Client Architect, Networking
Corporate networks haven’t changed all that much over the years. They’re often considered a utility to be left untouched if traffic flows as expected. Most IT leaders and network administrators have the mindset “if it ain’t broke, don’t fix it.” This has been the case virtually since the inception of computer networks.
Most networks today are still designed or run in traditional architectures, such as overlapping star topologies (via VLANs) on the LAN side and site-to-site VPN or MPLS-VPN tunnels in either a star or mesh topology beyond the corporate boundaries. While the technologies have changed, the primary network is still built based on old thinking.
As I look at these topologies in many of our customers’ networks, I constantly hear the explanation, “It works for us the way it is.” When asked how their networks might be improved to accommodate application flow, better security, and user experience, most still believe that what they have is adequate. Nothing could be further from the truth.
The COVID-19 pandemic created dramatic change.
The COVID-19 pandemic brought about significant changes, particularly for the IT department, as it created the need for a massive remote workforce. In early 2020, I remember the panic around business continuity when no one could come to the office any longer.
Without much planning, IT departments rushed to set users up to remotely access the applications housed in their data centers and central offices. “Get everyone on VPN ASAP!” was the rallying cry as customers approached their technology partners to resolve this dire need.
As this transition happened, businesses suddenly found their boundary devices overloaded and unprepared for the massive shift in traffic direction, going from inside-out to outside-in. Furthermore, companies found that their applications were similarly unprepared for this shift.
One of my customers had their call center application infrastructure on-site at their two call center locations. Calls and their CX applications worked great when all the call center employees came into the office to work. But when they were forced to have all the call center employees work from home, they suddenly found themselves looking at massive QoS issues, dropped calls, long hold times, and customer satisfaction ratings dropping rapidly.
CX applications were not functioning correctly for remote employees. Their network was no longer adequate to facilitate critical business applications. As the pandemic dragged on, ‘work from home’ started morphing into ‘work from anywhere,’ and the IT department suddenly realized their ‘protected networks’ weren’t so protected. Traditional networks were simply not designed to facilitate this dynamic and are no longer sufficient for protecting corporate assets and IP.
Traditional network architectures are designed to have defined layers that may be coupled with a DMZ and VPN-connected sites. They depend on segmenting via VLANs, VRFs, and firewall boundaries for security.
And most importantly, traditional architectures depend on assets and applications being at a fixed point on the network, behind a fixed ingress and egress point. Network administrators and cybersecurity personnel must now contend with the threats on every employee’s home network or the very insecure WiFi connections at the local coffee shop.
Remote workforces are not going anywhere.
Companies have come to accept that business can be conducted via Zoom, MS Teams, or WebEx, and they’ve found having a remote workforce is cheaper than renting expensive floor space in office buildings. But with change comes new challenges.
Ransomware and malware incidents increased more than 400% from 2019 through 2022 as more employees exposed their corporate machines to their home networks.
Very few people think about their home network’s security. Most folks just go to Best Buy or Amazon, get the latest WiFi router, connect it to their modem, and off they go. They rarely change the default password or the network numbering, and rarely set up any security features. Then, when they click a link to check out the latest cat video, their laptop is suddenly compromised with malware. And when they VPN into the corporate network, the malware that was silently downloaded onto that laptop is suddenly loose in your network.
It’s time to rethink “the network.”
To combat this growing threat, it’s time to rethink the network. Instead of being centralized, the network is now dispersed, with no secure edge. IT staff must shift their thinking from “we trust everything on the network” to “we don’t trust anything, regardless of where it is.”
IT staff must assume that nothing is secure, whether in a cloud, in a data center, connected to a VPN, or behind a firewall. This is where Zero-Trust comes in.
Zero-Trust is a set of security principles that demands explicit trust, established by verification, rather than the implicit trust traditional networks grant to anything already inside the perimeter.
Zero-Trust technologies include:
- SD-WAN to replace site-to-site VPNs,
- Zero-Trust Network Access (ZTNA) to replace user VPNs,
- Secure Access Web Gateway for secure access to corporate web applications, and
- Microsegmentation to replace VLANs by moving application access permissions from the management layer of the network to the control plane.
Zero-Trust technologies push the security barriers of the network out to the end-user and the end-user device where most bad actors gain access to the network in the first place.
Zero-Trust doesn’t just authenticate the user and the user’s device; it constantly checks them for compliance with policy. If a device has been authenticated via Zero-Trust and it suddenly begins reaching out to an unauthorized network-based resource, it is instantly disconnected.
With Zero-Trust, only properly authenticated users on properly configured devices can reach the applications and resources they are authorized to access, and only for as long as they remain in compliance with corporate security and access policies.
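The behaviour described above (least-privilege access plus continuous re-checking, with the session torn down the moment a device drifts out of posture or reaches for something it was never allowed) can be shown as a small policy decision point. This is an added illustration, not DataEndure's code or any vendor's product; the resource names, roles and posture checks are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample policy (hypothetical names): each resource lists the
# roles allowed to reach it and the device posture checks that must hold.
POLICY = {
    "crm-app":   {"roles": {"callcenter"}, "require": {"disk_encrypted", "edr_running"}},
    "hr-portal": {"roles": {"hr"},         "require": {"disk_encrypted", "edr_running"}},
}

@dataclass
class Session:
    user: str
    role: str
    posture: Set[str]                      # latest posture report from the device agent
    revoked: Optional[str] = None          # reason the session was torn down, if any
    audit: List[str] = field(default_factory=list)

def evaluate(session: Session, resource: str) -> str:
    """Policy decision for one request; any failure revokes the whole session."""
    if session.revoked:
        session.audit.append(f"deny {resource}: session already revoked")
        return "deny"
    rule = POLICY.get(resource)
    if rule is None or session.role not in rule["roles"]:
        session.revoked = f"unauthorized resource {resource}"
    else:
        missing = rule["require"] - session.posture
        if missing:
            session.revoked = f"posture drift, missing {sorted(missing)}"
    if session.revoked:
        session.audit.append(f"deny {resource}: {session.revoked}")
        return "deny"
    session.audit.append(f"allow {resource}")
    return "allow"

def replay(session: Session, events: List[Tuple[str, object]]) -> List[str]:
    """Feed a timeline of ('request', resource) / ('posture', {checks}) events."""
    decisions = []
    for kind, value in events:
        if kind == "posture":
            session.posture = set(value)   # continuous re-check, not just at login
        else:
            decisions.append(evaluate(session, value))
    return decisions
```

Note that once `revoked` is set, restoring the device's posture does not restore access; the user must re-authenticate, which is the "instantly disconnected" behaviour the text describes.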
DataEndure can help you on your journey to a safer network. If you’d like more information, please contact us or read our white paper, “Think ZTN doesn’t work or is too hard to deploy? Think Different.”