How AWS Partners Can Help You Sleep Well with a Strong Zero Trust Strategy for Remote Work
By Kristin Escobar, Global Segment Lead, Digital Workplace – AWS
By Andrew Kloman, Global Partner Solutions Architect, Digital Workplace – AWS
By Dudi Matot, Global Segment Lead, Security – AWS
By Scott Ward, Global Partner Solutions Architect, Security – AWS
Many of us have spent the past year following pandemic guidelines, working remotely or from home. Even as we begin to see a slow return to the office, remote work will likely remain a mainstay in the future.
Security is something keeping many IT leaders up at night in this new normal. They are focused on ensuring their corporate environment is safe while allowing remote workers to work anytime from anywhere.
As organizations prepare for long-term solutions to support workers’ flexible work requirements, securing those users is at the heart of planning. Businesses need to establish a level of trust between their staff, whether full-time individuals, part-time workers, or contractors.
As companies build their long-term digital workplace strategies, looking at Zero Trust and what that means from a user perspective is key. Gartner predicts significant growth in security and risk management in the coming year. Areas of growth that apply to the digital workplace are identity management, data security, and cloud security.
In this post, we’ll define Zero Trust, highlight solutions that are key to delivering trust at the user level, and highlight AWS Digital Workplace Competency Partners and AWS Security Competency Partners that offer these solutions to customers.
As you look to evaluate the right solutions for your organization, there are three areas to consider: cost, risk, and user experience. Is too much security too costly and difficult for users? Do some user types have greater risk than others?
Asking these questions as you build a trust strategy for the digital workplace will set the stage for meeting the needs of your organization in this new flexible work environment.
What is Zero Trust?
Zero Trust is a conceptual security model and associated set of mechanisms that focus on providing security controls around digital assets. These assets do not solely or fundamentally depend on traditional network controls for network perimeters.
There are two key dimensions: network and identity.
From the network side, do we achieve the right level of trust by allowing network packets to flow between endpoints and layering security controls on top, or do we break systems down into smaller components and implement micro-perimeters? Do we add gateways, or do we pursue a combination of these?
From the identity perspective, we are thinking about human interaction via PCs, phones, and tablets. Identities and authentication methods may vary, and a combination of solutions may be put in place.
When we look at this through the lens of the digital workplace, we’re specifically looking at solutions that provide endpoint management, web application management, and desktop application management.
For a more detailed discussion about Zero Trust, read the blog post Zero Trust Architectures: An AWS Perspective.
Zero Trust for the Digital Workplace
As you look to implement Zero Trust in your day-to-day work environment, make sure there’s a clear understanding of the business requirements. These become a balance of security risk, cost impact, and productivity, and they vary by industry.
Let’s look at an educational institution and a government agency as an example. An educational institution may rank its security risk below ease of use for students, while a government agency may rank security risk at the highest level. Check out this case study from CyberArk for work they did with Texas A&M University.
Once the requirements are outlined, you’ll need to assess which controls are important to your business. An important part of the Zero Trust concept is adding contextual or risk-aware policies and metrics. For example, providing access to all applications when they are accessed via the corporate network but not when the device is off network illustrates a network-level contextual metric and policy.
Another example is looking at the login frequency of users as a risk-based assessment. There are numerous scenarios to consider: block, limit, or allow full access. These should not only be considered for initial access but validated throughout the duration of a user’s session.
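To make the contextual policy idea concrete, here is a small risk-aware access evaluator. It is an added example written for this post, not code from AWS or from any partner listed here. It applies the two policies the text describes (a network-level rule that restricts which applications are reachable off network, and a login-frequency rule) plus a device posture check, returns one of the three outcomes the text names (block, limit, or allow full access), and re-evaluates the decision as the session progresses rather than only at initial login. The signal names, thresholds, application names, and the sample session are all constructed assumptions for illustration.

```python
"""
Added example (not from the AWS post or any partner product): a contextual,
risk-aware access policy evaluator. Every signal name, threshold, and
application name below is an assumption made for illustration.
"""
from dataclasses import dataclass, replace
from enum import Enum
from typing import Dict, List, Tuple


class Decision(Enum):
    ALLOW = "allow"   # full access
    LIMIT = "limit"   # reduced access, e.g. step-up authentication required
    BLOCK = "block"   # no access


@dataclass
class AccessContext:
    """Signals gathered about a user, device, and session (assumed fields)."""
    user: str
    on_corporate_network: bool
    device_compliant: bool       # posture as reported by an MDM/endpoint agent
    logins_last_hour: int        # login-frequency signal
    session_age_minutes: int     # minutes since initial authentication
    requested_app: str
    mfa_completed: bool = False


# Constructed policy thresholds (assumptions, not vendor defaults).
MAX_LOGINS_PER_HOUR = 5
MAX_SESSION_MINUTES = 480
OFF_NETWORK_ALLOWED_APPS = {"mail", "chat"}   # apps reachable off network


def evaluate(ctx: AccessContext) -> Tuple[Decision, str]:
    """Return (decision, reason). Rules are ordered most restrictive first."""
    if not ctx.device_compliant:
        return Decision.BLOCK, "device failed posture check"
    if ctx.logins_last_hour > MAX_LOGINS_PER_HOUR:
        return Decision.BLOCK, "login frequency exceeds threshold"
    if ctx.session_age_minutes > MAX_SESSION_MINUTES:
        return Decision.BLOCK, "session exceeded maximum lifetime; re-authenticate"
    # Network-level contextual rule: off-network devices see fewer applications,
    # and even those require completed MFA for full access.
    if not ctx.on_corporate_network:
        if ctx.requested_app not in OFF_NETWORK_ALLOWED_APPS:
            return Decision.BLOCK, "application not available off network"
        if not ctx.mfa_completed:
            return Decision.LIMIT, "off network without MFA; step-up required"
    return Decision.ALLOW, "all checks passed"


def reevaluate_session(ctx: AccessContext,
                       events: List[Dict]) -> List[Tuple[int, Decision, str]]:
    """Continuous validation: apply each context change in turn and
    re-run the policy, stopping at the first non-ALLOW decision."""
    decisions = []
    for change in events:
        ctx = replace(ctx, **change)          # updated signals for this point in time
        decision, reason = evaluate(ctx)
        decisions.append((ctx.session_age_minutes, decision, reason))
        if decision is not Decision.ALLOW:
            break
    return decisions


def demo_session() -> List[Tuple[int, Decision, str]]:
    """Constructed sample session: a user starts on the corporate network,
    later moves off network with MFA, and then the device falls out of compliance."""
    initial = AccessContext(user="alice", on_corporate_network=True,
                            device_compliant=True, logins_last_hour=1,
                            session_age_minutes=0, requested_app="hr-portal")
    events = [
        {"session_age_minutes": 60},
        {"session_age_minutes": 120, "on_corporate_network": False,
         "requested_app": "mail", "mfa_completed": True},
        {"session_age_minutes": 200, "device_compliant": False},
        {"session_age_minutes": 300},   # never reached: session was blocked
    ]
    return reevaluate_session(initial, events)


if __name__ == "__main__":
    for age, decision, reason in demo_session():
        print(f"t={age:>3} min  {decision.value:<5}  {reason}")
```

The ordering matters: hard blocks (posture, login frequency, session lifetime) are checked before the contextual network rule, so a non-compliant device is refused even on the corporate network, and the evaluator is re-run on every change to the session's signals rather than trusting the initial decision for the session's whole duration.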
Solutions that provide these levels of security include single sign-on (SSO), identity and access management (IAM), and mobile device management (MDM). When it comes to the digital workplace, we break it down into three buckets: endpoint management, web application management, and desktop application (VDI) management.
Zero Trust Solutions from AWS Partners
Now that we understand what Zero Trust means as it relates to the end user, it’s important to note this is a conceptual model and not a prescriptive reference architecture.
As you look to evaluate the right solutions for your own organization, Amazon Web Services (AWS) has validated partners in this space that can help companies find the right solution for their needs.
Check out these validated partner solutions and find out what Zero Trust means to your company.
Endpoint Management – Network & Identity
Endpoints are a primary piece of ensuring security for an organization. While they have always been an important piece, with the current increase in remote work these endpoints are outside the corporate perimeter now more than ever.
Make sure your applications, if needed, assess your endpoints. This includes networking, local data storage, operating system (OS) and application execution, and user and device permissions.
Key concerns focus on provisioning, security, and getting intelligence from the endpoint and its peripherals. Check out these solutions that address these concerns.
AppGate SDP provides secure multi-point connectivity to eliminate virtual private network (VPN) switching. Based on the principles of Zero Trust, AppGate offers a unified, API-enabled enterprise-grade solution that reduces operational complexity for DevOps to efficiently work in today’s diverse, hybrid IT environments.
Enforcing privilege security on the endpoint is a fundamental part of your security program and a core requirement of a solid hygiene program. By allowing your organization to run employees as a standard user (and not an administrator) and enforcing least privilege on their workstations/VDIs/VMs, CyberArk’s Endpoint Privilege Manager keeps your organization secure while keeping users, IT, and security teams happy.
Druva delivers cloud-native data backup and recovery, management, and data governance across SaaS apps and employee devices. Built on AWS infrastructure and utilizing a Zero Trust security architecture, Druva reduces the cost and complexity of data protection while improving cyber resilience and compliance.
PrinterLogic is an AWS Well-Architected solution that allows you to empower end users with secure and simple printing capabilities designed for the modern workplace. With PrinterLogic, you can centrally manage direct IP printing from a single SaaS-based solution that supports all endpoints, including VDIs.
SOTI MobiControl is an Enterprise Mobility Management (EMM) solution that empowers companies to securely manage their mobile deployments with any device, any form factor, and any OS in the cloud. Control all aspects of business mobility, from tracking physical assets to managing apps and content, while keeping devices and data safe and secure.
Zscaler enables the world’s leading organizations to securely transform their networks and applications for a mobile and cloud-first world. Its cloud services—Zscaler Internet Access and Zscaler Private Access—create fast, secure connections between users and applications, regardless of device, location, or network.
Web Application Management – Provision and Protect
Web application backends can be monolithic or use microservices or serverless architectures. When it comes to managing these, we are concerned with the provisioning, protecting, and intelligence of applications to end users via a web browser.
Provisioning can be accomplished by providing a web application portal. Intelligence can be received via the connection of the web application protocols or other agent-based metrics.
Security uses these intelligence metrics to apply contextually aware risk-based policies that grant or deny access as well as ongoing analysis. Take a look at how these partner solutions support this need.
Auth0’s modern approach to identity enables organizations to provide secure access to any application, for any user. The Auth0 platform is a highly customizable identity operating system that’s as simple as development teams want and as flexible as they need. Auth0 is also now part of Okta.
Beyond delivering identity as the foundation for a Zero Trust framework, Okta integrates deeply across security solutions to unify your approach. Through the Okta Integration Network, Okta invests in and maintains deep integrations across all components of the extended Zero Trust ecosystem. Okta offers integrations for a variety of AWS technologies, enabling seamless user and customer experiences.
OneLogin offers a complete IAM solution that manages all of your workforce and customer identities. OneLogin provides many integrations with AWS to help securely accelerate your cloud journey, whether you’re migrating workloads or building cloud native applications.
Ping Identity helps enterprises achieve Zero Trust identity-defined security and more streamlined user experiences. The Ping Intelligent Identity Platform provides customers, employees, and partners with access to cloud, mobile, SaaS, and on-premises applications and APIs, while also managing identity and profile data at scale.
SailPoint ensures your AWS environments are properly secured and governed. Through the power of identity security and artificial intelligence (AI), you can be equipped to meet the requirements of your continuously evolving business and digital workplace.
Desktop Application (VDI) Management
Desktop applications are tied to the OS they run on. Adding abstraction layers between the endpoint, OS, and application helps with the management of these desktop applications.
VDI or Desktop as a Service solutions allow the desktop and its applications to execute away from the endpoint. In a way, this can make the desktop behave more like a web application.
Citrix transforms how businesses and IT work, and how people collaborate in the cloud era. With market-leading cloud, collaboration, networking, and virtualization technologies, Citrix powers mobile workstyles and cloud services, making complex enterprise IT simpler and more accessible for 100 million users across 400,000 organizations.
Nutanix Frame is a cloud-based Desktop as a Service that’s quick and easy to deploy. Frame simplifies the secure management and delivery of Windows apps and desktops to your users, regardless of where they work and what device they use. Turn Windows apps into web apps by streaming them to any browser from the cloud with Frame.
Teradici CAS provides high-performance remote visualization capabilities that deliver a responsive user experience even for the most graphics-intensive applications and workloads. CAS is built on industry-leading PCoIP technology to securely deliver a rich and lossless user experience across all network conditions on a variety of desktop and mobile endpoint devices.
VMware Horizon on VMware Cloud on AWS delivers a modern platform for secure delivery of virtual desktops and applications across the hybrid cloud, from a market leader in Software-Defined Data Center (SDDC) and digital workspaces.
The way we all work continues to evolve. Be prepared, make a plan, and build trust across your organization and your customers.
As you begin your journey towards Zero Trust and ensure your flexible work plans are securely enabled, remember to understand the outcome you’re trying to achieve. The solution you look for will be a balance between security needs and cost, coupled with providing a positive user experience.