This is the IT Support Department's Infrastructure Team.
LINE Fukuoka's IT Support Department handles all in-house IT work, and is made up of five teams: the Help Desk Team, the Help Management Team, the Technical Support Team, the Infrastructure Team, and the Information Security Team. The Infrastructure Team is responsible for office infrastructure operations and network security, and takes on a variety of projects to bolster the company's cyber-security.
In this post, we will explain the details of how the "Cloud-based Web Isolation Service" (a security solution that has prevented over 20,000 major security risks in just one month) came to be adopted, the results it achieved, and some issues surrounding it.
If you're in IT and are searching for a security solution that is effective for in-office as well as work-from-home (WFH) setups, this article is for you!
Making access to websites safer
Have you ever unintentionally clicked on a link to a suspicious site when you were just trying to look something up for work? If you connect to a website that targets a weakness in your network or may infect your device with malware, you have to stop working, disconnect from the company network, have your device scanned for viruses, and wait for a cause to be found and dealt with until everything is determined to be safe. These investigations and adjustments also place a burden on internal IT.
Just because you accessed a suspicious site doesn't mean that your PC will be impacted, but obviously, you want to reduce security risks as much as possible, especially on devices like PCs that you use for work.
LINE Fukuoka is responsible for checking if there are any issues with URLs posted on LINE services or in the services handled by companies that have applied for a review of their LINE services (such as their LINE official account). The company was considering a solution that would allow employees to safely access any website and would pose no risk to servers or devices connected to the company's network.
Primary methods of utilizing "web isolation" as a security measure
In simple terms, web isolation is the process of separating web content on a standard internet connection from an internal network. The phrase "internet isolation" is sometimes used in a broader sense, but in this post, you can think of it as one example of a basic security solution. The four primary methods of web isolation are explained below, but after considering costs, usability, and management, LINE Fukuoka chose option 4, "cloud-based web isolation."
As seen in the image above, there are four methods of web isolation, and each has its pros and cons. Also, when considering these solutions, one of the major issues the company faced was remote work (WFH).
Which system is the best fit for remote work? On-premise? Cloud-based?
Most companies put various security measures (such as a firewall) in place when their devices connect to the internet from the office in order to prevent employees from accessing dangerous sites. Of course, even when working from home, if you're connected to a virtual private network (VPN), you can access the network safely in the same way by going through the internal security measures.
But what if you aren't connected to a VPN? If an employee bypasses internal security measures when accessing a site, they could directly access the internet from their home connection, and if they open a malicious website, their device may be infected with malware.
Additionally, if you're using a split tunnel VPN (where internal systems are accessed through a VPN but internet access uses your home connection), you can still directly access the internet even if you're connected to the VPN. Accessing the internet directly from a work device is a major security risk.
There are two types of security systems: on-premise and cloud-based. On-premise systems can't perform web isolation for remote work environments if the device doesn't go through a VPN, but cloud-based security systems can isolate in a WFH setup even without a VPN.
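The routing difference described above decides whether an on-premise isolation system ever sees a device's web traffic. The following Python code is an added example, not part of the original post: it classifies a routing table as full tunnel, split tunnel, or no VPN by longest-prefix match. The interface names (`tun0`, `wlan0`), the addresses, and the route tables are constructed assumptions.

```python
import ipaddress

# Constructed routing tables: (destination prefix, outgoing interface).
# "tun0" stands for the VPN adapter and "wlan0" for the home connection (assumed names).
NO_VPN = [("0.0.0.0/0", "wlan0"), ("192.168.1.0/24", "wlan0")]
SPLIT_TUNNEL = NO_VPN + [("10.0.0.0/8", "tun0")]
# Some VPN clients leave the default route alone and add two /1 routes that win on prefix length.
FULL_TUNNEL = NO_VPN + [("0.0.0.0/1", "tun0"), ("128.0.0.0/1", "tun0")]

def egress_interface(routes, dest):
    """Return the interface chosen for dest by longest-prefix match, or None."""
    addr = ipaddress.ip_address(dest)
    best_len, best_iface = -1, None
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and net.prefixlen > best_len:
            best_len, best_iface = net.prefixlen, iface
    return best_iface

def tunnel_mode(routes, vpn_iface="tun0", internal="10.20.30.40", public="203.0.113.10"):
    """Classify a route table by where internal and public traffic leave the device."""
    public_via_vpn = egress_interface(routes, public) == vpn_iface
    internal_via_vpn = egress_interface(routes, internal) == vpn_iface
    if public_via_vpn:
        return "full tunnel"
    if internal_via_vpn:
        return "split tunnel"
    return "no vpn"

def on_premise_isolation_applies(routes):
    """On-premise isolation only sees web traffic that is routed through the VPN."""
    return tunnel_mode(routes) == "full tunnel"

if __name__ == "__main__":
    for name, table in [("no vpn", NO_VPN), ("split", SPLIT_TUNNEL), ("full", FULL_TUNNEL)]:
        print(name, tunnel_mode(table), on_premise_isolation_applies(table))
```

Only the full-tunnel table sends the public test address through the VPN adapter; in the other two cases web traffic leaves over the home connection and never reaches on-premise controls.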
Our initial requirements were that the solution should be an effective security measure even in WFH setups, in addition to being able to access websites safely and posing no risk of infecting servers or devices that access the company network. After considering these requirements, we decided that the solution also needed to be cloud-based.
<On-premise solutions>
■ Advantages
- Unrestricted access to websites that cannot be connected to from the cloud
■ Drawbacks
- Web isolation can't be done without a full tunnel VPN, so directly connecting to the internet from outside of the VPN or via a split tunnel VPN presents risks
- Separate server management costs are incurred
<Cloud solutions>
■ Advantages
- Cloud foundation eliminates the maintenance costs of servers, etc.
- Whether working in the office or from home, the same services can be used (web isolation is ensured)
■ Drawbacks
- The IP address used to connect to websites belongs to the cloud service, so sites that restrict access from the cloud cannot be reached
Note: The information below is from August 2020, when introduction was being considered.