Has your organisation been forced to deploy a make shift Hybrid Work Architecture to support Work from Home during the pandemic? Has this capability since become an expectation of IT and its systems, without consideration for whether the existing infrastructure and system are suitable? Without consideration of the additional workload placed on the IT helpdesk ? Or the significant compromises in security and end user experience?
Are you now forgoing compliance of your mobile devices when they are remote? In particular, when mobile devices are remote to your corporate network, are they obtaining Microsoft Group Policy, authenticating against Active Directory and obtaining Windows, Application and Endpoint Security updates?
Many organisations are currently grappling with how to provide a secure and reliable work from anywhere experience; whilst having to maintain access to legacy on-premise applications. Unfortunately, the first compromise that is made in this scenario is typically security, followed closely by the end user experience, both of which result in increased workload for the IT help desk and a decrease in end user satisfaction.
What are the non-negotiable requirements for supporting users working remotely?
• A Hybrid Work Architecture that guarantees a consistent end user experience, whether working remote or in the corporate office.
• A Hybrid Work Architecture that ensures domain joined corporate devices and users are always authenticating against Active Directory.
• A Hybrid Work Architecture that ensures remote users and devices are protected by the corporate firewalls.
• A Hybrid Work Architecture that ensures users retain legacy functionality such as mapped drives.
• A Hybrid Work Architecture that does not require a costly rip and replace of legacy applications or a full migration from on-prem to the Cloud.
• A Hybrid Work Architecture that reduces overhead for the IT Helpdesk.
What if there was a way to ensure your organisations’ mobile devices were obtaining Group Policy updates whether the user was inside the corporate network or remote? Always authenticating both machine and users accounts against Active Directory? Always have access to mapped drives which your legacy application depends upon? And are always compliant with your organisation’s endpoint security requirements?
This can be achieved with the use of Check Point Endpoint Security and Check Point Quantum Security Gateways. Mobile devices and users can operate with the same levels of access and security when remote as they do when inside your corporate network, significantly reducing the support overhead for internal IT teams, by providing a solution that always works whilst improving the security of your mobile devices.
How is this achieved?
Through the use of always on, machine certificate-based VPN, that utilises location awareness to determine if the user is operating from inside the corporate network or remotely. Through the use and correct configuration of Microsoft Active Directory Certificate Services, Check Point Harmony Endpoint Security and the Check Point Quantum Security Gateway policy, corporate laptops connect to the VPN upon bootup using the Active Directory machine account and authenticating through the use of a Microsoft ADCS machine certificate. The gateway’s security policy dictates what level of access the machine account has access too, which is typically just the Domain Controllers for machine authentication. The user then logs into Windows using their user credentials, which are authenticated directly against Active Directory and receive group policy as if the machine was located inside the network.
This ensures :-
-
Users are always authenticated against Active Directory and are not using cached credentials.
- This removes administration overhead whereby a remote users password has expired without the user knowing, requiring help desk intervention.
-
Removes the security risk associated with cached local logins. If a user account is disabled in Active Directory, it cannot login to the device.
-
Computer and User Group Policy objects are always applied.
- Ensure consistent security and end user experience whether the user is working local or remote.
- Mapped drives are always available.
- User profiles and app data are always loaded correctly.
-
Reduced support overhead for IT Staff
- As users will have the same experience whether inside the network or remote, IT departments see significantly lower support requests from remote users.
- Remote support utilities such as SCCM can obtain remote access as if the device is present on the local network, even if the user cannot authenticate.
-
Significantly improved security
- Check Point Endpoint Security provides industry leading endpoint protection
- As the device is always connected to the corporate network, security policies are always enforced and there is no risk of devices becoming non-compliant without IT’s knowledge
- A stolen or lost device can be disabled, simply by deleting or disabling the Active Directory account.
What about SASE?
SASE or Secure Access Service Edge is the buzzword or buzzwords of the industry at the moment. The reality is that SASE is not a product or a single solution. It is a concept first derived by Gartner and is in fact a collection of remote access technologies which provide a uniform and consolidated security policy with granular control of access to corporate resources, wherever those resources are located.
Always on, machine certificate-based VPN can form part of a Check Point SASE architecture, however importantly, always on, machine certificate-based VPN addresses the requirements of legacy, non-cloud native applications and significantly reduces the support overhead for internal IT teams because to the end user, everything simply ‘just works’ wherever the user is located, as it would when they are working from the corporate office.
What else needs to be considered?
When users are operating from outside the corporate network, they forgo the advanced protections that are provided by the corporate firewall.
Endpoint Security
A suitable Endpoint Security solutions is critical. When the user leaves the corporate network, they are exposed to elements outside of Corporate IT’s control which can leave corporate devices exposed if they are not correctly secured.
Split Tunneling
The decision of whether to split tunnel internal versus internet traffic or tunnel all user traffic including internet traffic back through the corporate firewalls is a key consideration for many organisations.
Split tunneling reduces load on the corporate gateways at the expense of not providing the firewall protections that on-premise users are protected by. This becomes less of a concern where organisations are using an Endpoint Security solution such as Check Point’s Harmony Endpoint. Harmony Endpoint allows for a unified policy that provides the same protections at the endpoint that can be found on the corporate firewall.
Want to know more?
Would you like to know more about the Check Point technologies discussed in this post? Or more about S5 Technology Group?
Please get in touch with us here.
About S5 Technology Group
S5 Technology Group is an Enterprise System Integrator and Managed Service Provider with offices based in Port Macquarie and Cowra NSW. We support Government, Education and Small to Medium Enterprise customers throughout Australia. Our focus technologies include Enterprise Security, Enterprise Network and Enterprise Data Centre.
Notable Partnerships :-
- Check Point 4 Star Partner (The first and only in regional Australia)
- Microsoft Gold Partner
- Cisco Select Partner
S5 Technology Group were the first system integrator to supply and implement a Full Stack Security Enterprise Agreement in Australia. S5 Technology Group is one of only 7 Check Point 4 Star Partners in Australia, and are the only one located regionally.