Before we discuss remote access for Office 365 for the Department of Defense, it’s important to look at how remote access has shifted this last year and the security challenges surrounding remote workforces. Earlier this year, we worked with Cybersecurity Insiders on the 2020 Remote Work From Home Cybersecurity Report, surveying more than 400 cybersecurity decision makers on how their enterprises are responding to accelerated WFH adoption during the COVID-19 pandemic, key challenges, concerns, strategies, and anticipated outcomes. Accelerated work-from-home initiatives have increased security challenges, and the report highlights them.
Some top security challenges revealed in the report are:
- 59% of survey respondents say user awareness and training is a main concern
- 56% of survey respondents are concerned with users accessing resources through home or unsecure public networks
- 43% of survey respondents are concerned with the use of personal devices/BYOD
Applications: To Share Publicly or Not to Share, That is the Question
Remote work has not spared application security either. The number one security concern related to work applications used by remote workers is file sharing. What is riskier than downloading files only to then share them over public forums, making sensitive data public and accessible to anyone? Second in line are web-based applications. These applications access sensitive data behind a web app, and the application itself is not secured. Threat actors then have easy access via public portals and public proxies.
This is where compliant application access comes in: the process of giving people access to an application in a compliant way, where a specific set of requirements needs to be assessed and then met. The first thing to come to mind is BYOD. The challenges that surround BYOD start with being able to identify that endpoint and making sure that endpoint meets the corporate security requirements while also doing security checks.
Remember the basics and drive it home
There are certain security practices that should always be in place, especially when faced with unexpected circumstances. Emergency remote access readiness plans should be developed around these security practices.
- Least privileged access connectivity: authenticated users should only be given authorized access to resources they absolutely need to perform their duties and nothing more
- Consistent policy implementations: centralized policy management ensures consistency across global implementations, making it easier to troubleshoot and manage devices
- Single sign-on: SSO for users to avoid querying them multiple times for credentials and to prevent out-of-sync credentials
A real-world example: Department of Defense
Let’s look at the specific application Office 365 and remote access for the Department of Defense. Initially, this implementation used a full L3 tunnel. What’s the problem with this? Traffic and communication to the O365 implementation is hairpinned off the DoD network, where the O365 implementation only accepts authentication from one of two IP addresses. Those two IP addresses belong to the Department of Defense, and users could only log into O365 if they came from a DoD network.
Hairpinning all that traffic over an L3 VPN tunnel makes it extremely difficult to scale and slows down user performance. So, the question becomes, how can we make this more scalable and enable a better user experience? Still using the Pulse Connect Secure Gateway with Pulse Client on the endpoint, a layer four application-based tunnel can be created.
The client can directly “access” the DoD Office 365 URL, where it gets redirected to the Pulse Connect Secure gateway, which collects user information, completes an endpoint posture check, performs stateful endpoint security checks, and collects the user’s credentials. This process meets all the security requirements of the DoD while avoiding hairpinning off the DoD network, with an overall better user experience.
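The checks described above can be modeled as a default-deny decision, shown here as an added example that is not Pulse Secure or DoD code. The role names, app names, posture attributes and addresses are constructed, and treating the two allowlisted addresses as the gateway's own is an assumption.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample policy (documentation address ranges, hypothetical names).
# Assumption: the two addresses the application accepts sign-ins from are the
# gateway's egress addresses.
ALLOWED_SIGNIN_SOURCES = [ip_network("192.0.2.10/32"), ip_network("192.0.2.11/32")]
POSTURE_REQUIRED = {"disk_encrypted", "av_running", "os_patched"}
ENTITLEMENTS = {  # least privilege: each role lists only the apps it needs
    "analyst": {"o365-mail", "o365-sharepoint"},
    "contractor": {"o365-mail"},
}

@dataclass
class Request:
    user: str
    role: str
    authenticated: bool
    device_id: Optional[str]  # None when the endpoint cannot be identified
    posture: set              # posture attributes reported by the client
    app: str

def gateway_decision(req):
    """Run every check in order; any failure denies, and only a full pass allows."""
    if not req.device_id:
        return (False, "unidentified endpoint")
    missing = POSTURE_REQUIRED - req.posture
    if missing:
        return (False, "posture failed: " + ", ".join(sorted(missing)))
    if not req.authenticated:
        return (False, "user not authenticated")
    if req.app not in ENTITLEMENTS.get(req.role, set()):
        return (False, "app not entitled for role")
    return (True, "allow")

def tenant_accepts_signin(source_ip):
    """Application-side rule: accept sign-ins only from the allowlisted addresses."""
    addr = ip_address(source_ip)
    return any(addr in net for net in ALLOWED_SIGNIN_SOURCES)

if __name__ == "__main__":
    byod = Request("bob", "contractor", True, "dev-002", {"av_running"}, "o365-mail")
    print(gateway_decision(byod))               # denied: two posture items missing
    print(tenant_accepts_signin("203.0.113.7"))  # direct sign-in from a home network
```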
Larger Implications of Direct Connectivity
In an ideal world, users have no idea of the type of security that is happening in the background as they access corporate resources and applications. In looking at the DoD example, the same basic parameters are implemented with a software-defined perimeter (SDP), where the SDP architecture gives direct device-to-application trusted connectivity. All security is done in the background as endpoints and users are validated, helping to ensure the user is accessing the appropriate application. SDP does not care where the application lives. It only cares about authenticated and authorized access.
Pulse Secure has had a long and proud history with the Department of Defense. We have well over 24,000 enterprise customers connecting over 21 million endpoint users on a daily basis to our solutions, giving them access to corporate resources. As we look to 2021 and to the future of how organizations work, whether remotely or in an office, just remember that we are in the business of Secure Access and your security never has to take the backseat.