How to Secure Internally-hosted Applications and Servers Accessed Remotely
Years ago, I remember sitting in a cramped, musty basement office surrounded by a curious array of computers, servers and old monitors. I was sipping tepid coffee and staring at a flickering CRT monitor that was slowly draining my joie de vivre. While to the external viewer this would have seemed as depressing as an Eastern European art film, this was a challenging project. I was in the process of building a reverse proxy. Why? Because my boss thought it would be a neat project. There was no business case at the time. But that planted a seed in my mind that has stuck with me ever since.
If we think of Zero Trust as a journey, protecting cloud apps is a relatively easy first step. The real headaches come when dealing with those tricky applications that are on-premises or homegrown. How about remote access to servers? What type of access is given to contractors? The move to remote work has brought those challenges front and center for a lot of us.
Flash forward to today and I find myself talking to customers around the world and drawing on that experience in the basement. Historically there has been a bent towards a fortified perimeter with guards on the castle walls but, if we’re being honest with ourselves, that is a deprecated and risky notion.
The Remote Workforce is Everywhere
How do we secure internally-hosted applications and servers accessed by remote workers and contractors as well as we do our SaaS applications? Remote access is often painful and slows productivity or runs the risk of giving too much access to the wrong users. The modern perimeter is now anywhere an access decision is being made.
Would it not make more sense to get a firm grasp on where and how those access decisions are being made? Case in point: you would not want me sitting at a coffee shop in Toronto with the ability to log directly into your customer database or email solution simply because I knew the password. There is nothing to validate that I am in fact supposed to be there in the first place. A reverse proxy will sit inline to validate my credentials, leveraging MFA to ensure I didn’t just have a lucky guess.
The Duo Network Gateway Secures Applications Remotely
Enter the Duo Network Gateway, or more succinctly, the DNG. It gives organizations the ability to secure access to the applications they need to keep the lights on and the business operating. It allows you, as an IT or security professional, to control the users and devices that access these applications.
That means better control over access to your internal resources such as Jira or Splunk, as well as cloud-delivered applications such as Outlook 365 and Salesforce. It even secures SSH connections, allowing you to sleep at night knowing that the risk to your enterprise is being addressed.
How the Duo Network Gateway Works
To better connect the dots we can use this example: users would first authenticate to the Duo Network Gateway and then they would need to approve a two-factor authentication request prior to accessing your enterprise protected services. Session awareness helps to minimize the need for repeated MFA prompts as users access additional services and hosts via your gateway.
When DNG is coupled with Duo’s Policies and Trusted Endpoints, it helps to obviate the need to rely on passwords alone. Passwords, in their own right, have long outlived their usefulness. The analogy of leaving a key under the doormat springs to mind. If a passerby happened to discover your key beneath the mat, they would be able to access the house. This does not mean that they are supposed to be there. Apply this to the enterprise, with an attacker holding a legitimate password in place of the passerby, and it drives home the need to reduce the attack surface.
Streamlining the access control to enterprise assets will help reduce risk to the company and reduce costs. For every password reset that needs to be dealt with there is a cost involved. With multi-factor authentication and a DNG at your disposal this cost will come down.
That cost saving comes from reducing password resets, which are replaced by the ability of users to self-manage. The reduced number of authentications will streamline work for users, who will need to authenticate once to the DNG to access the applications that they need in order to get their jobs done.
Reduction in risk. Reduction in costs. Improvement in sleep. What’s not to love?