Ivanti Connect Secure (ICS)
A seamless, cost-effective SSL VPN solution for remote and mobile users, giving access from any web-enabled device to corporate resources, anytime, anywhere.
As supervisor of the IESO’s infrastructure team, Armando Valdrez juggles management of different technology solutions, including networking, security, NERC cybersecurity and telemetry, which is the field data for the power grid. Ten years ago, his existing client-based VPN could not give vendors and contractors access into the network. And because that solution ran on the internet-facing DMZ firewall perimeter, administrative tasks became high risk, since a single appliance was performing multiple operations.
They needed a simpler, portal-based solution that would support remote two-factor authentication and would clearly segment access rights and responsibilities between departments, so they chose to adopt a dedicated remote-access VPN. By separating their previous VPN and firewall functions, they were able to separate duties for better role-based operations and outcomes. Armando elaborates,
“We wanted to separate duties based on Tier One Control Room Operations and Tier Two Network Engineer functions, but you can’t do that with a consolidated device missing granular access control features. So we had to look for a solution that was purely for remote VPN and a solution that was only for firewalling functions. We achieved that by decoupling the remote VPN functionality and firewall functionality. We shifted left. Now our OPS team manages the remote users, while our Tier Two Engineers focus on other things like projects, as opposed to managing the operational tasks. This move addressed our issues from both a business standpoint and a technical standpoint.”
For Armando and his team, weaving in some of the principles of zero trust can help reduce exposure and unauthorised access across the threat landscape. Incorporating multifactor authentication (MFA), micro-segmentation and the “policy of least privilege” provides a hardened security posture and aligns to zero trust best practices.
Armando shares his thoughts on incorporating zero trust, “We are talking about zero trust at a high level right now. We’re seeing how it can fit with our network refresh strategy. There’s a lot of features we can play with.”
Adopting zero trust practices helps both operations and information security teams gain visibility, with insights and analytics to determine how many users are connecting, where they are connecting from and which applications they are accessing. From an operations perspective, Ivanti Security Appliance provides administrators with a single pane of glass for management and analytics, while PCS features include the ability to:
With a critical utility infrastructure, the IESO performs regularly scheduled disaster recovery exercises to ensure business continuity in the event of a catastrophic network failure. Being able to minimise downtime and data loss is paramount to any disaster recovery plan (DRP), with a primary objective to protect the organisation during any event where operations and services are incapacitated. In the IESO’s case, they were able to perform failovers of their Ivanti Security Appliance clusters. Armando explains,
“Our clients need applications that are patched and allowed, before having access to the network. This also aligns with our disaster recovery initiative in a sense that we have high availability functions. Just a couple of weeks ago, we finished our business disaster recovery exercise, and we were able to perform failovers of the PSA clusters. You have a thousand users connected at a given time and it was all transparent to them. It’s even more important now during this COVID pandemic as the majority of our users are working remotely.”
Ivanti Connect Secure’s “always-on” VPN enables the IESO to enforce security and compliance on all traffic from endpoints, even when they are not on prem. Features such as split tunnelling confine use of the secure access platform to critical enterprise and data-centre applications. One advantage of split tunnelling is that it alleviates bottlenecks and conserves bandwidth, because general internet traffic no longer has to pass through the VPN server. Another advantage is the case where a user works at a third-party site and needs access to resources on both networks throughout the day. Enabling split tunnelling reduces traffic on corporate networks, increases speed through reduced latency for specific tasks and grants privacy to end users. The trade-off is that traffic sent directly to the internet is not inspected by the security tools behind the VPN gateway, so the bypass list should be limited to specific, well-understood destinations. To help improve network performance, Armando is actively running tests on split tunnelling:
“Right now we’re having our QA team test split tunnelling, because since the pandemic hit, we noticed that collaboration traffic, specifically things like Microsoft Teams, Skype, Webex, was being scanned by a lot of our cybersecurity tools. For example, traffic will go through our VPN gateway, then firewall and a myriad of tools such web filtering proxies, IPS and advanced malware protection. We have a lot of tools that it goes through and there was performance degradation. We are testing the split tunnelling functionality right now to bypass things like Microsoft O365, Outlook, Teams, Skype, and Webex. We are two weeks into that testing and the results are promising. So that is something we will be enabling. Before, things like collaboration video would hit a bottleneck and the outcome would be choppy streaming. But now in our QA system, playing with this stuff, we’re hearing really positive results.”
Organisations like the IESO understand the architectural decisions that go into implementing security and clearly understand the impact of those decisions. One size does not fit all, so being able to test and right-size solutions before broader deployment helps IT departments implement stronger security practices.
Note: A customer’s results are specific to its total environment/experience, of which Ivanti is a part. Individual results may vary based on each customer’s unique environment.