By Scott Gordon, CISSP
CMO, Pulse Secure
Despite rapid growth of cloud services and SaaS apps, organizations are not giving up their data centers anytime soon. Why? Conventional on-premises deployments offer the complete control over applications, infrastructure, and resources required for business-critical and legacy applications as well as compliance with data protection regulations.
“The 2019 State of Enterprise Secure Access,” a recent research study conducted by IDC Connect and sponsored by Pulse Secure, found that 100% of enterprises surveyed have data centers and intend to keep them. Moreover, the 60% of enterprises that anticipate increasing their IT delivery investment over the next year will allocate between 20% and 42% of that budget to the data center.
That means the notion of the “network perimeter” being a thing of the past is quite wrong.
Hybrid IT brings new security challenges
At the same time, all 300 companies surveyed are adding some form of cloud to their infrastructure mix. The combination of data center with public cloud, including SaaS services, is most prevalent at 44%, with 30% operating data centers with private cloud capabilities and 26% combining all three delivery methods for a hybrid IT multi-cloud approach.
The result is a hybrid IT model that brings new challenges around data protection and security. Employing a Zero Trust model for secure access that incorporates software-defined perimeter technology is one alternative to consider.
Defending an expanded perimeter with access security
With hybrid IT and multi-cloud use, the network perimeter becomes more porous and elastic – and a point of vulnerability requiring a security approach that expands on the traditional defense of the data center perimeter. That’s not to say that the data center perimeter no longer exists. Instead, it’s more important than ever as companies reserve on-premises deployments for sensitive data and business applications. The challenge, acknowledged by 44% of survey respondents, is to not end up with a fragmented approach that results in less visibility and control rather than more.
In fact, the more complex, dynamic and distributed the hybrid IT environment, the greater the need to improve access security capabilities. This is reflected in the study by interest in initiatives to refine privileged user and service account access management (42%), and to automate provisioning of access to the applications, networks, systems and data that make up a hybrid IT workload (42%). Enabling consistent access control across hybrid IT environments (39%) was also cited as a top interest among respondents.
Applying zero trust principles and software-defined perimeter technology to secure access
Companies are now applying two newer approaches, the Zero Trust model and software-defined perimeter (SDP) technology, to the challenge of protecting data in the hybrid IT and multi-cloud world. Firewalls, virtual private networks (VPNs), network access control (NAC) and cloud access security brokers (CASBs) continue to provide role-based and segmented access to network resources; on top of these, the security industry has been adopting a zero trust model to mitigate malware, attack, breach and data leakage risks.
A Zero Trust model, which Forrester Research predicts will become the de facto standard in the U.S. by 2020, applies authentication, authorization and verification controls to users, devices, applications and network resources. It is about proving identity, location, device and security state both before and after access is granted, with access scoped by least privilege to applications and resources in the data center and the cloud.
Interest in software-defined perimeter (SDP) technologies for multi-cloud access is clearly growing. SDP brokers a protected connection directly from the user and their device to the specific application or resource they are entitled to, rather than placing the device on a network segment; resources stay unreachable to anyone who has not first authenticated. Like perimeter-based VPN technology, SDP invokes user, device and security state authentication controls before and during an authorized, protected connection. When asked to what extent their organizations anticipate implementing SDP technologies, more than half of respondents indicated they will begin or pilot an SDP project within the next 18 months; an additional 24% said they anticipate plans in the future.
What to look for in secure access solutions
As enterprises look for ways to augment perimeter-based access security with zero trust and SDP to protect hybrid IT and multi-cloud environments, visibility and integration were among the characteristics survey respondents most wanted. Consistent with that, over 90% of respondents said they plan to increase their secure access technology expenditure.
In evaluating options available in the marketplace, look for SDP-enabled, zero trust secure access solutions that offer:
- A dual-mode VPN and SDP architecture that integrates the two complementary approaches, giving single-pane-of-glass secure access management and operational visibility across public cloud, private cloud and data center resources.
- Multi-factor authentication and authorization options, so that users, their devices and the applications they access are verified before the session starts and continuously while it lasts.
- Uniform policy management across both technologies, so that connections are provisioned consistently and configuration errors are reduced.
- Granular, stateful access enforcement that aligns business and compliance requirements with on-demand, application-level access from any location and from the user's preferred device.
- A seamless user experience with easy access options, including web portal, application-activated, SSO and captive portal.
- Access responsiveness through separation of the data and control planes, for scalability and faster application delivery.
- Deployment flexibility to move or extend the implementation on premises and across private and public cloud.
Poor access authorization (46%) and weak protection of resource access (45%) through lax authentication and encryption are among the prominent factors contributing to security incidents affecting organizations today. This strongly suggests that now is the time to re-assess access security for hybrid IT in order to prevent exposures and mitigate risks.