Remote work requires a rethink of your edge security strategy

Or Katz Akamai, Principal Lead Security Researcher

Because of changes in how your employees and customers access your applications, the network perimeter is now defined from the outside in, not the inside out. In other words, access to applications and services usually starts from users and devices located outside of traditional on-premises network perimeters.

Factors driving these changes include new business models that require remote access, the adoption of distributed edge computing services, and the response to an evolving threat landscape. This has become even more evident this year, as enterprises react to COVID-19 workplace guidelines and execute adaptive access and business continuity plans to allow remote work.

This requires a new approach for your defensive security strategy at the edge. This new approach needs to be easy to adopt and integrate, must focus on the connected entity and its security posture, and should consider threat signals that allow risk-based actionable protection and permit autonomous, adaptive access capabilities.

Here's why.

Home-based access is inherently more risky

One of the byproducts of remote connectivity in the past year has been to allow more access from relatively new device types such as mobile phones and tablets. While this undoubtedly helps improve workforce productivity, it also introduces more risk, since those devices are known to be less secure and more vulnerable.

In fact, home access changes users' habits, according to Akamai research that was released in May 2020. Previously, the remote device may have connected to corporate applications and services. But these days, that device is also being used to connect more frequently to consumer-based activities and to apps such as streaming services, gaming, and social networking.

The change in browsing habits also leads to the device being exposed and vulnerable to more threats. As this graph shows, the increase in connecting from home resulted in changes to users' browsing habits.

Malware-associated traffic skyrocketed with the shift to remote work. Source: Akamai

Working from home leads to an increase of nearly four times more access to malware-associated websites and an increase in the risk that those connected devices will be compromised.

A new security approach

As the boundaries of enterprise networks continue to change and a new model of distributed remote-connectivity architecture that allows intelligent access takes its place, you need to consider a new form of defensive strategy as well. 

You need a new strategy that enhances those already in place and introduces another layer of defense that includes the following three key components: data and indicators, risk-based signals and entities, and protective actions. These components take into account the gaps and challenges of protecting remotely connected users.

The tension between usability and security needs to be balanced to provide a controlled environment and ensure a successful business.

The core concept behind being able to react to observed signals is to give more time to security teams to dig into the root cause of abnormal and risky behavior. Therefore, you should consider correlating signals with tools such as security information and event management (SIEM) to allow more accurate decision making.

When considered together and incorporated into a signal-based risk score, these signals may determine that protective action is required.

Combine your approaches

The defensive strategy needs to combine both deterministic and nondeterministic actions that will be used based on the level of risk associated with the devices and users. The strategy should also be able to adapt and change the action based on a change in the risk level.

Actions should use your remote accessibility infrastructure to be able to reduce risk by shrinking the attack surface or limiting access functionality. Those kinds of actions will ensure that user access is still allowed, but limited, to address the risk involved and reduce potential damage.

While nondeterministic actions like these are important, deterministic actions—such as isolating or blocking any access from risky, remotely connected devices—are also a valuable part of your security strategy.

The trade-off between security and usability is subject to each enterprise's policies and its sensitivity to security risks. Adaptive access, which changes based on the risk associated with the connected user and device as derived from risk signals, is another essential piece. This reduces the overhead of managing users, devices, and protective actions while adding another layer of defense.

Keep your ultimate target in mind

The goal in adopting this new architecture is to reduce security risk. One of the key principles in a defensive edge strategy is a continuous authentication mechanism (as opposed to one-time authentication).

A defensive edge strategy will minimize the attack surface, since in this model the connectivity is to a specific enterprise application, and not to the entire network. This is in contrast to traditional access solutions such as a VPN, which give the connected user access to the entire enterprise network and thereby allow for the potential of lateral movement of an attack across the network.

Enterprises' perimeters and connectivity locations are constantly changing; as a result, users' hygiene and browsing habits are as well, so the defensive strategy also needs to change. Such change needs to reflect an ability to add a new layer of defense that puts more focus on connected users and devices. Evaluate the risk associated with users' connectivity, and allow for a flexible and adaptive defensive strategy.

Read more articles about: SecurityIdentity & Access Management

More from Identity & Access Management