to go back in time. In the 1990s, companies built IP networks to connect users and devices in branches and remote sites to applications in the data center. These networks were protected with firewalls and other security appliances by establishing a security perimeter. Everything outside the security perimeter was untrusted, and everything inside or connected to the network was trusted.

Companies turned to VPN technology to allow remote users to remain productive when out of the office. A VPN extends the corporate network to wherever the user happens to be connecting from. During the Covid-19 pandemic, VPNs were used to extend corporate networks to millions of households.

However, there are two major security risks inherent in this architecture. The first is that every firewall exposed to the internet can be attacked by bad actors. The second is that once a bad actor gains access to the network, they can see and move around freely. A single infected device can wreak havoc on the corporate network and every device connected to it. These risks are driving the adoption of Zero Trust.

The concept of Zero Trust has been around for a while but wasn’t previously achievable with existing network and legacy security products. With Zero Trust, no one and no device is trustworthy and there is no such thing as a trusted corporate network. Networks are viewed simply as transport, and every request to access an application is sent to a Zero Trust Exchange, where business policies are applied and security enforced.

Think of the Zero Trust Exchange as a modern-day switchboard. When you call a company today, you often speak to a receptionist. The receptionist wants to know who you are, why you’re calling and who you want to speak with before routing or denying your request. A Zero Trust Exchange operates in a similar way. A request comes, the person’s identity is confirmed, the destination is confirmed and, depending on the policy, access is granted or declined. If access is granted, security controls are in place to block the bad and protect the good.
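The switchboard analogy above can be made concrete with a small policy engine. The following is an added illustration, not code from the author or from any Zero Trust vendor: it models an exchange that answers "who are you?", "what device are you on?" and "who do you want to speak with?" for every request, defaults to deny, and records each decision. All identities, device posture values, application names and policies are constructed sample data; the notable design choice is that the request carries no source IP or network location at all, because under Zero Trust the network is only transport.

```python
"""
Toy Zero Trust Exchange policy engine (added example, constructed data).
Every access request is evaluated on identity, device posture and the
destination application; network location is never an input.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Identity:
    groups: frozenset          # e.g. {"sales"}
    mfa_verified: bool         # did the user complete MFA this session?


@dataclass
class DevicePosture:
    managed: bool              # enrolled in corporate device management
    disk_encrypted: bool
    edr_running: bool


@dataclass
class AppPolicy:
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed_device: bool = True


@dataclass
class AccessRequest:
    user: str
    device_id: str
    destination: str           # an application name, never a host or IP


@dataclass
class Decision:
    allowed: bool
    reason: str


class ZeroTrustExchange:
    """The 'receptionist': confirms caller, confirms destination, applies policy."""

    def __init__(self, identities: Dict[str, Identity],
                 devices: Dict[str, DevicePosture],
                 policies: Dict[str, AppPolicy]) -> None:
        self.identities = identities
        self.devices = devices
        self.policies = policies
        self.audit_log: List[Tuple[AccessRequest, Decision]] = []

    def evaluate(self, req: AccessRequest) -> Decision:
        decision = self._decide(req)
        self.audit_log.append((req, decision))   # every decision is recorded
        return decision

    def _decide(self, req: AccessRequest) -> Decision:
        # "Who are you?" An unknown identity is denied before anything else.
        identity: Optional[Identity] = self.identities.get(req.user)
        if identity is None:
            return Decision(False, "unknown identity")
        # "Who do you want to speak with?" No policy for the destination means
        # deny: there is no ambient reachability to fall back on.
        policy: Optional[AppPolicy] = self.policies.get(req.destination)
        if policy is None:
            return Decision(False, "no policy for destination")
        # Apply the business policy for this application.
        if not identity.groups & policy.allowed_groups:
            return Decision(False, "group not authorized")
        if policy.require_mfa and not identity.mfa_verified:
            return Decision(False, "MFA required")
        if policy.require_managed_device:
            posture = self.devices.get(req.device_id)
            if posture is None or not posture.managed:
                return Decision(False, "unmanaged device")
            if not (posture.disk_encrypted and posture.edr_running):
                return Decision(False, "device posture failed")
        return Decision(True, "policy matched")


def build_demo_exchange() -> ZeroTrustExchange:
    """Constructed sample directory, device inventory and app policies."""
    identities = {
        "alice": Identity(frozenset({"sales"}), mfa_verified=True),
        "bob": Identity(frozenset({"engineering"}), mfa_verified=False),
    }
    devices = {
        "laptop-01": DevicePosture(managed=True, disk_encrypted=True, edr_running=True),
        "byod-phone": DevicePosture(managed=False, disk_encrypted=False, edr_running=False),
    }
    policies = {
        "crm": AppPolicy(frozenset({"sales"})),
        "wiki": AppPolicy(frozenset({"sales", "engineering"}),
                          require_mfa=False, require_managed_device=False),
    }
    return ZeroTrustExchange(identities, devices, policies)


def run_demo() -> List[str]:
    """Evaluate a handful of constructed requests and return the reasons."""
    ex = build_demo_exchange()
    requests = [
        AccessRequest("alice", "laptop-01", "crm"),      # allowed
        AccessRequest("alice", "byod-phone", "crm"),     # unmanaged device
        AccessRequest("bob", "laptop-01", "crm"),        # wrong group
        AccessRequest("bob", "byod-phone", "wiki"),      # allowed by wiki policy
        AccessRequest("mallory", "laptop-01", "crm"),    # unknown identity
        AccessRequest("alice", "laptop-01", "10.0.0.5"), # raw host: no policy, denied
    ]
    return [ex.evaluate(r).reason for r in requests]


if __name__ == "__main__":
    for reason in run_demo():
        print(reason)
```

Two points the demo makes that the prose only states: a request for a raw host address rather than a named application is denied because no policy exists for it, and a valid user on an unmanaged device is refused even though their identity and group are fine. Both are the per-request, default-deny behaviour that distinguishes an exchange from a perimeter firewall.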

Bringing Zero Trust To Branches

Technologies like multiprotocol label switching (MPLS) and software-defined wide area networks (SD-WANs) allow communication between branches, remote sites, data centers and even public clouds. The risk of bad actors leveraging this network to cause harm is very real.

Zero Trust has demonstrated its ability to securely connect users to applications without extending the network using a VPN. And now, companies are applying this model to branches and factories, where there are no direct links to other entities. They can only talk to a Zero Trust Exchange. Instead of relying on complex infrastructure tools like MPLS and SD-WANs, you can use any broadband or even 5G connection to create a Zero Trust scenario where branch offices operate as secure islands and minimize the risk of lateral threat movement and ransomware.

If your organization is looking to adopt the café-like branch model, I recommend focusing on these two areas:

• Start with branches that only have users, like a sales office. It’s a simple way to get started and save money. You don’t need SD-WAN at these locations.

• For branches and remote sites that have users and Internet of Things (IoT)/operational technology (OT) devices, go with a Zero Trust SD-WAN solution. Each site still only needs a broadband connection, but you get the security benefit of not having direct links to other sites. Since all traffic goes through a Zero Trust Exchange, your branches and remote sites are not visible from the internet the way they are with firewalls. Bad actors can’t attack what they can’t see.

The Future Of Connectivity

The advantages of this model go beyond security. In my experience, simplified branch connectivity can also allow organizations to introduce new technologies with fewer constraints and offer better support to their teams. At the same time, I’ve found that lightweight architectures can help save IT funds and allow teams to concentrate more on strategic initiatives.

By adopting a café-like branch model, companies can remove themselves from the limitations and security risks of traditional networking while addressing the needs of the present and the challenges of the future.
