IT fire drill: Remote access expansion under COVID-19

COVID-19 is forcing organizations to establish or enhance remote work processes, structures and policies. This development has increased the pressure on organizations (Authentic8 included) to rethink investments to enable remote work access.

How can IT ensure and scale safe access for a variety of business-critical scenarios, while protecting existing technology investments?

To keep costs down, most organizations (ours included) invest in remote access capacity based on the needs of a subset of workers, but not the entire organization. To keep our team and their families safe during the COVID-19 pandemic, Authentic8 has adopted a work-from-home mandate.

Like many other companies small and large, we are now facing the need for a significant remote access expansion to keep everyone productive and protected. What will it take?

Expanding remote access infrastructure to manage through what hopefully will be a short time has caused us to reconsider traditional approaches. One of the reasons is that we don’t know if supply chain challenges caused by COVID-19 will let us deliver upgrades to our company infrastructure in time.

Another reason is that we don’t know if traditional approaches are sustainable or desirable. We can learn from this crisis to make us a more resilient organization. If we’re going to invest, we’d like to invest in a better way instead of doing more of the same.

So we’ve decided instead to make a deeper investment in our own product adoption (bias fully admitted, I’m a believer and a fan).

Our product, the Silo web isolation platform, is cloud-based, so it isn’t constrained to the same supply-chain rules that apply to physical appliances.

Another advantage: It’s also cloud-agnostic, which allows it to run in public or private infrastructure.

To accomplish our goal, we’re planning a little bit differently than traditional organizations. We have organized the company into several groups:

• Always on VPN: These are the critical roles that require all traffic to be protected or to access properties that are restricted to corporate IP space. These roles mostly use non-web protocols for their workflows (e.g., ssh, APIs, etc.).
• Intermittent VPN: These are roles that require occasional VPN access to either sync or access internal resources for short periods.
• Web-based SaaS Workflows: These are roles with functions inside Finance, Customer Support, HR, Sales, and Marketing.

We’re moving to place all web-based SaaS workflows into Silo, regardless of device or network location. We’ll be in Silo on corporate networks and home networks alike. This brings about a set of improvements:

• First, IT gets an improved control point this way for all remote access into SaaS applications. We have two approaches, one that leverages our cloud security broker investments and one that complements it. In both cases, moving to Silo will remove blind spots and improve internal oversight through the platform’s centralized and unified logging capability.
  Silo steps up protection by adding finer-grained admin web controls and - an industry first - protocol flattening. Others have referred to this as isolation -  but this is something fundamentally different and in a good way… We’ll have more on that topic later.
• Second, to enforce Silo adoption across managed and unmanaged devices, we will leverage one of the features that are unique to Silo, administratively controlled credentials. Our IT administrators provision SaaS accounts and populate Silo shortcuts on behalf of the end user (our customers can do the same for their users). For end users, the only access to their SaaS accounts is through Silo. This approach leverages Secure Browsing where an iDP or CASB has not been built out.
• The third improvement affects a part of the company where we have invested in an iDP, which provides another easy path to Silo adoption. We are placing the iDP portal inside of Silo. The result: Now we have complete zero-trust isolation, in addition to the other benefits of our iDP. Remote users launch Silo and use the iDP just as they’re used to.

To use Silo, we’re asking employees to install a small local display agent on unmanaged machines at home. IT has already installed the same agent on corporate-managed assets. For anyone unable to install executables, there is a web-based display agent available that runs in modern web browsers. Employees will perform work from within their Silo session and browse from the internet as they’ve always done.

This has several benefits:

• High assurance applications are placed behind an added layer of security regardless of device or network.
• Users who don’t know their passwords are much more difficult to phish.
• And lastly, this will add a consolidated and central IT control point for SaaS apps that fits a modern security paradigm.

To be clear, this isn’t the only way Silo can be adopted. It’s our approach, as an effective way to get immediate results under current conditions, and we may partially shift or completely change it in the future.

We hope COVID-19 will be contained quickly, before it can cause more harm than it already has. It has forced us as an organization to explore new ways for greater adoption of our own product. If you find your organization in the same situation, we’d be happy to have a further conversation.

Looking for a step-by-step primer? Get our detailed Guide for CIOs and CISOs: Rapidly Enabling Remote Workers in Time of Crisis.