Home office in times of crisis? Sure! But Secure!
Covid-19 has made us realize in a very frightening way how helpless humans, companies and states can be. We wish all readers strength and health in this difficult and uncertain situation. The coronavirus not only has a massive impact on the health sector and our social life, but also on our economy and livelihoods.
“Extraordinary times require extraordinary measures” is an often quoted phrase these days. One of these measures: home office. In order to interrupt the infection chains of the virus and contain the spread, many companies have – on the advice of federal governments – almost completely switched to home office.
Working from home is, at least in large part, what still keeps our economy running. Unfortunately, cybercriminals know this too. The switch to fully remote work is often associated with a high digital risk for companies and their employees: cybercrime. With the increasing number of home office workers, which is unavoidable and the right thing to do right now, there is also a steep rise in cyber attacks.
What current approaches à la firewall and VPN can and cannot deliver
Traditional firewalls and VPNs rely on a strict separation between the internal company network and the Internet (the external network). This isolation seems obvious at first and has been a proven approach over the past decades. Today, however, it is no longer secure: in times of home office, cloud applications, mobile devices and Bring Your Own Device (BYOD), data no longer resides only in the company’s internal network and must be accessible from anywhere, including from outside the company.
The following analogy illustrates this very clearly. In the past, walls were built around cities to protect against intruders (Figure 1). There were also city gates through which only authorized persons were granted access. However, if a criminal managed to get into the city (e.g. through a counterfeit identity, a Trojan horse or a tunnel), he was able to move around relatively freely and cause trouble throughout the city. Consequently, time has shown that the isolation (wall and gate) approach is not effective – certainly not in a highly networked and globalized world.
But in the digital world, many organizations still largely follow exactly this old-fashioned approach: a firewall is installed around the entire corporate network and Virtual Private Networks (VPNs) are used as city gates to access the entire network. This also means that there is no fine-grained access and connection establishment to individual applications. Rather, one is connected to the entire network and the problems are comparable to those from the “real world” in the Middle Ages.
Once in the internal network (behind the firewall), users and thus also attackers have access to almost all resources. An attacker can thus gain access to large parts of the internal, critical network and identify, manipulate, and damage all network communication and IT systems. The situation becomes even more complex if, for example, external cloud services are integrated via a variety of proprietary interfaces. As a result, the firewall (city wall) increasingly resembles a Swiss cheese full of holes. In short, many organizations still use approaches from the Middle Ages and try to fight new types of cyber attacks, which are based on the latest technology. A clear mismatch! This cannot go well in the long run.
Vulnerabilities of perimeter firewalls and VPNs
- Perimeter firewalls do not allow fine-grained protection, administration and granting of access.
- VPN solutions are only scalable to a limited extent (only via hardware) and often have limitations in terms of throughput.
- When cloud solutions and external devices (e.g. home office remote PCs) are integrated into the internal network, they become part of the network and receive an IP address from the internal network. This reveals a large attack surface.
- No holistic perspective and solution for different infrastructures (on-premise, cloud and IoT), which means no central and consistent identity and access rights management.
Zero Trust as a secure foundation for the age of home office, cloud and IoT
A future-proof and innovative approach to solving the “medieval problem” (perimeter firewalls and VPNs) is offered by the so-called Zero Trust concept. Simply put, this concept follows a very simple but fundamentally different paradigm: trust no one and verify every access – “Never trust, always verify”.
Putting this concept into practice brings, in particular, the following inherent advantages:
1) Equal treatment of all access requests, no separation between internal or external requests.
The separation between internal and external is conceptually removed and the user and device accessing the system are placed at the center. Every access at any time and from any place is authenticated.
2) Fine-grained administration of access on application instead of network level
Instead of relying on a “big” firewall around the entire corporate network, each application is secured individually. This means that access can also be granted fine-grained and user-centered – unlike VPN, which establishes a connection to an entire network.
3) No connection establishment without authentication – authenticate first
In existing concepts, the user and the device are first connected to the desired application, where authentication and authorization are then carried out. With the Zero Trust concept, this procedure is reversed: an independent controller instance first carries out authentication and authorization, and only if this succeeds is the connection to the application established. Unauthorized and unauthenticated users and devices cannot even reach the applications.
4) 1:1 connection instead of assigning IP addresses from the internal corporate network
The fine-grained access control enables direct connections between the accessing device (and its user) and the desired application. As a result, the accessing device does not receive an IP address from the company network (unlike access via VPN), so the device does not become part of the internal network and cannot serve as a foothold for attacks from inside it.
5) Holistic management of all access rights in the company (on-premise, cloud and IoT)
Through the preceding authentication and authorization at the controller, a centralized and consistent administration and monitoring of identities and access rights is possible. In comparison, the administration of VPNs is complex and only regulates access to the network, but not access to applications.
How can this be implemented? With qbound!
At qbound we have developed an access management solution based on the Zero Trust concept, which uses the latest technologies and can be deployed across various infrastructures (on-premise, cloud and IoT). With our solution we raise the security level and simplify the administration of access rights and IT networks. The functionality of the qbound architecture shown in Figure 2 can be divided into four steps:
1) Authentication and authorization of user and device (client)
2) Establishing the data channel between client and gateway
3) Connection of client and target application via gateway and outbound connection
4) Real-time analysis of access and data exchange
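To make the five Zero Trust advantages listed earlier and the four-step flow above concrete, here is an added illustration written for this post. It is not qbound’s code and does not reflect qbound’s protocol or APIs. It assumes a shared HMAC key between controller and gateway, a constructed set of users, managed devices, applications and policies, and it models the gateway’s data channel as a returned record rather than a real socket. The names Controller, Gateway, authorize, connect and demo are all assumptions made for this example.

```python
# Added example, not qbound's code: a minimal "authenticate first" Zero Trust broker.
# The controller authorizes a user+device for ONE application and issues a signed,
# short-lived grant; the gateway opens a 1:1 channel only after verifying that grant.
# All users, devices, policies and addresses below are constructed sample data.
import base64
import hashlib
import hmac
import json
import time

# Key shared between controller and gateway (constructed; real deployments would
# use per-gateway keys or certificates instead of a hard-coded value).
SHARED_KEY = b"example-controller-gateway-key"


def _hash_pw(password, salt):
    """Salted password hash for the constructed user store."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


class Controller:
    """Step 1: authenticate user and device, authorize access to a single app."""

    def __init__(self, users, devices, policy, ttl=60):
        self.users, self.devices, self.policy, self.ttl = users, devices, policy, ttl
        self.audit = []  # step 4: every decision is recorded for real-time analysis

    def authorize(self, user, password, mfa_ok, device_id, device_compliant, app):
        u = self.users.get(user)
        ok = (u is not None
              and hmac.compare_digest(_hash_pw(password, u["salt"]), u["pw"])
              and (mfa_ok or not u["mfa"])                # user authentication
              and device_id in self.devices               # only managed devices
              and device_compliant                        # device posture check
              and u["role"] in self.policy.get(app, ()))  # per-application policy
        self.audit.append({"ts": time.time(), "user": user, "device": device_id,
                           "app": app, "decision": "grant" if ok else "deny"})
        if not ok:
            return None  # nothing reaches the application without a grant
        payload = {"user": user, "device": device_id, "app": app,
                   "exp": time.time() + self.ttl}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
        sig = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}.{sig}"


class Gateway:
    """Steps 2 and 3: open a 1:1 channel to the one app named in a valid grant."""

    def __init__(self, upstreams):
        self.upstreams = upstreams  # app -> internal address, never given to clients

    def connect(self, grant, requested_app):
        try:
            body, sig = grant.split(".")
        except (AttributeError, ValueError):
            return None
        expected = hmac.new(SHARED_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(sig, expected):
            return None  # forged or tampered grant
        claims = json.loads(base64.urlsafe_b64decode(body))
        if claims["exp"] < time.time() or claims["app"] != requested_app:
            return None  # expired, or grant is for a different application
        # Only now is a connection established, and only to this one application.
        return {"user": claims["user"], "target": self.upstreams[requested_app]}


# Constructed sample inventory and policy.
SALT = b"constructed-salt"
USERS = {"alice": {"pw": _hash_pw("correct horse", SALT), "salt": SALT,
                   "mfa": True, "role": "sales"}}
DEVICES = {"laptop-0042"}
POLICY = {"crm": {"sales"}, "hr": {"hr"}}  # which roles may reach which app
UPSTREAMS = {"crm": "10.0.5.10:443", "hr": "10.0.5.20:443"}


def demo():
    """Run the flow for several access attempts and return the outcomes."""
    ctrl, gw = Controller(USERS, DEVICES, POLICY), Gateway(UPSTREAMS)
    grant = ctrl.authorize("alice", "correct horse", True, "laptop-0042", True, "crm")
    tampered = grant[:-1] + ("0" if grant[-1] != "0" else "1")
    r = {}
    r["crm_ok"] = gw.connect(grant, "crm") is not None
    r["hr_with_crm_grant"] = gw.connect(grant, "hr") is not None      # 1:1 only
    r["forged_grant"] = gw.connect(tampered, "crm") is None
    r["no_mfa"] = ctrl.authorize("alice", "correct horse", False, "laptop-0042", True, "crm") is None
    r["unmanaged_device"] = ctrl.authorize("alice", "correct horse", True, "byod-phone", True, "crm") is None
    r["noncompliant"] = ctrl.authorize("alice", "correct horse", True, "laptop-0042", False, "crm") is None
    r["wrong_app_policy"] = ctrl.authorize("alice", "correct horse", True, "laptop-0042", True, "hr") is None
    stale = Controller(USERS, DEVICES, POLICY, ttl=-1)
    r["expired"] = gw.connect(stale.authorize("alice", "correct horse", True, "laptop-0042", True, "crm"), "crm") is None
    r["denies_logged"] = sum(1 for e in ctrl.audit if e["decision"] == "deny")
    return r


if __name__ == "__main__":
    print(demo())
```

The point to notice is where the checks happen: a client that fails authentication, uses an unmanaged or non-compliant device, or is not entitled to the requested application never gets a grant and so never reaches the gateway, and a grant for one application is useless for any other, which is the per-application rather than per-network access the post contrasts with VPN.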
Dr. André Schweizer is CEO of qbound GmbH and has many years of experience in industry and research. Dr. André Schweizer is also a researcher at the Centre for Blockchain Technologies at University College London (UCL). Previously he was with the Fraunhofer FIT and the University of Bayreuth.