The Remote Worker Question
Remote workers are a challenge for organisations, which is strange considering they have existed for a very long time. I have been in and around cyber security for over 21 years and the quandary that remote workers pose has never really changed.
At its heart, it seems a simple question really. How do my employees continue to work whilst not physically in the office? There are many benefits to having a distributed workforce, but benefits aside, the question remains the same.
The first instances I came upon were dial-up modems where employees dialled into the office connection to gain access to systems they needed.
This then morphed into VPN connections as the internet became more prevalent, and organisations had to adapt and adopt technologies such as VPN concentrators to accommodate their users. As bandwidths increased at home faster than they increased in datacentre locations, decisions had to be made on what should traverse these VPNs, so split tunnelling became a necessity to stop users consuming precious bandwidth with their web browsing for non-work purposes.
This change caused another issue though; we lost sight of what our users were accessing outside of our VPNs. Visibility aside, this caused a security headache because we had no power to stop our users from visiting websites and services that could compromise their devices, and ultimately our organisation.
Web Proxy Woes
This is where cloud web proxy servers came in to try to fix the situation. Web proxies were often used internally at organisations to provide a level of web-based filtering and security; here they were instead provided as a service, so your remote users could still have a level of filtering and control applied by redirecting their traffic to the vendor’s datacentre.
Quite often, this resulted in poor performance for the end users, and management headaches for the security engineers looking after the solution. It worked mostly but was a non-stop source of friction for our remote users.
This solution was the best the industry was able to achieve for several years, but it was a constant battle of available bandwidth vs the number of users and security concerns affecting what type of solution each organisation was able to support.
This is where we see SASE (Secure Access Service Edge) products enter the market. SASE, in simple terms, is where you tunnel all of a user’s traffic to a vendor’s solution, to achieve the level of access and control that we would have if a user were on premises. This can also be extended to your physical sites, giving a more consistent experience no matter the location of the end user.
We generally saw this come in two types. The first was to tunnel a user’s web traffic to the solution and then publish a set of applications they can reach within your datacentre. The second was to tunnel all of a user’s traffic via a VPN to a central point, and then have that central point break out to the internet or tunnel back to your organisation and make everything available as if they were on site.
These solutions have been dominant in the market for quite a few years now as they have provided the best experience for users, whilst still giving organisations control, visibility and security.
The industry is backing the SASE market heavily right now, and for good reason. It does provide a good balance between security, availability and usability for our end users and lets us extend the perimeter of trusted networks into these solutions.
But it belies the true question we started off asking: How do my employees continue to work whilst not physically in the office? We have gotten used to layering solution on top of solution in a constant battle of buzzwords and technical prowess, which is masking that initial simple question.
We don’t WANT to tunnel our users back to our site if we don’t need to. I don’t want to proxy traffic because of the headaches it causes. Why do I need to push all of my users’ traffic via someone else’s datacentre and then pay extra for doing so? Maybe it makes sense when most of your traffic is coming back to your datacentre, but this has been changing for many years and the ever-increasing number of SaaS services ensures that it will continue.
The current state
With the rise of SaaS services consuming most of the market, the amount of traffic that needs to come back to datacentre environments is constantly shrinking. So why are we continuing to tunnel all of a user’s traffic to a central datacentre, not under our control?
We don’t want to tunnel web traffic anywhere, but we do so because we want to maintain a level of control over what they can view for security and policy reasons. So why continue to do it?
SEP2 has been working in this industry for 7 years as a business, but our founders and many of our senior leaders have seen this journey the same as I have. We know that an organisation doesn’t want to do any of the above, but has to in order to maintain the control that is required.
When we were introduced to an enterprise browser called Island, we were immediately on board. The browser is as close to a user as we can possibly get in most scenarios, so why not apply security at this point? We were tunnelling traffic to a central point and then interfering with it via SSL decryption and deep packet inspection to see what that traffic was actually doing; not because we wanted to, but because we had to.
Why not take all that filtering, visibility, and connectivity that we have been attempting for years to move away from a central office and put it directly in front of the user without them even noticing? No more unnecessary tunnelling, just users getting directly where they want to be whilst still maintaining more visibility and control than ever before.
This is a new and exciting solution that is only just starting to make waves, but the more you hear about it, the more sense it makes and the more questions you raise on previous attempts to do the same.
I’ve only scratched the surface here in mentioning the capabilities of what we can do when we are that close to a user’s actions (real-time DLP and confidential masking, anyone?), but if you are considering or re-evaluating how your remote workforce is empowered to do what you want them to do, I believe this is really what the industry has been seeking for all these years.
If you want to know more, please reach out to me or your SEP2 account manager to find out why we think this is truly what your remote workforce deserves.