Why Is Digital Workplace Enterprise Security Important?

Share this post:

• Share on Facebook
• Share on Twitter
• Share on Linkedin

March 20, 2023

By:Prashant Gokul Pawar, Principal Architect - Cloud and Infrastructure Services, LTIMindtree

Today, even non-IT industries are increasingly focused on digital workplace (DWP) security, which is in high demand because industries have large cloud footprints and use hybrid infrastructure regularly.

In this blog, I would like to shed light on the 'zero-trust network access' (ZTNA) cyber security model because this is well-known and is being adopted faster in the cyber security world as-is (how your infrastructure adheres to the Centre for Internet Security and National Institute of Standards and Technology, Cyber Security Framework).

Given that we are all moving towards the digital era, it is imperative to have security components along with a recommended framework for each infrastructure element, apart from ensuring that all related aspects are covered. However, we need to find out where your data is stored, who manages it, and how they take care of it at the core infrastructure level. At the top level, most data-center infrastructure and application services are typically hosted on IAS, PAS, SAS, or a private cloud and are hyper-converged and on-premises.

In this blog, I have compared the zero-trust network access model with the network OSI layer or TCP/IP model. You may compare this entire model with the OSI layer model and then start to protect each of your infrastructure aspects according to the OSI or ZTNA.

The following are the core elements of DWP enterprise security:

• Endpoints (physical or virtual) and their operating system images
• Notepads, desktops, etc.
• VDIs
• Users' identities
• Applications and collaboration platforms
• Data stores - fixed, cloud, peripherals storage
• Network and remote connectivity

What is a 'zero-trust-network-access' model?

This model is one of the logical concepts of cyber security strategies that protect all areas where malicious traffic or outside actors may attempt to enter your organization. The below diagram illustrates the zero-trust logical model that is trying to cover all elements from a digital workplace (DWP) security perspective.

How to implement 'zero-trust' security for DWP infrastructure?

One must begin with the basics, such as assessing infrastructure, geo environment, network connectivity, and business demands.

Technical aspects to consider:

• Assess how secure users and end devices access the infrastructure landscape.
• The types of security controls of applications and collaboration platforms deployed.
• The network topology and its associated security controls.
• The current governance and security model.
• The current SOC (Security Operation Center)/SOAR (Security Orchestration, Automation, and Response) process.
• The SIEM (Security Information and Event Management) process.

Non-technical aspects:

• Use cases with scenarios.
• Current infrastructure (considering on-premises and cloud), applications security risks, and their impacts.
• Vendor selection based on POC's results.
• The scope document.
• Preparation of a set of actions.

A deep dive into the fundamentals:

There are six pillars that protect your infrastructure, its associated network, identity, endpoints, data, and applications (line of business, enterprise, stored-based applications, etc.).
We will explore each of these pillars in detail.

Identity:

Identity covers both users and devices. To protect identity, you need a good governance model in place, considering your nomenclature, onboarding and offboarding processes, etc. Then, you need to understand how all the identities are situated across the network, given that some are in the cloud or on-premises. With these inputs, all aspects need to be set up in a tiering or layering model, called privileged access or identity management. Multifactor authentication, identity attribute protection policies, and policy frameworks are increasingly important in meeting basic needs.

Sample example:

• Tier 0 - Highly privileged identities, business-critical servers, or services.
• Tier 1 - All applications and data-based servers.
• Tier 2 - All normal business users' layers.

Now, you can protect your identity by thinking along the following lines:

• Who is going to access it?
• When and where will they access it?
• How will they access it?
• What will they access, and in how much time?

In the solution, you put filters on the above-mentioned areas to protect identities and create conditional-based access on systems.

Networks:

The network is crucial to protect from the outer world because it originally exposes both the internal and external aspects. A complete 360-degree understanding of the network and the placement of their devices is imperative, and connecting those dots with their associated services, applications, and infrastructure, which have tags. With tagging these services, it becomes easier to place security controls.

Below are some important factors that you should consider:

• Geolocation of links and network devices.
• What are the different types of protection models for cloud or on-premises devices?
• For those network devices, there is a security governance framework, a role-based access model, and privilege access management.
• WAN links, VPN or non-VPN protection, SD-WAN security policies. In addition, measure all types of access and log forwarding on a single system.
• A central control plane to manage inline devices.

Endpoints:

Endpoints are laptops, notepads, desktops, and VDI (virtual desktops) and should be protected by EDR/XDR (endpoint detection response/extended detection response) with the basic security baseline and OS hardening policies. Some add-on tools, such as data protection and labeling, help prevent data leakage.

Data and Applications:

These are both related to each other. Data applications can be protected in numerous ways here, but some basics, like encryption, should be covered by SSL protections first. Many of the security features are the same as those on endpoints. Only secured and trusted applications should be available to businesses.

Infrastructure:

Infrastructure refers to your physical or virtual data centers and their modelings, like the type of data center hosted and their associated network links or direct connectivity. There are many aspects to protecting your data centers, which is why ISO and other certifications are mandatory. All inbound and outbound communications should be encrypted and secured using the HTTPS, TLS, and SSH protocols. To protect your data centers, you should enforce physical security and zero-trust network access frameworks protecting your servers, other systems, and services.

This way, you can build your zero-trust network access (ZTNA) security model. Once you're satisfied with all the implementations, the logs can be forwarded to the SIEM tools (which also serve as a depth correlation), which your security operations teams will analyze in terms of their correlation to create security incidents based on all chronological orders.

Conclusion:

A zero-trust model for digital workplace security is suggested, considering all the aspects of your IT infrastructure. While the basic security principles or fundamentals are the same in various solutions, a better understanding, correct deployment, and business needs are very important - and all these should be bound together for a more secure digital workplace environment.

The important piece is your security framework, which should work actively with your business to look at vulnerable world factors. Given that cyber security products are emerging in response to market threats, and your security processes and built-in automation are your company's property, it is imperative to build loyalty with a legacy towards business, which helps provide a strong foundation.

At LTIMindtree, we help provide a custom build of the DWP enterprise security model, so that users can access it easily from anywhere with their stateless device form.

To know more, please contact us.

Latest Blogs

Share this post:

• Share on Facebook
• Share on Twitter
• Share on Linkedin