Guess Who? Access Management Struggles in the Age of Remote Workby@verasmirnoff
411 reads

Guess Who? Access Management Struggles in the Age of Remote Work

tldt arrow
Read on Terminal Reader

Too Long; Didn't Read

In the age of remote work, access management has become one of the most important- and difficult- tasks for IT professionals. But it doesn't have to be this way. There is a new class of solutions that are designed for the age of remote work. These identity-first networking solutions use user and device identities to control access rather than IP addresses.

Company Mentioned

Mention Thumbnail
featured image - Guess Who? Access Management Struggles in the Age of Remote Work
Vera Smirnoff HackerNoon profile picture

@verasmirnoff

Vera Smirnoff

Credibility

react to story with heart

TLDR: VPNs are passe. It's time to upgrade to a Zero-Trust Network (if you haven’t already)

If you are an employee who works remotely, I am sure you have been in this situation. You are trying to access a corporate cloud resource from home, but you can't get past the company's VPN.

The experience is horrible- it's slow, hard to connect, and once you're finally in, you can't access half the things you need without back-and-forth Slack messages to the IT help desk.

On the other hand, if you are an IT professional who manages remote workers, your users are constantly complaining about the VPN, and you are struggling to keep up with requests to add new apps and services to the corporate firewall.

You are running around like a chicken with your head cut off, whitelisting IP addresses to maintaining complex subnet assignments and VLAN segments. You are starting to feel like your job is nothing but granting access to different parts of the network- like a medieval castle guard.

If this sounds familiar, then you are not alone. In the age of remote work, access management has become one of the most important- and difficult- tasks for IT professionals.

Access Control in the Age of Remote Work

The problem is that most Access Management solutions were designed for a world where everyone worked in the office. They relied on things like IP addresses and site-to-site VPNs to control access.

But in the age of remote work, those solutions just don't cut it anymore. Today, network security and access control are hard. Users are accessing corporate resources from all over the world.

It's hard to keep track of all the different devices, apps, and users on your network. It's hard to know what they're doing and where they're going it. And it's especially hard to ensure they're not doing anything that they shouldn't be doing.

But it doesn't have to be this way. There is a new class of solutions that are designed for the age of remote work. These identity-first networking solutions use user and device identities to control access rather than IP addresses.

Problems With VPNs

VPNs were designed for a different era- an era when network security was based on the perimeter. But in the age of remote work, the perimeter has all but disappeared. The first step in moving to an Identity-First solution is understanding the limitations of your current VPN:

  • Incompatible with remote work: VPNs rely on IP addresses to control access. But when users are working remotely, they often don't have a static IP address. This makes it hard to grant them access to the resources they need.

  • Security issues: VPNs provide access to entire networks, increasing the blast radius of incursions. Even worse, by publicly exposing an access point into your network, VPN s may give attackers the ability to identify systems and users on your network.

  • Poor user experience: The biggest complaint with VPNs is the poor user experience. Users have to log in, wait for the connection to be established, and then hope they can actually access what they need. In a battle between user experience and security, security will lose every single time. If you make your users jump through hoops to access resources they need for their jobs, they will find (often creative) workarounds to access the data they need.

  • VPNs are difficult to scale. As the number of users and devices grows, so does the complexity of managing the VPN.

  • Difficulty in audit and reviewing access: When you have hundreds or even thousands of users connecting to your network through a VPN, it can be difficult to audit and review who is accessing what.

  • Lack of granular control: With a VPN, it's all or nothing. Users have access to the entire network, which makes it difficult to limit their access to only what they need.

The bottom line is that VPNs are no longer enough to keep your network secure. It's time to move to an identity-first solution.

Identity-First Networking vs. Traditional Network Security

Identity and Context-Based Access

The biggest problem with the traditional network security model supported by a VPN is that it relies on a static perimeter. There is a clear distinction between "internal" and "external" users.

Internal users are trusted because they have been physically verified (e.g., they are inside the building), while external users are considered untrusted and are subject to more stringent security measures.

With the rise of remote work, the proliferation of mobile devices, and the increasing use of cloud-based applications, the network perimeter has become increasingly porous. It's no longer possible to rely on the network perimeter as a security boundary.

In a Zero-Trust Network, there is no concept of "internal" network traffic. All users are treated equally, regardless of location. Access is based on user identity and context, not on an IP address.

This makes it much more difficult for attackers to gain access to resources since they would need to have a valid user account and be able to pass both identity and context evaluation.

Granular control over resource access

While a VPN creates a secure tunnel between two points, it does not provide granular control over who has access to what resources. A Zero-Trust Network, on the other hand, uses identity and context to make real-time decisions about whether to allow or deny access to a resource.

Zero-trust principles

One of the biggest issues with VPN is that it is incompatible with Zero-Trust. Access is a security model that requires all users, regardless of location, to authenticate before accessing any resources. The model is based on the following principles:

  • Verify before you trust: Every request to a private resource is authenticated and authorized based on real-time contextual information (user identity, location, device, risk, etc.).

  • Never trust, always verify: There is no such thing as an internal network or an external network. All traffic is treated equally and requires verification.

  • Tie users to their actions: Users are identified, and their actions are logged so that you can audit and review them later.

  • Enforce least privilege: Users are only given the bare minimum permissions they need to do their job. No more, no less.

Benefits of Zero-Trust Networking

There are many benefits to implementing Zero-Trust Networking, including the following:

  1. Increased security: By implementing multiple layers of security, you can make it more difficult for attackers to penetrate your network.

  2. Improved compliance: Zero-Trust Networking can help you meet compliance requirements, such as those set forth by the GDPR and HIPAA.

  3. Enhanced user experience: Zero-Trust Networking provides a better user experience than traditional VPNs, which can be slow and cumbersome.

  4. Simplified network management: Zero-Trust Networking simplifies network management by eliminating the need to maintain separate "internal" and "external" networks.

Zero-Trust Networking is the future of network security. It provides a more robust and comprehensive security posture than traditional network security models, and it's easier to manage and maintain.

It's time to rethink your access control strategy and move to an Identity-First model that will allow you to take advantage of the cloud, improve your users' experience, and increase your organization's security posture.

RELATED STORIES

L O A D I N G
. . . comments & more!
Hackernoon hq - po box 2206, edwards, colorado 81632, usa