
Enterprise mobile security in the cloud

By Stuart Hardy

Johannesburg, 25 Nov 2019

With major advancements in connectivity, mobile technology and network infrastructures, remote employee security has become more critical than ever. Companies are now allowing employees to work less in the office and more from distant locations, such as a home office, coffee shops, restaurants and hotels while working on the road.


What these companies now face is the growing challenge of replicating network security when users are outside their trusted network. In addition, each user with an Internet connection represents another unsecured Internet break-out point for the enterprise, which is a significant reason why network-based security appliances can no longer deal with the increasing threats in today’s mobile and cloud-first world.


More horsepower

Year on year, Internet threats have become more sophisticated, necessitating a barrage of security processes and technology to protect an organisation and its mobile users. Each additional process requires considerably more horsepower, suffocating our devices and, in most cases, rendering the mobile device virtually unusable.

One example of this is the processing power required in today’s world for SSL inspection. Almost 90% of all our Internet requests are SSL encrypted. The bad guys know this and target this blind spot, with the result that at least 50% of all malware hides in SSL sessions. This means that organisations can miss more than 50% of Internet-related threats by not enabling SSL inspection.

So why doesn’t everyone simply do SSL inspection? Well, adding a heavy process like SSL inspection on top of your existing security appliances generally means you need to add significantly more processing power to your current security stack. In fact, up to eight times more horsepower is required.

Implementing SSL inspection on a company’s network stack is challenging enough for most organisations, but trying to apply SSL inspection for users when they are sitting in an untrusted network is almost impossible. In this case, companies are either shirking their security duties by not providing the same level of security on remote devices as they would in the enterprise network, or they are trying to force users to connect back to the network via a remote VPN to ensure they get access to the network security appliances in their DC. While the latter seems viable, it’s clumsy: it doesn’t scale, it has a significant effect on Internet and application performance, and it carries a cost.

But SSL inspection is only one of several key network security processes that have become essential for mobile users. DLP, sandboxing, IPS, L7 firewalling, URL filtering, malware protection, advanced threat protection and several others are also critical. Most, if not all, are applied to users when they are inside the network, but few to none are available when they leave and connect to the Internet.

So how do companies solve this growing problem?

Digital business transformation inverts network and security service design patterns, shifting the focal point to the identity of the user and/or device – not the data centre. Security and risk management leaders need a converged cloud-delivered secure access service edge to address this shift.

Gartner

Gartner believes that if you are to address growing security requirements in a world where your users have left the network and your applications are being delivered from the cloud, you will need to shift from appliance-based network security to cloud security.

Read more about Gartner’s The Future of Network Security is in the Cloud report and download it here.

Cloud security, if executed correctly, can resolve many if not all of the growing challenges organisations have in securing their ever-growing mobile workforce. Especially important is the ability to apply the full security stack to all users anywhere, as today’s threat landscape requires, without compromising the user’s experience.

The main benefits cloud security offers organisations

The cloud effect: A significant benefit of cloud security is that cloud security vendors are able to see the traffic and associated threats of all their customers. As a result, they can instantaneously block newly arising (zero-day) threats for all customers in real time. Current appliance-based security solutions can take hours to deal with similar threats, as they are disconnected from a larger view.

Mobile security: Cloud security remains the only security architecture that delivers network-level security to mobile devices without compromising user experience.

In the diagram below the entire security stack has been moved to the cloud. As a result, the cloud security provider becomes an onramp to the Internet for the organisation and their users. All that’s left is to ensure that the branch and user traffic is also routed to the security cloud. For mobile users, agents are best practice and force all TCP and UDP requests to cloud security nodes via a DTLS/TLS tunnel.

The result is virtually no heavy security processing happening on the end-user machine, therefore maintaining a fast Internet and cloud application user experience, even when doing full SSL inspection, DLP and cloud sandbox.

Improved performance: True security clouds that are multi-tenant and built to deal with considerable scale and volume handle heavy security processes with ease. This ensures that when delivering a full security stack to network and mobile users, or small SD-WAN branches, performance will be optimal.

A prerequisite for speed and a great end-user experience is that your cloud security solution is based on a true global cloud footprint. This ensures that users can connect to the closest available node when travelling to remote locations, and get direct and local secure Internet breakout as if they were in the local network. Deploying a stack of security appliances or building a virtualised security solution in one DC does not constitute cloud.

Decentralised security (SD-WAN): SD-WAN presents an interesting and cost-effective network architecture for organisations with large branch footprints. However, as with mobile security, replicating the DC security stack at the branch Internet breakout is expensive, complex and resource intensive. This generally results in a scaled-down version of what you offer at your head office breakout, leaving you wondering what the point is. As with mobile devices (TLS), SD-WAN vendors integrate with cloud security vendors and direct all Internet requests via an IPsec or GRE tunnel back to your cloud security solution for processing – ensuring a full security stack and optimal performance. This also extends the lifetime of your SD-WAN appliance, as its only responsibility now is routing.

Cost efficiency: Cloud security scales well, not only when choosing features, but because it expands seamlessly to your branches and mobile users – allowing you to reduce the number of disparate solutions you have delivering security to your DC, branches and end-users. When leveraging cloud security in these three areas, it represents a 50% drop in the direct cost of delivering and managing security for your entire organisation. Management is also simplified through a single view of your security posture, from your branches, to users, to applications and to their devices – a full inventory of your digital footprint.

For more information, contact Stuart Hardy or go to www.zafrica.co
