Zero Trust Network Access for 3 Different Types of Workers
In part 1, we introduced the new VPN that brings Zero Trust concepts into the age of the hybrid remote worker. Today, we will explore the needs of 3 different workers.
We will explore how IT departments can best support workers who spend half their time at home and half their time in the office. Workers want a similar network access experience in both places: the same network performance, the same application experience, and a seamless ability to transition between work environments.
From an IT support perspective, the ability to monitor service levels both at the individual/application level and at the aggregate level is invaluable in staying on top of continuing traffic pattern shifts as return-to-office ebbs and flows. IT sees itself as responsible for ensuring all can access the network effectively and at requisite service levels whether in office or at home.
Worker 1:
Here we have Harry who manages his company’s production supply chain that supports multiple lines of production.
He needs to visit the office and the production plant twice a week to be seen, to exert some authority, to physically inspect operations, and to capture some readings. For the other 3 days he works from home.
When offsite, he frequently has to VPN in to do checks on internal systems and to work within his ERP. He is a heavy user of web-based collaboration tools and Office 365, and he routinely connects to the web portals of the vendors with whom he does business.
When on the VPN, his SaaS traffic is hair-pinned through the corporate office. This works for now, but will it scale into the future? Despite his company’s return-to-office initiatives, his hair-pinned traffic may continue to increase as the company’s march to the cloud continues. Bandwidth demands will grow with each cloud-hosted application release. The company’s set of vendors/suppliers is also growing.
What options does Corporate IT have for Harry?
- Eliminate hair pinning by moving portions, if not all, of the company to a cloud-based VPN service, hopefully one that implements Zero Trust. Access efficiencies and reliability will improve. Each service provider may have a different take on the amount of improvement they can offer. The double bandwidth usage caused by hair pinning will surely decrease.
- For web-based SaaS applications that the Corporate IT department trusts, implement policy to allow local split tunneling for users in need of an improved application experience.
- Leverage the Zero Trust framework of the ZT service provider and implement group policy to control, inspect, and apply threat treatment to each user’s Internet destination usage.
- Continue to tunnel everything else from the corporate device to the corporate data center, where application-specific access controls into corporate-hosted applications are still maintained. Depending on the service provider offering the VPN service, the communications path between the corporate device and the corporate data center may use its own tunnel, which eliminates hair pinning through a service provider gateway.
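The options above amount to a per-destination routing decision on the managed device. The following Python code is an added example, not taken from the original article or from any vendor's product; it classifies a destination into one of the three paths and matches domains on whole DNS labels so that look-alike names do not inherit the split-tunnel exemption. The domain lists, network range, and path names are constructed assumptions.

```python
import ipaddress

# Constructed sample policy: every value below is an assumption for illustration.
TRUSTED_SAAS = {"office.com", "salesforce.com", "zoom.us"}  # split-tunnel allowlist
CORPORATE_DOMAINS = {"corp.example"}                         # corporate-hosted apps
CORPORATE_NETS = [ipaddress.ip_network("10.0.0.0/8")]        # data center ranges

SPLIT = "local-split-tunnel"      # trusted SaaS leaves the device directly
INSPECT = "zt-provider-inspect"   # other Internet traffic goes through the ZT provider
BACKHAUL = "corporate-tunnel"     # corporate-hosted applications


def _in_suffix_set(host, suffixes):
    """True if host equals a listed domain or is a subdomain of one.

    Matching is on whole DNS labels, so 'evil-office.com' does not
    match 'office.com' the way a plain str.endswith() check would.
    """
    labels = host.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in suffixes for i in range(len(labels)))


def route_for(destination):
    """Return the path a managed device should use for one destination."""
    try:
        addr = ipaddress.ip_address(destination)
    except ValueError:
        addr = None
    if addr is not None:
        # IP literals: only corporate ranges get the corporate tunnel.
        if any(addr in net for net in CORPORATE_NETS):
            return BACKHAUL
        return INSPECT
    if _in_suffix_set(destination, CORPORATE_DOMAINS):
        return BACKHAUL
    if _in_suffix_set(destination, TRUSTED_SAAS):
        return SPLIT
    # Default: destinations not explicitly trusted are inspected, never bypassed.
    return INSPECT
```

The default branch matters most: a destination that is not explicitly trusted is inspected rather than allowed to bypass the tunnel.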
Current solutions in the marketplace are attempting to make the remote access experience seamless to the end user. Through means of single sign-on (SSO) and always-on secure access connectivity, the end user should never know or care how traffic is being routed out of his device for the destinations he is trying to reach.
Worker 2:
Now comes Sally, a salesperson who rarely needs or wants to be in the office. She is much more productive without the distractions of the office and hopes that she never has to go back.
Much of her on-line work is done via Office 365, Zoom, and Salesforce. Given that all 3 applications are cloud-based, she has no need for a VPN when she is out and about or at home. Embarrassingly, she can’t remember the last time she ever used one.
What options does Corporate IT have for Sally?
- Give her the access treatments you gave Harry. ZTNA can add in the hooks for inspecting and controlling her Internet usage, ensuring that her corporate-issued device is constrained to corporate business use.
- Endpoint protection packages can monitor for process utilization and rogue behavior in data and process usage. File and in-flight scanning tools can detect and block virus, malware, and ransomware attacks. These things tend to be thought of as going beyond the scope of Zero Trust access control but are nevertheless important to overall endpoint protection.
Worker 3:
Vyrl is an office worker and is most productive when in the office. From distractions to getting technology to work, working from home is challenging. His VPN seems so unreliable and slow to him.
Luckily for Vyrl, his access needs at home are satisfied if he can simply check up on his email and calendar. On occasion he will fire up the VPN from home and hope he remembers how to use it.
What can Corporate IT do for Vyrl to give him the confidence that he can be just as successful working from home, when he needs to, as he is in the office, without having technology constantly staring him in the face?
For one, he needs a better at-home user experience, an experience that replicates the experience he enjoys in the office.
- Today’s Secure Access clients are not like the VPN clients of yesteryear. The clients today can track throughput usage by application process and funnel the data to either cloud-based or on-premises storage, where data analytics can process and present the data to Corporate IT. Behavioral indicators can lead Corporate IT into spearheading programs for training users who need additional training on work-at-home solutions.
- The clients of today can report on how much of the traffic is being split tunneled, sent to a cloud-based security provider, or backhauled to corporate. They can measure response times on application flows to give Corporate IT the indicators they need to improve application access experiences.
- And to boot, this data can be collected whether the user is in the office, at home, or on the road, segregated by these 3 access types, to help corporate IT determine if their remote access solution is working for all employees that they support.
As we can see, Zero Trust Network Access, the next-gen remote access VPN, has a lot to offer to every type of remote access worker. Lots of options exist in the marketplace from multiple vendors.
Lumen has just introduced its Managed Zero Trust Network Access offering based on Appgate’s Software Defined Perimeter technology.
For those looking for Zero Trust within the scope of a wider deployment of SD-WAN, options include the ZTNA solutions from SD-WAN vendors Versa Networks, VMware, Palo Alto, and Fortinet.
Lumen also has its Adaptive Network Security Mobility based on the Lumen hosting of FortiGate.
©2021 Lumen Technologies. All Rights Reserved.