During research for the TAG Cyber Security Annual, the topic of secure remote access emerged as a tough control to explain. I discovered an alphabet soup of options, standards, and protocols including VPN, SSL, HTTPS, RDP, HTML5, VDI, Citrix, and IPSec. The number of endpoint options made things no easier, with many different shrink-wrapped and SDK solutions for PCs, mobiles, gadgets, servers, and workloads.
With such complexity in mind, I scheduled some learning time with HOB, a German company that knows a thing or two about secure remote access. HOB executive, Armin Graefe, was kind enough to share his unique perspective on this control area. After our discussion, I came to two conclusions: The first was that Armin had much to share, and the second was that I had much to learn!
Secure remote access involves four architectural regions: The first involves endpoints, including PCs, mobiles, and IoT devices. The second involves the end-to-end security protocol being used, with SSL and IPSec as most popular. The third involves VPN access gateway and proxy solutions, which is where the HOB solution resides. The fourth involves the entities, including servers, targeted by endpoints for access.
With this model in mind, I could create four-tuples to place Armin’s descriptions into context. For example, a user PC (1) can use IPSec (2) through a VPN gateway (3) to reach a cloud server (4). Similarly, an IoT device (1) can use SSL (2) to send telemetry securely through the HOB WebSecureProxy (3) to a research center database (4). This 1-2-3-4 approach allows you to build use-cases that can be compared.
Such an explosion of possibilities, however, does pose a challenge for cyber security teams, primarily because the selection of remote access method will not be driven primarily by security. Rather, user preference, business need, operational requirements, physical footprint, and cost will be the main drivers of how remote access is achieved. Hence, the security engineer is best focused on ensuring solid security design goals.
The three security design goals Armin shared involved scale, integration, and efficiency of a secure remote access method. Each of these goals, he explained, were essential to a properly implemented secure access solution. “In the early days of HOB,” Armin explained, “our team discarded two SSL implementations because it was believed that we could improve on the security design objectives in our product.”
The issue of scale is especially challenging for secure remote access solutions. The massive increase in number of IoT devices, for instance, complicates their secure management. Provisioning, in particular, must be handled in a scalable manner to avoid identity-based spoofing. “The HOB IoT solution focuses on provisioning through a highly secure mobile pre-installation processes,” Armin explained.
The issue of integration is also challenging given the number of interfaces in a remote access environment with the four regions cited above. To minimize complexity and to reduce the likelihood of exploitable vulnerabilities between regions, secure remote access solutions should optimize standards-based interoperability, hopefully pre-tested for the various use-cases that can arise.
The issue of efficiency follows from the size growth of IoT environments. Security teams struggle to introduce protection solutions that track connectivity and speed requirements. The HOB SSL gateway addresses this issue through a classic architecture, driven by experiences with centralized processing. “We have a thoroughly-proven architecture for our gateway,” Armin said.
Clearly, the complexity of use-case possibilities for secure remote access will continue to nag CISO teams trying to simplify their infrastructure. Complexity is also no fun for security analysts like me trying to make sense of the field. Sadly, however, the complexity of the secure remote access market will continue to grow, given the plethora of endpoints, protocols, options, and solutions in use today.
My learning from Armin and the team at HOB, however, is that you can control the complexity, and that a scalable SSL solution is one of the most effective controls in your entire environment – especially if you are moving toward large-scale IoT. I fully recommend that you make it a priority to take inventory of your current secure remote access ecosystem, and I am certain you will find some ways to improve.
Please share with us your experiences.