Securing a Borderless Network

How to protect data when there is no more traditional corporate network.


In an age of virtual organizations, ubiquitous mobile devices, and cloud computing, the traditional network perimeter – firewalls protecting an information system hosted in an on-premises data center – has dissolved. But the need to protect critical corporate data and intellectual property is more urgent than ever.

Protecting these assets is far more difficult than it was just a few years ago, when only full-time employees could log into individual applications, and only from within the corporate network. Today, everyone from part-time contractors to business partners to customers needs to access, use, and share information across devices, diverse corporate systems, cloud-based SaaS applications, and more.

“We see many of our clients meeting this challenge with a three-pronged strategy of zero trust networks, identity management, and endpoint protection,” says Nicolas Fischbach, global chief technology officer (CTO) of Forcepoint.

Zero Trust Networks

A zero trust network approach can meet users’ need to access corporate data from locations outside of corporate control, such as public Wi-Fi, while at the same time keeping data secure. This strategy works by funneling traffic from such locations through a secure transport layer whether the traffic is going to an internal data center, the public cloud, or Software as a Service (SaaS) such as Microsoft Office 365.

Virtual Private Networks (VPNs) have long provided encrypted connections for remote users back to the “big corporate firewall”. That model dates from when this firewall was “the” corporate perimeter and, once a user was logged into the VPN, they could “access almost anything internally,” says Fischbach.

But such unfettered access is far too dangerous in today’s digital business environment, and it is not suited to SaaS applications, which are distributed by nature. Instead, he says, modern approaches combine secure transport with a proxy and application policies tied to each user’s identity, so that access is allowed only to approved applications and data. This is the role of a Cloud Access Security Broker (CASB).

Identity Management

It’s impossible to protect the human point – the intersection of users and data over networks of different trust levels – without ensuring each user’s identity, regardless of which network, device or application they are using. Unless an organization can assure that an individual is who they claim to be, there is no way to determine whether they deserve any access at all, and if so, which data or systems they should have access to.

Identity and access management identifies individuals and controls their access to resources by associating user rights and restrictions with their personas. Whether the identity directory runs on-premises or in the cloud, its integration with the various apps and security tools is critical. Policies then define which devices and users are allowed on the network and what actions a user can take, depending on their device type, how clean the device is (i.e., OS up to date, AV up to date, protections turned on, etc.), location, privileges, and other factors.
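As an added example (not Forcepoint's code or anything from the original article), the following policy decision function combines the factors listed above: the user's entitlements, device hygiene (OS and AV currency, protections on), whether the device is managed, and the network the request arrives from. The app entitlement table, the 14-day freshness window and the three decision outcomes are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed example of a zero trust policy decision point: identity,
# device posture and network location are all evaluated before a user is
# proxied to a specific application. Assumed model, not a product's API.

@dataclass(frozen=True)
class Device:
    managed: bool              # enrolled in corporate device management
    os_patch_date: date        # last OS update applied
    av_signature_date: date    # last antivirus signature update
    protections_enabled: bool  # disk encryption, host firewall, etc.

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset          # directory groups the user belongs to
    mfa_verified: bool         # strong authentication already completed
    device: Device
    network: str               # "corporate", "home", "public-wifi"
    app: str
    app_sensitivity: str       # "low" or "high"

MAX_AGE = timedelta(days=14)   # assumed freshness window for patches and AV

# Which groups may reach each app (assumed sample data).
APP_ENTITLEMENTS = {
    "office365": {"employees", "contractors"},
    "finance-erp": {"finance"},
}

def device_is_clean(dev: Device, today: date) -> bool:
    """Hygiene check: protections on, patches and AV signatures recent."""
    return (
        dev.protections_enabled
        and today - dev.os_patch_date <= MAX_AGE
        and today - dev.av_signature_date <= MAX_AGE
    )

def decide(req: Request, today: date) -> str:
    """Return 'allow', 'deny' or 'step-up' (extra authentication needed)."""
    if not req.groups & APP_ENTITLEMENTS.get(req.app, set()):
        return "deny"       # no entitlement, regardless of network or device
    if not device_is_clean(req.device, today):
        return "deny"       # unhealthy endpoint is never let through
    if req.app_sensitivity == "high" and not req.device.managed:
        return "deny"       # sensitive apps only from managed devices
    if req.network != "corporate" and not req.mfa_verified:
        return "step-up"    # off-network: require MFA before proxying traffic
    return "allow"
```

Because the entitlement check comes first, a user with no right to an application is refused even from a clean, managed device on the corporate network, which is the point of tying policy to identity rather than to location.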

Endpoint Protection

The endpoint – be it a notebook computer, tablet, or smartphone – is where users access the data they need. It’s also the place where they may intentionally or unintentionally “exfiltrate” their data to unauthorized outsiders, and that hackers target to penetrate corporate systems.

Endpoint security solutions prevent users from accessing dangerous websites and downloading possible malware, enforce various company policies, and provide secure connectivity. The endpoint is also where data access and sharing can be detected, and where user behavior can be gathered to drive analytics.

The Bottom Line

Today’s corporate networks extend far beyond the enterprise firewall and into environments and devices IT leaders can’t always control or even detect – to the point where some CI(S)Os have started to treat all networks as equal, be they internal or the Internet. The right combination of a zero trust network approach, identity management, and endpoint protection can keep critical corporate data out of the wrong hands while ensuring it also reaches the right hands securely and with a good user experience.

Forcepoint’s human-centric cybersecurity systems protect your most valuable assets at the human point: The intersection of users and data over networks of different trust levels. Visit www.forcepoint.com


Copyright © 2017 IDG Communications, Inc.