Published: March 17, 2020

Authors of this Market Insight report: Scott Crawford, Garrett Bekker, Eric Hanselman, Fernando Montenegro and Dan Kennedy.

Introduction

In the last few days, an inflection point was reached in the worldwide outbreak of COVID-19 disease spread by novel coronavirus. The World Health Organization (WHO) has declared it a pandemic, and enough data has emerged from models to compel leaders in both the public and private sectors to recommend policies and practices to mitigate its spread.

The impact of this outbreak, and the sudden and radical shift in the nature of the workplace it is precipitating, has decided implications for security across the board. In this and subsequent reports, we will examine the role of technology in dealing with the emerging pandemic, and how it can help organizations cope with the crisis.

The 451 Take

While telecommuting and remote work have become increasingly common with the growth of cloud and mobile computing, many segments of society are largely unprepared to handle mass numbers of people working from home or attending virtual classrooms. 451 Research previously discussed the role of workforce productivity and collaboration tools poised to meet suddenly increased demand, but the scramble to deliver on this need could highlight existing cybersecurity risks that were, until now, much lower on priority lists of overworked security teams. Organizations should be aware of the technologies and vendors that have emerged in recent years that make this prospect more tenable for firms and their employees by providing methods for securing remote access. In this report, we will examine some of those new technologies and consider the additional security implications of a massive, unprecedented and possibly extended move to remote working.


Identity and Access Management: Expanding the User Population at Scale

Most organizations already have identity and access management in place for authentication, authorization and single sign-on to enterprise resources. With the potential for dramatically increased remote access, not just to enterprise IT but to a new range of SaaS applications and cloud services to meet demand, IAM may be stretched and organizations will have to consider alternatives to scale the enrollment of large numbers of new or expanded teleworkers.

Identity-as-a-service (IDaaS) vendors represent the IAM market segment aligned not only with SaaS, but also with the scale required to reach millions of users and endpoints regardless of location. Recent 451 Research reports on IAM include Microsoft's latest initiatives, as well as those of IDaaS vendors Okta, IBM, Idaptive, OneLogin and Ping Identity. Authentication vendors, meanwhile, expand the range of resources available to validate users and manage them at scale, while newer approaches to authorization can help enforce access policies. Vendors covered in our recent reports include authentication providers Auth0, Entrust Datacard, Plurilock, Preempt Security, SecureAuth and Silverfort, as well as authorization vendors Axiomatics and PlainID.

Another recent initiative in access management is the concept of 'zero trust.' In simple terms, the zero-trust approach to security does away with the notion of a hardened perimeter that separates 'trusted insiders' from 'untrusted outsiders.' In this new model, nothing is assumed to be trusted and access to resources is based more on who you are rather than where you are – in other words, what you are allowed to access is based more on your identity and role than what network you happen to be on, as has been the case historically. This approach predicates access on factors that can be demonstrated to the satisfaction of the relying party, without having to trust that whoever wields a password, for example, is the legitimate user (when it may be an attacker who has stolen or otherwise compromised that user's credentials). Multiple attributes, such as source network, IP address, the combination of attributes of the user (such as biometric authentication) and recognized device (such as verifiable hardware and software complement), the network context from which access is sought, and others, can be factored into technologies that make access more reliable and more transparent. Examples of activity in this realm include Cisco's 2018 acquisition of Duo Security, known for its implementation of Google's BeyondCorp zero-trust concept as well as for more user-friendly two-factor authentication, at the time the largest transaction in infosec at $2.4bn.

Zero trust embraces more than access control, however. One of the domains it has affected most visibly is the means of access itself.

Making Remote Connections: From VPNs to Software-defined Approaches

The expansion of a remote workforce means increased need for network connectivity. Virtual private networks (VPNs) have long been the historical anchor for meeting this need. Simply put, VPNs provide an encrypted 'tunnel' that allows remote users to securely connect to corporate networks over the public internet, which is largely unsecured. VPNs also have often been, until now, sized to support a limited number of users, such as IT teams performing administration or a select number of roaming employees. VPNs have been a staple of network security for over two decades, but they certainly have their limitations. From a security perspective, VPNs can provide wide access to entire network segments, in the process often allowing users to access more than they typically require to do their jobs. When this access is exploited, adversaries may find themselves on very flat networks. This may minimize friction for remote workers, but it can also substantially increase the target surface accessible to an attacker. VPNs also typically require issuing and installing VPN client software, which can be a challenge to roll out to employees as well as business partners.

An unprecedented volume of employees working from home could place enormous strains on many firms' remote access infrastructure, which could have both positive and negative effects on the VPN market. On one hand, as was the case during 9/11, many New York-based firms ordered massive amounts of new VPN appliances to support hundreds of thousands of workers who were forced to work remotely for lengthy periods of time. However, sustained reliance on VPNs can also expose their limitations, and perhaps force firms to rethink their long-term remote access plans.

More recently, software-defined perimeter solutions have emerged as a viable alternative to VPNs. Simply put, SDP enables secure remote access to any application, regardless of where it might be located, without requiring VPN hardware appliances or client software. Furthermore, because of their programmability, they are particularly amenable to integration with zero-trust implementations in the sense that they can provide granular access to only those resources the user is entitled, not an entire network segment. This helps deliver access control as finely grained as the more modern approaches to authentication and authorization that zero-trust initiatives often embrace – a key factor when a move toward wholesale connectivity highlights the need for greater granularity in discriminating appropriate access. There are various architectural approaches to SDP, as well as to zero trust, which we have chronicled in a series of reports.

We have also published individual reports on numerous SDP vendors, including Cloudflare, Perimeter81, Banyan, Odo Security, CyberArk (Alero), Cyxtera, OPAQ and Pulse Secure. Established security vendors with SDP offerings or that directly address zero-trust principles include Cisco (Duo), Zscaler (Zscaler Private Access), Akamai, Google (Context Aware Access) and Microsoft (Conditional Access). There has also been considerable SDP-related M&A in the past few years beyond Cisco's pickup of Duo, including Meta Networks (acquired by Proofpoint), Luminate (acquired by Symantec/Broadcom), Vidder (acquired by Verizon) and ScaleFT (acquired by Okta). Other upstart SDP firms include Strongdm, Zentera and Safe-T.

SASE comes of Age?

The strains that organizations are feeling with regard to scaling remote working are among the issues that the newly monikered Secure Access Service Edge vendors have been identifying as addressable. The SASE approach of using cloud-native architecture to disperse security controls for performance and scale has the potential to do far more than the VPN gateway approach could achieve. In building on the ideas of zero trust and tightening the software-defined perimeter, it can deal with one of the larger risks in remote work – that remote workers will bypass security controls that make it harder to do their jobs. A surge of new users could reduce performance in fixed-capacity gateways, motivating users to seek alternatives. If users fall back to direct connections to SaaS applications, a host of protections will be lost.

This is another area where user security education is misaligned with the current crisis. They've been told not to trust the Wi-Fi at the coffee shop, but they will now be connecting through their home wireless networks since the coffee shops are all closed. Their access points are much less likely to have the latest firmware versions, but they're in a situation that they're much more likely to imbue with higher levels of trust. Going directly to a SaaS application could seem safe, when they're unable to understand the risks from compromised or malicious neighbors. SASE technologies could offer performance benefits that could keep them satisfied within corporate controls.

There is inertia for organizations to overcome in getting to SASE. It's a change in mindset and operations, but one that should reduce operational burdens in the long term, if done properly. The question is whether organizations currently in a reactive mode can make those strategic choices. There is much more to come in this sphere.

At the Endpoint

All that remote access doesn't happen by magic, of course. There's still an endpoint at the end of that VPN tunnel or SDP connection. This brings considerations of endpoint security into the fold: How secure is that endpoint? How does that endpoint protect itself without the benefit of the corporate network perimeters that we've built over the years? As the workforce moves to work from home, all of those defenses are back at corporate HQ, but the users are not. Organizations will have to assure that the policies that secure workers within the enterprise network extend to these devices, wherever they may be found.

A multitude of endpoint-centric security questions arise. For a user now connected through a VPN or SDP, what are the implications for the telemetry being captured by EDR? Not only do IP addresses potentially change, but is there sufficient network capacity – bandwidth, low latency and so on – for extracting data from the devices? What about backups, software licensing, patch management and privilege account management? All these questions must now be considered in a scenario where remote users can't stop by the helpdesk department or representative for assistance.

Beyond the Crisis

One of the implications of significantly increased remote work is the possibility that some employees will want these arrangements to become long-term, if not permanent. Those who had previously been attached to an office may find that, not only is the remote experience satisfactory, they may prefer it to coming into the office or that they no longer want to surrender the hours lost to commuting. Organizations may realize that deltas in productivity, if any, do not justify the maintenance of existing commercial real estate. This could have long-term implications not only for the market of remote access solutions, but for the market of technologies and services that secure that access, as well.

That outcome, however, depends greatly on how vendors of these technologies and their customers fare in one of the most far-reaching compulsory remote-work stress tests ever attempted. Organizations are likely to embrace more SaaS and cloud services, for example, across a wider range of offerings than ever before. Historically, flat access to the legacy enterprise via VPN gave organizations a single choke point for defining and enforcing secure access. A wide and varied range of services to which users can connect directly, through secured channels with no need for VPN, could significantly complicate security policy definition and management. Could the new variety of SaaS breathe new life into the market of cloud access security brokers (currently implemented at 14% of enterprises per recent Voice of the Enterprise: Information Security research)? Could an uptick in adoption of multiple cloud services introduce a new opportunity for cloud security posture management? Could a failure of zero-trust initiatives to perform at scale under these new demands force organizations to look at VPNs with fresh eyes? Alternatively, could problems in existing access drive new adoption of zero-trust approaches, currently implemented at approximately 18% of enterprises?

Beyond Access

These topics only touch on aspects of secure remote access. Other security considerations enter into play. How, for example, can organizations monitor this access to assure that, once it's granted, it isn't abused or doesn't introduce malicious activity? What about the access needed to support these new IT demands? Can we make it more possible for IT support workers to get off-site and out of the datacenter to reduce their infection risk, too? How can organizations combat the likely attempts to exploit anxiety over the crisis to induce people to execute attacks unwittingly? We will address these and other aspects that challenge the security of dramatically expanded remote work in further reports.

Daniel Kennedy
Research Director, Voice of the Enterprise: Information Security

Daniel Kennedy is responsible for managing all phases of the research process. He is an experienced information security professional who has written for both Forbes online and Ziff Davis, has provided commentary to numerous news outlets including The New York Times and The Wall Street Journal, and his personal blog Praetorian Prefect was recognized as one of the top five technical blogs in information security by the RSA 2010 Conference.

Jeremy Korn
Research Associate

Jeremy Korn is a Research Associate at 451 Research. He graduated from Brown University with a BA in Biology and East Asian Studies and received a MA in East Asian Studies from Harvard University, where he employed quantitative and qualitative methodologies to study the Chinese film industry.

Aaron Sherrill
Senior Analyst

Aaron Sherrill is a Senior Analyst for 451 Research covering emerging trends, innovation and disruption in the Managed Services and Managed Security Services sectors. Aaron has 20+ years of experience across several industries including serving in IT management for the Federal Bureau of Investigation.

Want to read more? Request a trial now.