By Etay Bogner, VP, Zero-Trust Products, Proofpoint
Whether you are the IT manager of a growing startup company or a midsize enterprise, you have probably already faced the increasing demand by end-users to remotely access organizational resources.
Naturally, an end user’s main concern is how easy it is to access the services he or she needs, with a user-friendly interface that doesn’t require any technical skills or hands-on configuration. As an IT manager, you are concerned with security; but you’re also concerned about the hard work and the hours of configuration needed to set up and maintain secure remote access for mobile users.
Software-Defined Perimeters (SDP) provide end-users with multiple connectivity methods without requiring advanced technical skills. They remove the implementation and management burden and allow secure remote user access from anywhere to anywhere within the enterprise network. Advanced SDPs offer:
User Management and Authentication
We all know that IdP providers like Okta, OneLogin or Azure AD have become very common for a reason – they provide greater flexibility for user management and authentication. Some organizations have even replaced their on-premise Active Directory with an external IdP.
Next-generation SDP solutions offer user management and authentication that are integrated and interoperable with third-party IdP providers supporting SAML 2.0:
User Management and Provisioning: Adopt platforms that support SCIM, enabling you to provision, synchronize and de-provision users and groups through their existing IdP. All registered user records in the IdP can be automatically created during the user onboarding process. They can then be automatically assigned to relevant groups and policies as needed. In addition, manage users and groups using a platform that integrates with the old but reliable Active Directory.
User Authentication: Any user trying to access resources should have to be authenticated using one or more factors. IT is preferable to leverage an integrated authentication mechanism (that includes MFA) with authentication that can be configured to work via your IdP provider. The user will then need to click ‘SSO Authentication’ during login and authentication will be redirected.
Self-Service Device Onboarding
When replacing the existing VPN with a new solution, you also want to reduce the burden of onboarding each and every device.
Agent Onboarding
Once the SDP agent launches a self-service onboarding process on each user device, integrating with an IdP like Okta, OneLogin, or Azure AD, the onboarding process is even easier and shorter. The agent can be set to ‘Always-on,’ so whenever the user logs in, the agent will automatically connect for a seamless experience. Once authenticated, the user gains access to the relevant services and applications according to the pre-defined policies.
Browser-Based Access
There are cases where it is not possible to install an agent on an end-user device. This is common for BYOD, as well as with partners and subcontractors who need access to internal corporate resources. This is why select vendors have developed clientless, browser-based solutions. The solution then allows users to access corporate resources from any browser with protocols like RDP, VNC, SSH, and any web-based application. Users simply browse to the platform URL, authenticate and receive a list of available links according to his or her policies.
- Onboarding Network Resources
User onboarding and provisioning is only one side of the equation. Users need to access enterprise network services like applications and servers. Most organizations and enterprises host resources on-premises, in private data centers and cloud providers like AWS, Azure, GCP, and OCI. So it’s entirely possible for a midsize enterprise to have services on AWS in Europe, Azure in North America, a data center in India and an office in London.
You can onboard resources to the SDP platform quickly and simply. This is done using a virtual appliance, which acts as a gateway and establishes an outbound IPSec connection to the nearest PoP. Because the platform initiates the IPSec connection, only outbound ports need to be opened in the data center or cloud firewall, which limits exposure to threats.
Setting up more advanced SDP platforms takes just a few minutes; They are easy to deploy, scalable, highly available, and require no maintenance. The SDP also provides an image for any cloud environment as well as an OVA for in-house VMs.
- Micro-segmented Access to Network Resources
Most VPN solutions allow access to the entire subnet, requiring IT to manually segment the network in order to reduce the attack surface. However, some SDP solutions offer micro-segmentation that is enforced out of the box.
You can set it up so only the relevant CIDR blocks are exposed through the SDP solution (protecting the rest of your resources from possible attacks) and hiding applications, services and networks from the Internet to control exposure depending on the user and device identity.
- Policy-Based Access
Once a network resource is onboard to the SDP platform, that does not mean that users can access it. The opposite is true – all access is denied, and every network resource is hidden unless you explicitly expose it as part of the user policy.
An identity-based SDP solution makes it easier to manage the access policies and provide granularity at the port and protocol level. Defining policies is as easy as selecting users and groups, and choosing the target, such as a subnet or a specific service with a defined port and protocol.
- Automating Security with the API
The use of APIs has become very common and is actually a must on any system.
For those incorporating an API, administrators are able to easily set up automated workflows and integrate the SDPs capabilities with any service. For example, you can set up an API flow to automatically trigger alerts to your email or Slack channel about events that interest you.
Additionally, automation can be used to automatically implement and auto-configure a full environment with the click of a button, or to build custom-tailored user interfaces.
Summary
At the end of the day, a big part of IT is providing access to services, allowing users to work from anywhere, and securing enterprise assets from threats. That’s not an easy task, however, there are tools to help make it easier to manage, control, deploy and monitor, without overloading your team.
About the Author
Etay Bogner is the former CEO of Meta Networks and now VP of Zero-trust Products for Proofpoint. He is focused on helping organizations provide secure remote access for employees, contractors, and partners to corporate applications and the internet. To learn more, download a detailed whitepaper on the subject.