
Part 3 of the 6-part Future of Work Networking Series: Reimagine Security.

The future of hybrid work is one with no digital boundaries. But a workforce that is mobile and untethered also increases the attack surface of the enterprise, putting data and day-to-day operations at risk. In addition, the number of IoT devices introduced onto the network every day balloons the attack surface. Without the proper protections in place, any device could provide unauthorized access into the network and its valuable resources.

From an IT perspective, the policies of the workplace need to be enforced wherever people and devices are located or on the move. Traditionally this has been achieved by putting endpoints on a trusted network behind a campus firewall. Today, SD-WAN enables the remote workforce to securely access SaaS and data center resources via direct internet connections, and lets IT manage that traffic with enterprise-wide access and security policies rather than per-site rules.

The Future of Hybrid Work requires a security experience that is an easy-to-manage platform combining wired, wireless, and WAN connections with zero trust, authentication, and privacy protections.

Reimagine Zero Trust to Secure Hybrid Workforce

The future of hybrid work needs a zero trust approach to network access. In short, the network assumes that every device can be compromised. Therefore, each device can only have access to specific resources according to security policies. But the workforce is mobile, so policies that were once enforced by location on the network need to move with people and devices. As a result, the previously fortified security perimeter is dissolving, leaving people and devices vulnerable to invasive and business-destroying threats like ransomware. IT security needs AI analytics and machine learning automation to instantly determine which endpoints can be allowed on the network and what access privileges to grant, even as endpoints move fluidly around the physical and virtual world.

Cisco SD-Access provides all the capabilities required for Zero-Trust in the workplace with Visibility (endpoint analytics and traffic policy discovery), Segmentation, Continuous Trust Assessment, and Containment that can be implemented in phases to meet each organization’s security goals. Using SD-Access, SecOps can define access policies once, and they’re consistently enforced everywhere in the network. Security Group Tags (SGT) travel with traffic everywhere it goes, so there’s no need to configure separate policies for the WAN, data center, and internet. This makes it possible to set up zero-trust networking in a campus and hybrid work environment. No matter where and how the workforce connects, there is a consistent access policy from end to end. The next step is to make authenticating endpoints easy and seamless for the workforce.

SD-Access Trust Analytics

Reimagine Authentication to Make it Simple and Effective

Secure authentication has been possible with digital certificates and physical mechanisms like SIM cards and USB dongles. However, these tend to be expensive to implement and distribute and can make devices less flexible to use. Ideally, the authentication process is simple and seamless, fitting into the daily workflow, so that the workforce will embrace it, not fight it. Authentication needs to be automatic to support open roaming, using credentials in the device to authenticate access. Cisco Duo is an example of how two-factor authentication ensures a device is tied to specific security and access policies by using an app on the owner’s smartphone.

Biometric characteristics will change how we authenticate devices and provide an even higher level of security. There are more than 30 characteristics that can be used to identify a person, including their face, voice, heartbeat, breath pattern, and walking gait. While some of these are not as distinctive as a fingerprint, when used in combination they establish a trust score. When a higher level of security is required, such as accessing a bank account, a higher trust score can be demanded from the device or personal biometrics.

This is how Cisco DNA Center implements zero trust. Devices must be authenticated before they are given access. Their access is limited to their specific permissions or device class. Note that the trust score can be dynamically adjusted. Just because a device has been authenticated doesn’t mean it can’t be subsequently compromised. Cisco DNA Center with Cisco Identity Services Engine (ISE) extends the zero-trust approach by observing each device in operation, creating a profile stored in the management controllers. If the device deviates from its expected behavior, such as trying to connect to an endpoint it usually never interacts with, ISE can downgrade its trust score. This in turn causes the network to adjust the device’s access permissions—preventing the potential spread of malware—until it can be reauthenticated or isolated for additional investigation.
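The continuous trust loop described above, together with the idea from the previous section that sensitive resources demand a higher trust score, as an added illustrative Python model. This is not Cisco ISE's or DNA Center's actual algorithm; the device names, flow records, scores, penalties and tier thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample flow records (device, destination) used to learn a baseline.
# These are not real telemetry from any product.
BASELINE_FLOWS = [
    ("printer-01", "print-server"),
    ("printer-01", "ntp"),
    ("printer-01", "print-server"),
]

# Illustrative access tiers keyed by the minimum trust score they require.
ACCESS_TIERS = [(80, "full"), (50, "limited"), (0, "quarantine")]


def build_profile(flows):
    """Learn the set of destinations each device normally talks to."""
    profile = defaultdict(set)
    for device, dest in flows:
        profile[device].add(dest)
    return profile


class TrustTracker:
    """Tracks a per-device trust score that falls when behaviour deviates."""

    def __init__(self, profile, start=100, penalty=30, reward=5):
        self.profile = profile
        self.scores = defaultdict(lambda: start)
        self.start, self.penalty, self.reward = start, penalty, reward

    def observe(self, device, dest):
        """Adjust trust: expected destinations nudge it up, unexpected ones cut it."""
        if dest in self.profile.get(device, set()):
            self.scores[device] = min(100, self.scores[device] + self.reward)
        else:
            self.scores[device] = max(0, self.scores[device] - self.penalty)
        return self.scores[device]

    def access_tier(self, device):
        """Map the current score to the access the network should grant."""
        for threshold, tier in ACCESS_TIERS:
            if self.scores[device] >= threshold:
                return tier
        return "quarantine"

    def can_access(self, device, required_score):
        """Policies for sensitive resources may demand a higher score."""
        return self.scores[device] >= required_score

    def reauthenticate(self, device):
        """A successful re-authentication restores the starting score."""
        self.scores[device] = self.start
```

Each unexpected destination lowers the score and, through `access_tier`, narrows what the device may reach until it re-authenticates.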

Reimagine Privacy Protections

As the boundaries of the network disappear, concerns about privacy continue to be raised. If a laptop or cell phone is linked to the identity of the current owner and the network knows where every device is located, then a person’s every move can be tracked.

A key part of any security strategy is to assure the privacy of the workforce, where appropriate. For example, an employer has the right to know what a person is doing at the airport when on a business trip. However, this right does not extend to personal activities such as accessing a brokerage account.

Privacy is more than just a nice-to-have feature. According to Gartner, 65% of the world’s population will have their personal data covered under modern privacy regulations by 2023. Some of these regulations, like the GDPR, impose real financial consequences for violations. Organizations that ignore privacy regulations will find doing so negatively impacts the workforce experience and their bottom line.

Cisco secures connections and protects the workforce through Cisco DNA Center, Trust Analytics, and ISE. Each person’s device can be segmented based on applications and services it has permission to access. With zero trust and management platforms, IT can maintain a high level of security, regardless of where the workforce is located. With better visibility and technology like segmentation and trust scores, IT can protect people and the enterprise from high-cost and high-profile security breaches.

In part 4 of this blog series, we will Reimagine IoT and Smart Buildings and how they support the future of hybrid work.

Authors

Greg Dorai

Senior Vice President & General Manager, Cisco Networking Experiences - Campus Connectivity
