In our last two posts, we talked about the unexpected acceleration of remote work resulting from the COVID-19 global pandemic and how VPNs are incapable of providing reliable, secure Internet access to all of these new remote employees. It’s clear that a new network architecture is needed, but it is too much to expect organizations to completely rip out and replace their network architecture all at once. A measured, step-by-step approach is more practical.
The first step is to segregate data center traffic from Internet traffic through split tunneling. This can reduce VPN traffic by 70 percent—a much more manageable load. The second step is to secure Internet traffic through a global cloud proxy. Once this is done, organizations may want to consider getting rid of their VPN service completely and routing everything through the global cloud proxy for efficiency and consistency. But again, this should be a measured approach, and there should be no rush to completely replace your legacy VPN.
But how should your global cloud proxy be set up? What features are necessary?
We’re glad you asked, because Gartner recently published an excellent report on best practices for migrating to a secure web gateway (SWG). Not surprisingly, the guide serves as a roadmap for implementing the Menlo Security Global Cloud Proxy platform with an Isolation Core™.
Gartner Outlines Global Cloud Proxy Essentials
According to Gartner, organizations should look for an SWG that is based in the cloud, connects users and remote sites with IPsec or GRE tunneling, authenticates users by type, deploys your TLS certificate to the cloud, uses advanced threat detection technologies, and can be rolled out to subsets of users in a step-by-step deployment.
Metered Policy Rollout: Make sure you keep the lines of communication to users open during the implementation process to alleviate any concerns and resolve issues quickly. Once you have your base policy set defined, implement it and deploy the solution to a subset of users. For example, you can start by creating a policy that sends uncategorized sites to the cloud and roll it out initially to remote users. This gives you a chance to identify, troubleshoot, and resolve bottlenecks before you scale it out to the entire organization.
Connect Sites and Remote Users to the SWG: It’s important to set up either an IPsec or GRE tunnel to connect remote sites, and the choice depends on your plan for traffic redirection and network vendor support. You should also work with endpoint management teams to deploy agents or configure proxy autoconfiguration (PAC) files for browsers.
Authenticate Users by Type: Ensure that your users can authenticate to the cloud SWG service and that your policies are blocking content based on the organization’s security policies. User attribute mapping can assist in creating granular policies allowing specific content to be passed to the intended users. If you are in a multidomain Active Directory environment and depend on it for user and group mappings, this may add complexity.
Deploy TLS Certificate to the Cloud: Deploy your organization’s TLS certificate to the cloud SWG platform and ensure that it is inspecting the categories you want. You should also set appropriate privacy policies for categories that may contain sensitive personal information. This is especially critical in healthcare, banking, and other industries that deal with personally identifiable information (PII). If you can’t deploy your own certificate, you’ll need to distribute the vendor’s certificate to endpoints to avoid certificate errors and warnings. It’s important to have a proper exception process in place to provide a TLS inspection bypass for sites that do not support TLS inspection because of certificate pinning.
Set Up Advanced Threat Detection: It’s essential to scan files and content before they enter the organization. The largest attack vector for ransomware and malware is through attachments downloaded by users through web-based email or malicious websites. Advanced threat detection technologies include remote browser isolation (RBI) sandboxing.
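The PAC file mentioned under "Connect Sites and Remote Users to the SWG" is where a browser learns the split between data center and Internet traffic. The following is an added example, not Menlo Security's or Gartner's configuration: the proxy host and port and the internal domain suffixes are placeholders, it assumes the direct path to internal ranges is the one the VPN carries, and it uses plain string checks instead of the PAC helper functions so the logic can also be tested outside a browser.

```javascript
// Added example: split-tunnel PAC logic. All names below are placeholders.
var CLOUD_PROXY = "PROXY swg.example.net:3129";                   // hypothetical cloud SWG endpoint
var INTERNAL_SUFFIXES = [".corp.example.com", ".dc.example.com"]; // hypothetical data center zones

// True for dotted-quad hosts in RFC 1918, loopback or link-local ranges.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  var a = Number(m[1]), b = Number(m[2]);
  if (a > 255 || b > 255 || Number(m[3]) > 255 || Number(m[4]) > 255) return false;
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168) ||
         (a === 169 && b === 254);
}

// True when host is an internal zone itself or a name beneath it.
// Matching on the leading dot keeps lookalikes such as
// "notcorp.example.com" out of the direct path.
function isInternalName(host) {
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var suffix = INTERNAL_SUFFIXES[i];
    if (host === suffix.slice(1) || host.slice(-suffix.length) === suffix) return true;
  }
  return false;
}

// Entry point the browser calls for every request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase().replace(/\.$/, ""); // normalise case and trailing dot
  // Unqualified names, internal zones and private addresses are data center
  // traffic: leave them on the direct path (assumed to be carried by the VPN).
  if (host.indexOf(".") === -1 || isInternalName(host) || isPrivateIPv4(host)) {
    return "DIRECT";
  }
  // Everything else is Internet traffic. No "; DIRECT" fallback is listed, so
  // an unreachable proxy fails closed instead of silently skipping inspection.
  return CLOUD_PROXY;
}
```

Appending "; DIRECT" to the proxy string would trade that fail-closed behaviour for availability, which is a policy decision to make deliberately during the metered rollout.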
Menlo Security Global Cloud Proxy Platform
The Menlo Security Global Cloud Proxy platform with an Isolation Core™ meets Gartner’s recommendations by delivering security through the cloud and enabling split tunneling. These capabilities allow Menlo to create a new cybersecurity architecture for remote workers in which traffic to the data center is secured by a VPN and all Internet traffic is secured in the cloud by Menlo Security—a crucial first step when moving all security controls to the cloud.
Menlo Security excels in delivering security with its Isolation Core™. The Isolation Core™ takes a block-or-isolate approach rather than the block-or-allow approach that is standard for most SWG solutions. Isolating all traffic in the cloud, far from the endpoint, is the only way to 100 percent protect users from web-based threats. In addition, isolation is the foundation of the Menlo Security Global Cloud Proxy platform. It provides users with 100 percent secure email and web browsing without impacting the native user experience. It also provides IT with the most granular visibility and control of users, data, and applications.
A Measured Approach
It’s clear that organizations need a new network architecture for securing today’s remote users. Delivering all security services through the cloud is a great end goal, but organizations need a measured, step-by-step adoption roadmap that is least disruptive.
Secure Remote Workers: Enable split tunneling to alleviate VPN traffic and secure Internet traffic through isolation.
Secure Branch Offices: Deliver security services to users in remote offices through the cloud.
Consolidate Network Architecture: Assess whether you really need complex and costly legacy network infrastructure—such as VPN, firewalls, and so on—if cloud security does a better job of securing users and is much more efficient.
Migrate to Ubiquitous Cloud Security: Move all security services to the cloud.
Eventually, security will be delivered 100 percent in the cloud. It’s clear that’s the way we are heading. But until then, Menlo Security provides a low-risk adoption roadmap that starts with remote workers and is in lockstep with Gartner’s SWG best practices. For more information, download our Remote Workers Guide to learn how to provide your organization’s remote employees with reliable, safe Internet access.