In September of 2001, I was conducting a comprehensive security audit of a major health care insurer. They were dealing with the early days of the HIPAA regulations and needed to assess data and application controls in their environments.
Then 9/11 happened. All air travel was suspended and major city centers such as NYC, Chicago, and Los Angeles removed all but essential personnel from many corporate offices.
The health care insurer, as well as many other organizations, decided to employ a rapidly evolving set of technologies around Virtual Private Networks (VPN), such as Citrix Remote Desktop, to support employees working from home. They had to focus on protecting the network perimeter because most of their applications were not designed with exposure to the outside world in mind.
We called it the “tootsie pop” defense. A hard candy shell (well, at the time anyway) represented by the network perimeter controls and the soft, chewy center were the applications and data storage platforms inside.
It was all they had available, and it worked to varying degrees. VPN technology was new and had yet to be as explored and exploited as it can be today.
Eventually, those remote workforce controls were relaxed, and employees started going back into the office. In fact, it was in the early to mid-2000s when companies like Yahoo and Microsoft began to require employees to be onsite. This was primarily a productivity initiative, but, as VPN use was reduced, it did serve to insulate many of those sensitive applications again.
Flash forward to today.
There are many factors driving the need to increase support of remote access. In our world, mobility is king. If I can watch movies or play games on my phone, why can’t I do my job from the same device? Another key factor is this new normal of social distancing and isolation in the face of the current medical environment.
Companies are sending everyone home. But they still have to maintain some semblance of business continuity.
So, are we better prepared to meet these remote access challenges than we were in 2001?
Network protections are still a part of the solution. VPN platforms and their associated support for complex encryption can provide that relatively hard candy shell around the organization’s infrastructure.
However, today, in the mobile world we live in, identity is the new perimeter. Requiring users to authenticate at the network can be a costly and maintenance-intensive approach. Especially for organizations that support large and/or external user bases such as students or partners.
The ideal is to provide direct access to the applications they need. But, that’s not a very good idea if we maintain an application infrastructure that is truly a chewy center.
The great thing is that application security controls have evolved since 2001. Controls such dynamic data masking, targeted multi-factor authentication, and selective access based on use cases such as role, location of access, etc. have allowed us to harden up that chewy center. Another key evolution is in the area of access logging.
The trend towards remote access will only evolve as we recover from the current crisis. I believe organizations will focus on establishing the necessary network and application-level controls to create a “jolly rancher” defense versus “tootsie pop.”
I’m dating myself, so substitute “jolly rancher” with your favorite hard candy.