Due to the radical change in the way we work in IT caused by COVID-19, communications and IT professionals and administrators have been forced to implement or improve necessary mechanisms to ensure security in corporate environments while maintaining their availability for users working from home or anywhere.
There are a variety of mechanisms that help to achieve the objective – some new, others well-known, and others that combine new technologies with old concepts: VPN, ZTNA and SDP.
VPNs (Virtual Private Networks) are mechanisms that allow users located on one network to access another network, or specific network resources, in geographically separate locations across an uncontrolled environment (usually the Internet). They are built on the traditional IPsec- and SSL-based VPN protocols or on the newer WireGuard protocol. All of them authenticate users and devices and guarantee them access to remote network resources from any location. They use encrypted communications, and although the goal is remote user access, the same mechanism is also valid for local users.
Once the user has been validated at the VPN gateway, the gateway grants them full access to the network behind it.
The ZTNA (Zero Trust Network Access) concept starts from the premise that all users and devices (whether internal or external) are untrusted and initially have no access to any resource. With ZTNA, a “controller” validates a user and device and informs a “gateway” that this user and device have permission to access a resource, which is no longer a network but an application. Access is limited to the application for which it was requested. If access to several applications is needed, separate authentications may be required even though the applications sit on the same network. Validation is also continuous: if it fails at any time, the gateway closes access to the resource.
In this scheme the resources are behind gateways, but the gateways do not validate users themselves; external users only “see” the controller. Because the resources are hidden, it is harder for an attacker to find and attack them.
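As an added illustration, not code from the original article or any product it describes: a simplified model of the controller/gateway split explained above, with constructed users, devices and applications. It shows that a grant covers one application only, that a second application needs its own validation, and that a device falling out of compliance closes every session the gateway holds for it.

```python
class Controller:
    """Validates the user and the device posture and issues per-application grants."""
    def __init__(self, policy, device_posture, ttl=30):
        self.policy = policy            # set of (user, app) pairs the policy allows
        self.posture = device_posture   # device -> True while it is compliant
        self.ttl = ttl                  # seconds a grant lives before it must be renewed

    def validate(self, user, device, app, now):
        """Return the grant's expiry time, or None when user, device or app is not allowed."""
        if (user, app) not in self.policy or not self.posture.get(device, False):
            return None
        return now + self.ttl


class Gateway:
    """Fronts the applications; only sessions backed by a live grant get through."""
    def __init__(self, controller):
        self.controller = controller
        self.sessions = {}              # (user, device, app) -> grant expiry

    def connect(self, user, device, app, now):
        expires = self.controller.validate(user, device, app, now)
        if expires is None:
            return "denied"
        self.sessions[(user, device, app)] = expires
        return "connected"

    def recheck(self, now):
        """Continuous validation: close sessions whose grant expired or no longer validates."""
        closed = []
        for key, expires in list(self.sessions.items()):
            if now >= expires or self.controller.validate(*key, now) is None:
                closed.append(key)
                del self.sessions[key]
        return sorted(closed)


def demo():
    """Walk through the scenario described in the text, with constructed users and apps."""
    ctl = Controller(policy={("alice", "crm"), ("alice", "wiki")}, device_posture={"laptop-1": True})
    gw = Gateway(ctl)
    r1 = gw.connect("alice", "laptop-1", "crm", now=0)      # connected
    r2 = gw.connect("alice", "laptop-1", "payroll", now=0)  # denied: a grant covers one app only
    r3 = gw.connect("alice", "laptop-1", "wiki", now=0)     # connected, but a separate validation
    ctl.posture["laptop-1"] = False                          # the device falls out of compliance
    closed = gw.recheck(now=1)                               # both sessions are closed
    return r1, r2, r3, closed
```

Contrast this with the VPN model above, where one successful validation at the gateway opens the whole network behind it rather than a single application.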
The concept of SDP (Software Defined Perimeter) can encompass both previous approaches. SDP is a mechanism that allows you to deploy one or more security environments that can behave like a traditional VPN perimeter or as a ZTNA-type environment, defining how each user accesses each type of resource. It also allows you to define each access in a simple way without needing detailed knowledge of each configured element, mechanism or technology, providing an abstraction layer between the administrator and the network elements with a data model easily assimilated by IT administrators.
To achieve this degree of simplicity, one objective is to ensure that both the configuration and the consumption of resources can be done from a browser alone. This avoids installing extra software and allows these tasks to be performed from any location and on any type of device (BYOD), while maintaining the same levels of security and availability.
Implementation, deployment and use
Regardless of the chosen mechanism, there are several factors in these environments to be borne in mind and which we cannot lose sight of if we want to achieve our goals:
- Information security. End-to-end communications need to be encrypted.
- Information availability. User access to data needs to be ensured.
- Ease of use for users. Increasing ease of use for users can, over time, help lessen IT managers’ workloads in maintaining the first two points.
- Independence from location, both of the user (and, where possible, the administrator) and of the information or application.
Our goal as communications professionals is to give our customers the tools and mechanisms needed to provide these elements. This means developing and using innovative technologies adapted to today’s needs.