Leveraging the cloud to expand access for remote workers: A guide

Lior Cohen is Senior Director of Products and Solutions – Cloud Security at Fortinet. He has over 20 years of experience working in the information security, data center network and cloud computing spaces. Lior serves as Fortinet’s lead for cloud security solutions with a focus on securing enterprise public cloud-based deployments and private cloud build-outs. Lior previously held a variety of vendor and customer side positions in the cloud security space, including cloud solutions architect, information security consultant and subject matter expert for SDN, virtualization and cloud networking for leading industry vendors.

As organisations work to enable remote workers and remote students to meet the sudden demands of the current crisis, the goal is to bring up remote services quickly without introducing new security gaps or unjustified operational overhead. Doing so, especially when networking and security have to be blended into a single solution, is a complicated process in the best of times, let alone on a short timeline.

Digital transformation also means remote access is about much more than a secure connection back to the office. Many critical business applications and other essential resources are now hosted in the cloud, or across several clouds, and rather than backhauling that traffic through the core network, organisations need to consider connecting the teleworker's desktop or laptop to those applications directly. Direct connectivity reduces the load on the corporate network and improves user experience, especially for high-bandwidth or latency-sensitive applications.

It is also critical that remote access includes advanced security. Bypassing the corporate perimeter means the controls that lived there (authentication, traffic inspection, logging) must be applied wherever the traffic now terminates. Organisations therefore need a remote access solution that offers a consistent security posture across multiple locations, combined with the performance and flexibility to scale to today's heightened demand.

A unified security solution for all teleworker use cases

Deploying large-scale VPN for remote users requires more than enabling connectivity. Users and devices must be segmented by role, device type or security profile, and role-based access control (RBAC) must be enforced so that least privilege and need-to-know hold: each user and device reaches only the content and resources it actually requires. IT teams also need to identify the users who require special access to resources.

As part of that process, IT teams need to assign users to different roles. One example is identifying the power users, such as system administrators, IT support technicians and emergency personnel, who require a higher level of access to corporate resources and the ability to operate in multiple, parallel IT environments.

Groups that typically need this treatment include administrators with privileged system access, executives and their support staff, the human resources and finance teams, and key partners named in the continuity plan.

These requirements can be met with SSO, identity federation and integration with authentication, authorisation and accounting (AAA) systems. Continuous monitoring and automated response are needed so that policy violations are detected and resolved quickly. And because access spans multiple network environments, access controls must be defined once and enforced consistently, scalably and adaptively whether the resource being accessed is in the cloud or on premises.
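The following is an added example, not code from the original article or from any Fortinet product. It sketches the access decision a remote-access gateway makes once federation has delivered a user's group claims: groups map to roles, roles map to resources with deny-by-default, privileged ("power user") resources additionally require a managed and compliant device, and every decision is logged so denials can feed monitoring. The group names, resource names and posture attributes are assumptions made for the illustration.

```python
"""Role-based access decision for a remote-access gateway.

Added example, not part of the original article or any Fortinet product.
Group names, resource names and the posture attributes are assumptions
made for the illustration; the identity provider (SSO/federation) is
assumed to deliver the user's group membership as a claim.
"""
from dataclasses import dataclass

# Role -> resources the role may reach (need-to-know). Anything not listed
# here is denied, so the policy is deny-by-default.
ROLE_RESOURCES = {
    "employee": {"mail", "intranet"},
    "finance":  {"mail", "intranet", "erp"},
    "sysadmin": {"mail", "intranet", "erp", "prod-ssh", "cloud-console"},
}

# Identity-provider group claim -> role. Federation does the authentication;
# the gateway only maps the asserted groups onto its own roles.
GROUP_TO_ROLE = {
    "CN=All-Staff": "employee",
    "CN=Finance":   "finance",
    "CN=IT-Admins": "sysadmin",
}

# "Power user" resources additionally require a managed, compliant device
# (the device-type / security-profile segmentation described in the text).
PRIVILEGED_RESOURCES = {"erp", "prod-ssh", "cloud-console"}


@dataclass
class Session:
    user: str
    groups: list          # group claims asserted by the IdP
    device_managed: bool  # corporate-managed endpoint?
    posture_ok: bool      # endpoint passed its security-profile check?


@dataclass
class Decision:
    allowed: bool
    reason: str


# Every decision is recorded so that denials can feed monitoring/alerting
# (the "accounting" in AAA and the continuous monitoring the text asks for).
AUDIT_LOG = []


def resolve_roles(groups):
    """Map asserted groups to gateway roles; unknown groups grant nothing."""
    return {GROUP_TO_ROLE[g] for g in groups if g in GROUP_TO_ROLE}


def authorize(session, resource):
    roles = resolve_roles(session.groups)
    # Union of everything the user's roles permit; empty set if no role matched.
    permitted = set().union(*(ROLE_RESOURCES[r] for r in roles))
    if resource not in permitted:
        decision = Decision(False, "not granted to roles %s" % sorted(roles))
    elif resource in PRIVILEGED_RESOURCES and not (
        session.device_managed and session.posture_ok
    ):
        decision = Decision(False, "privileged resource needs a managed, compliant device")
    else:
        decision = Decision(True, "allowed via roles %s" % sorted(roles))
    AUDIT_LOG.append((session.user, resource, decision.allowed, decision.reason))
    return decision


def denied_events(log=AUDIT_LOG):
    """Denials are the events a monitoring pipeline would alert on."""
    return [e for e in log if not e[2]]


if __name__ == "__main__":
    alice = Session("alice", ["CN=All-Staff"], True, True)
    bob = Session("bob", ["CN=All-Staff", "CN=IT-Admins"], False, True)
    for who, res in ((alice, "mail"), (alice, "erp"), (bob, "prod-ssh")):
        print(who.user, res, authorize(who, res))
    print("denials:", denied_events())
```

Note that the sysadmin on an unmanaged laptop is refused the production SSH jump host even though his role permits it: the role grants the entitlement, the device posture gates whether it can be exercised from that endpoint.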

Solidifying network edge security to enable remote access at scale

Business performance and user experience depend on direct access to content and applications from any location at any time. In cloud environments, security solutions need to handle high volumes of IPsec VPN traffic and potentially tens of thousands of simultaneous SSL-VPN sessions. That flexibility and scalability lets organisations meet their remote access needs without redesigning networks or security policies.

Because more remote users will access more applications, whether hosted on-site or delivered from the cloud, security solutions will need to terminate more VPN connections and move more data in both environments. Site-to-site VPN traffic will also grow as users access applications globally, which in turn increases traffic between application functions and modules across data centres and cloud regions. Security solutions must be chosen to meet the resulting encryption and decryption throughput requirements.

Building a high performance and scalable solution for remote access

Increased traffic will stress existing infrastructure and push its functionality to its limits; in such situations, spare performance headroom is valuable. The leading considerations when addressing increased remote access demand are:

IPsec aggregation: Some high-speed links need more throughput than a single cloud compute instance, or a single tunnel, can deliver, since one tunnel's traffic tends to be pinned to a single flow and processed by a single core. Organisations need a solution that can spread traffic evenly across multiple network interfaces as part of one logical IPsec tunnel to reach high site-to-site throughput. This matters most for high-volume encrypted communication between clouds and data centres, and it is most valuable when it can be achieved without a network redesign.

Scale-up vs. scale-out: VPN is a highly stateful technology (IKE and IPsec security associations, anti-replay windows, per-user SSL-VPN sessions), so spreading one service across many small instances introduces real challenges: state has to be replicated or traffic pinned to the instance that holds it, and a failover drops sessions. For large-scale VPN, the ability to scale up a single instance to the required traffic and user volume is therefore critical, and it lets an organisation respond to demand quickly by scaling to very large levels of user connectivity and traffic encryption.

High-performance security virtual machines (VMs), especially next-generation firewalls (NGFWs) used to terminate VPN connections, are essential for organisations connecting securely to a public cloud-based security services hub to reach applications in the cloud. The same hub lets them reach on-premises applications through the nearest cloud region and on to the private data centre, keeping data transfers between cloud and data centre fast in both directions.

Ciphers and CPU affinity: Cloud compute runs on general-purpose CPUs with no dedicated crypto offload; what is available is the processor's own instruction-set acceleration, for example AES-NI together with PCLMULQDQ for AES-GCM on x86. Choosing the right cipher for the job therefore dramatically affects the feasible performance and scale of a secure connectivity solution: an AEAD cipher matched to the instance's hardware acceleration runs several times faster than one executed in software. Key exchange (IKE and TLS handshakes) remains bound by asymmetric crypto regardless of the bulk cipher, which matters when tens of thousands of clients reconnect at once.
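As an added example, not code from the original article or any vendor product, the block below reads the feature flags a cloud instance reports in /proc/cpuinfo and derives VPN proposals from them. It shows the point above concretely: AES-GCM is only hardware-assisted when both the `aes` (AES-NI) and `pclmulqdq` (GHASH) flags are present, otherwise ChaCha20-Poly1305 is the better bulk cipher. The proposal strings use strongSwan's notation as an assumed target VPN stack, and the two cpuinfo excerpts are constructed sample data, not real hosts.

```python
"""Choose VPN ciphers from the CPU features of a cloud instance.

Added example, not part of the original article or any vendor product.
The proposal strings use strongSwan's notation as an assumed target; the
two /proc/cpuinfo excerpts are constructed sample data, not real hosts.
"""
import re

# Constructed sample: an x86 vCPU exposing AES-NI and carry-less multiply.
CPUINFO_WITH_AESNI = (
    "processor\t: 0\n"
    "model name\t: constructed sample x86-64 vCPU\n"
    "flags\t\t: fpu sse sse2 ssse3 sse4_1 sse4_2 pclmulqdq aes avx avx2 hypervisor\n"
)

# Constructed sample: an older or cheaper vCPU with no AES instructions.
CPUINFO_NO_AESNI = (
    "processor\t: 0\n"
    "model name\t: constructed sample legacy vCPU\n"
    "flags\t\t: fpu sse sse2 ssse3 sse4_1 hypervisor\n"
)


def cpu_flags(cpuinfo_text):
    """Return the feature flags of the first CPU entry in /proc/cpuinfo text."""
    m = re.search(r"^flags\s*:\s*(.*)$", cpuinfo_text, re.MULTILINE)
    return set(m.group(1).split()) if m else set()


def choose_aead(flags):
    """Pick the bulk (ESP / TLS record) cipher.

    AES-GCM is only fast when both halves are accelerated: AES-NI ('aes') for
    the block cipher and PCLMULQDQ ('pclmulqdq') for the GHASH tag. With one
    missing, the mode bottlenecks on the software half. ChaCha20-Poly1305 is
    integer-only and is the better choice when the hardware is absent.
    """
    if {"aes", "pclmulqdq"} <= flags:
        return "aes256gcm16", "AES-NI and PCLMULQDQ present: hardware-assisted AES-GCM"
    return "chacha20poly1305", "AES-GCM not fully accelerated: software AEAD"


def recommend(cpuinfo_text):
    """Build IKE and ESP proposals (strongSwan notation) for the given CPU."""
    cipher, why = choose_aead(cpu_flags(cpuinfo_text))
    # The key exchange is asymmetric-crypto bound whatever the AEAD; an ECP
    # group keeps per-tunnel setup cheap, which matters when tens of
    # thousands of clients reconnect at once after an outage.
    return {
        "ike": f"{cipher}-prfsha256-ecp256",
        "esp": f"{cipher}-ecp256",
        "reason": why,
    }


if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as fh:   # live check on a Linux host
            text = fh.read()
    except OSError:
        text = CPUINFO_WITH_AESNI           # fall back to the constructed sample
    print(recommend(text))
```

Run on a candidate instance type before committing to it: an instance family whose vCPUs lack `pclmulqdq` will look fine in a feature list yet deliver a fraction of the AES-GCM throughput of one that has it.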

Leverage existing investments to accelerate deployment and reduce costs

Addressing new or increased capacity requirements caused by a sudden surge in direct remote access to cloud-hosted applications, including SaaS services, can seem like a significant challenge. But by using the capabilities already present in their existing technology investments, organisations can often meet most of their requirements without significant additional overhead. Fine-tuning existing configurations and environments to address urgent, critical business requirements lets organisations quickly provision the lifeline needed to effectively and securely support a sudden increase in remote workers.
