It used to be common to drive into the office five days a week. COVID has changed that dramatically. For many companies, it became important to support a work-from-home workforce right away and I do not see that changing back anytime soon. Personally, I have found that I can do more work from my home without the need to commute. However, as an Information Security Manager, I am concerned with this change since we lose control of how data is accessed outside of the corporate offices.
Virtual Private Networks, or VPNs, have been around a long time. Their original design was to give remote access to resources back on the corporate network. Of course, as companies use more cloud services, the need to use VPNs goes down. Forcing staff to use a VPN to enforce security when they are going to a cloud service, like Office 365, means traffic is going to the corporate network just to go back to the Internet – the end-user experience can be impacted because of how their traffic flows. So, how does IT deal with the security of company data and allow for this new work-from-anywhere environment?
Recently, I discussed this topic with Peter Newton, Senior Director of Products and Solutions for Fortinet. Peter told me about Fortinet’s solution to Zero-Trust Network Access, or ZTNA. Fortinet states their “unique approach, delivering ZTNA as part of our FortiGate Next-Generation Firewall (NGFW) makes it flexible, covering users when they are remote or in the office.” Peter mentioned that if you have a FortiGate firewall, it can just be enabled, as there is no extra licensing needed. But what if you have a competitor’s firewall? Fortunately, FortiOS (Fortinet’s firewall operating system) can be loaded on a virtual machine – no need to replace any competitor firewalls to try it out. The graphic below illustrates Fortinet’s version of ZTNA. The red object in the middle could be a firewall, a virtual appliance, or even running in the cloud.
Peter had a good comment that I deal with a lot: “Work-from-anywhere is a big challenge because, when you think about it, it’s not just remote work or on-prem work – it’s work in the office and remote and traveling.” My company has most of its staff working remotely, but not all. Some staff, like facilities and Help Desk, still need to come into the office, plus sometimes that face-to-face meeting is required. Having a solution that works the same whether you are in the office, at home, or somewhere else would be ideal. Of course, it must be easy for the end-user. For instance, it is not a good practice to tell end users to use a VPN only for certain services. But it must be secure, because the thought of losing sensitive data is what keeps IT security staff, like myself, up at night.
My company is a collection of acquisitions, so we have different vendor products. One of the issues currently identified is trying to make connectivity easy for end users no matter which location they are in, and this includes visitors. I will not mention our current web protection solution, but it is a proxy in the cloud. Proxies are an older technology and I have found issues including rewriting web pages incorrectly, too much administrative overhead, and only protecting workstations that have the agent installed (and enabled). Obviously, this solution does not work for those visitors. According to Peter, ZTNA could answer my concerns with the current solution, offer a simpler experience to end users, and protect visitors that come to our offices. Plus, it sounds like a simple install for a proof of concept without needing to replace any of the existing products, which is important since we currently have a few different vendors between all our locations.
After my chat with Peter, I think it is time to talk with my own management about ZTNA. For anyone who wants to know more about this, you can listen in to our conversation or head over to Fortinet’s website.