An operating system that can do everything: secure telework according to Fortinet
November 28, 2023
The security challenges of hybrid work are complex, but the solution shouldn’t be. How can you securely connect remote workers across a variety of solutions and protocols without creating headaches for employees or administrators?
Applications, employees and devices are everywhere. In a hybrid work environment, there is no longer a safe space. Every device and its user must be optimally secured at every location, otherwise leaks will occur. This is easier said than done.
Large attack surface
“There are more entry points into the corporate network for attackers than ever before,” said Patrick Commers, cybersecurity evangelist at Fortinet Belgium. “Hackers can break in through headquarters, satellite offices, retail stores, manufacturing environments, cloud services and hybrid workers. The corporate network is more elastic and dynamic than ever. The different parts of the corporate network are interconnected and have a direct connection to the Internet and cloud environments. We talk about a proliferation of ‘edges’. As a result, an organization can no longer say that certain parts of the network may be less secure.” Never before have all of an organization’s digital components been so connected and at the same time so disconnected.
It’s now clear that just having a firewall at headquarters won’t get you there. So what should you do to protect the IT environment in a world where the CEO can log into the corporate server from a coffee shop in Hawaii?
Choose your tools
Commers points to different technologies being adopted by companies at different levels.
VPN: A virtual private network is the most popular telecommuting technology. After logging in and a one-time verification, an employee receives almost unrestricted access to the company network. This is useful, but not completely secure, as this access is also available to an attacker who has compromised a laptop.
ZTNA: Zero trust security considers the user’s identity, a device’s security level (e.g. most recently installed updates), and policies associated with an employee to grant access to a specific application. These different variables are continually checked and produce a security score. As soon as this value deteriorates, the application will be disconnected. Depending on the application, different requirements may apply.
CASB: A cloud access security broker sets rules and policies to ensure that the right people with the right permissions connect to the right SaaS applications.
SWG: The Secure Web Gateway works the other way around and protects employees from dangers on the Internet. For example, malicious websites are blocked.
No single technology is the answer to all telecommuting challenges. ZTNA is very secure, but you can’t easily implement it for older apps. A VPN may be suitable for accessing such applications. The CASB has nothing to do with applications that do not run in the cloud. And the secure web gateway has to be located somewhere. To secure a teleworker’s laptop, you need a variety of tools that ideally work well and efficiently together.
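The difference between the VPN and ZTNA models described above can be shown in a few lines. This is an added example, not Fortinet code: the posture fields, score weights, thresholds and application names are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

@dataclass
class Posture:
    user_verified: bool    # identity check passed
    days_since_patch: int  # device security level (most recent updates)
    edr_running: bool      # endpoint agent healthy (hypothetical signal)

# Hypothetical per-application policy: who may connect and the minimum score.
APP_POLICY = {
    "wiki":    {"groups": {"staff", "finance"}, "min_score": 40},
    "payroll": {"groups": {"finance"},          "min_score": 90},
}

def score(p: Posture) -> int:
    """Constructed scoring: identity is mandatory, device health adds points."""
    if not p.user_verified:
        return 0
    return 50 + (30 if p.days_since_patch <= 30 else 0) + (20 if p.edr_running else 0)

def ztna_allows(app: str, group: str, p: Posture) -> bool:
    """ZTNA: identity, device posture and policy are checked per application."""
    policy = APP_POLICY[app]
    return group in policy["groups"] and score(p) >= policy["min_score"]

def vpn_allows(session_authenticated: bool) -> bool:
    """VPN: one-time verification, then access regardless of application."""
    return session_authenticated

def replay(app: str, group: str, snapshots: list) -> list:
    """Re-evaluate at every posture snapshot; returns (vpn, ztna) per step."""
    vpn_session = snapshots[0].user_verified  # decided once, at login
    return [(vpn_allows(vpn_session), ztna_allows(app, group, p)) for p in snapshots]

# Constructed timeline for one laptop: healthy, agent stopped, patches overdue.
TIMELINE = [
    Posture(True, 5, True),    # score 100
    Posture(True, 5, False),   # score 80
    Posture(True, 45, False),  # score 50
]

if __name__ == "__main__":
    for app in APP_POLICY:
        print(app, replay(app, "finance", TIMELINE))
```

In this timeline the VPN decision never changes after login, while the ZTNA check drops the payroll connection as soon as the score falls below that application's threshold and keeps the lower-risk wiki reachable.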
Why not everything?
According to Commers, Fortinet has the solution with FortiSASE. “This security framework brings everything together,” he says. “SASE is the combination of a network component (SD-WAN, WAN optimization, routing and content delivery) and a cloud-based security solution that includes Firewall as a Service/Secure Web Gateway (FWaaS/SWG), Cloud Access Security Broker (CASB) and Zero Trust Network Access (ZTNA).”
“On the back end, the infrastructure runs on FortiOS. It is an enterprise-class converged operating system that can support all SASE features, including firewall, SD-WAN, Secure Web Gateway, encryption and decryption, CASB, DLP and ZTNA, both on the device and in the cloud.”
As soon as the employee works outside the company environment (at home, at work, in the hotel, etc.) and is therefore no longer behind the company firewall, the FortiSASE framework offers the right solution for three important use cases. Commers: “Firstly: when you surf the Internet (Secure Internet Access), your connection runs via Fortinet’s own infrastructure in the cloud. There is a secure web gateway and the company’s Internet policies are applied. If the employee needs to consult SaaS applications such as Microsoft 365 or Salesforce (Secure SaaS Access), this is done securely and the employer has visibility into who is doing what on which SaaS application through the built-in CASB capabilities. The teleworker therefore goes through security measures at the company level.”
If an employee wants to use applications located on-premises or in their own cloud environment (Secure Private Access), the customer also connects to our SASE environment in the cloud to access internal resources in a secure manner. To ensure an optimal end user experience, the different locations and your own cloud environment can be connected to the SASE platform via our SD-WAN technology, which is integrated into the FortiGate Next Generation Firewall.
The interaction of all factors is a great advantage, says Commers. Finally, management takes place via a central portal where policy rules are rolled out across the entire security infrastructure. The same safety rules apply in the office or café and FortiOS ensures these are enforced through the right technology. “This way there is no spaghetti with different solutions,” says Commers.
SASE with local protection
In the Fortinet scenario, both the headquarters and the branch offices as well as the company’s own cloud environment are equipped with local firewalls. These firewalls not only provide security but also support SASE functionality. If necessary, employees can connect to the on-site infrastructure directly via the firewall, ZTNA or via a Fortinet SASE POP. “But that shouldn’t be the case,” emphasizes Commers. “The FortiGate provides security.” Conversely, the office firewall provides efficient protection and does not redirect traffic to a web firewall in the cloud unless necessary.
How important are the POPs?
With FortiSASE, businesses can gain complete visibility into their networks and security for secure internet access, secure private access and secure SaaS access from anywhere. To provide the best user experience and high availability, Fortinet now has over a hundred FortiSASE cloud locations worldwide.
Fortinet also recently announced that it has entered into a strategic partnership with Google Cloud to increase the number of POPs to over 100 and to continue ensuring an optimal user experience, for which proximity is essential to availability, redundancy and performance.
SASE is still a relatively new solution that is constantly evolving, but it is more than a buzzword. The technology offers a leaner and more efficient way to manage and secure network traffic, especially in the context of hybrid work. A well-rolled-out solution protects connections to and from the Internet, including for SaaS and private applications.
To ensure advanced threats cannot penetrate your network, device or edge, cloud-based security solutions within the SASE solution must remain current. In this way, they keep up with the latest developments and can protect against constantly evolving threats.
This article was created in collaboration with Fortinet.