Secure Access Challenges for the Modern Enterprise

Today’s modern world needs modern solutions to keep up with the pace of change. More than ever before, this year has made it a priority for enterprises to evolve to meet the needs of remote workers, contractors, and 3rd party partners needing to connect to the apps and resources required to get work done. Enterprises were already going through a massive digital transformation when the pandemic shut downs sent everyone to work remote. This is the year when the old VPN couldn’t keep up with demand, VDI traffic spiked to never before seen levels, and thousands of new remote desktops became the frontier for a rush of new security exploits.

The Problem

Modern Requirements

Organizations need a better way to securely connect users to apps and resources. This is no small task for an enterprise that often has more than 250 different company sanctioned applications in regular use. It is common for a modern enterprise to need secure user access for resources across on-premises data centers, private cloud, and public cloud including access for:

• Email, messaging, file transfer, web apps
• Thick client apps
• VOIP, video, peer-to-peer apps
• Remote desktops
• Databases
• Admin logins
• Developer resources
• Public SaaS & IaaS

A typical enterprise also has to provide secure access to different types of users and a range of devices, including:

• Employees with company laptops
• Employees working from their own devices (BYOD)
• Supply chain vendors and partners with 3rd party owned devices
• Contractors and consultants who may or may not have company issued devices
• Employees of acquired companies and subsidiaries
• Temporary users with their own devices
• Development teams
• Privileged users and administrators

With so many different types of applications, devices, and users that need secure access, organizations are hard pressed to find a simple way to solve for all their use cases. And remember, they still need to secure the enterprise against attacks. As a result, many companies have resorted to using multiple solutions, ending up with a complicated and fractured approach spread across multiple teams — IT Security, Networking, Infrastructure, Identity, and Cloud.

Old Methods

The VPN

The VPN is the most common default method for granting secure access to applications and resources. This is too bad. It is decades old technology. No one likes the VPN. Let me count the ways:

1. Users find it inconvenient to navigate and it is especially bad for organizations with lots of acquisitions as you can only be on one VPN at a time.
2. VPNs are expensive to scale and complicated to deploy, a problem many companies dealt with this year when their VPN’s overloaded with a suddenly all remote workforce.
3. VPNs are very inefficient for cloud. No one likes the idea of tunneling remote traffic back to the enterprise network and then back out to the cloud. The alternative is to use split tunneling which is problematic for security.
4. And speaking of security, VPNs overall are fundamentally not secure enough since they tunnel users directly into the open internal network of the company where a malicious or compromised user can wreak havoc on vulnerable applications and gain access to precious data.
5. VPNs also require agents on the endpoint, except sometimes for web apps, but not every use case is a web app — making it very hard to solve for BYOD and 3rd party owned devices.

What about VDI?

Virtual Desktop Infrastructure is one of the work-arounds for secure access use cases that can’t be solved with a VPN. Specifically all those use cases with users on unmanaged devices who need to access resources and applications that are not web apps. Secure access is not the only reason to use VDI but it is increasingly common for organizations to turn to VDI for what should be a simple remote access requirement.

VDI is problematic, too. Let me count the ways:

1. Users don’t love it because it can tax their productivity with painful, painful latency. The lag time for the user trying to accomplish something on a virtual desktop can be maddening.
2. VDI is expensive and complicated. In addition to the virtual desktop infrastructure with servers, storage, etc, VDI still requires a network gateway to enable remote users to access the virtual desktop where the applications and resources are located. So you have to buy and manage infrastructure and network gateways.
3. And that virtual desktop, where the user ends up, is inside the perimeter sitting in the data center or in the corporate cloud. Also you may not be able to protect those virtual desktops with EDR because auto updates can cause the whole virtualized system to seize up and non-persistent virtual environments may not be around long enough for EDR to work at all. Once again you have a security issue with users getting very close to critical and potentially vulnerable assets.

And then there’s CASB, Web Gateways, and Public Cloud

Neither VPNs nor VDI are friendly solutions for public cloud. So, many organizations add even more secure access solutions into the mix. They turn to inline Cloud Access Security Broker (CASB) or Secure Web Gateway (SWG) capabilities to control and monitor use of public cloud and web apps. They may also try to use native capabilities in individual cloud apps and services. This adds even more complexity to the secure access mix because these solutions are only for public web and cloud apps and services. They come with their own policies, management, visibility and integrations.

It’s all too much

It is madness that the one simple business requirement for remote secure access has become such a quagmire of complexity and cost. VPNs, network gateways, VDI, CASB, Secure Web Gateway, IaaS, and SaaS are often managed by different people or even completely separate departments. Each system has its own policies, visibility, integrations, and deployments.

The Solution

There’s no denying that organizations need a solution that is cloud friendly but also good for both cloud and on-prem applications, and can also cover users no matter where they are working from. A solution that is agentless most of the time (not just for web apps) makes it much easier to deliver secure access to users on devices not managed by the company. A solution that supports secure access for the full range of applications and use cases. This includes users with thick client apps or using peer-to-peer apps, VOIP, and video. And this solution needs to meet modern security standards so it should be a zero trust approach to protect vulnerable corporate resources.

This may sound too good to be true, but it shouldn’t be.

One Secure Access Solution for All

What if there was a solution that supported all these enterprise use cases with the myriad of different applications, users, and devices? What if you could deliver secure access with a single fast-to-deploy cloud service that is agentless first and doesn’t require you change your network? What if you had one central place for policies; consistent visibility across all users and apps; one place for integrations with your identity, endpoint, SIEM, and other security systems; and one solution that easily scales as your access needs change?

Such a solution now exists. With Axis Security Application Access Cloud’s recent expansion of capabilities, organizations have a solution that scales with them as they grow, providing more agentless options, and supporting more apps and use cases than any other secure access solution. With Application Access Cloud, all of the secure access use cases that once required the complexity of multiple solutions, can all be handled one fast-to-deploy, easy-to-use, zero trust solution. For more information on what Application Access Cloud can now do for you, check out our December 8th announcement.