Now that remote and hybrid working are firmly part of normal operating expectations, securing external workplaces and devices has become a longer-term consideration, with connection resilience and security essential. Wataru Izawa, CISSP, shares his experience of dealing with this for his organization.

Wataru Izawa, CISSP

Disclaimer: The views and opinions expressed in this article belong solely to the author and do not necessarily reflect those of ISC2.

From my experience working in enterprise IT at a multinational company, migration to the hybrid and cloud-first world is an exciting journey with many challenges. Hybrid workplaces require us to go beyond operating office environments and enable effective business activities from literally anywhere. To accelerate digital transformation, our systems have moved from on-premises to the cloud, along with our company resources. Employees and resources are no longer located within our enterprise-owned boundary and we need to protect our assets end-to-end in this distributed environment.

This requires us to manage the external networks our laptops connect to. We also need to protect resources in the cloud by verifying and controlling access from different devices and locations. We must do this without adding latency that slows down business.

I have encountered these challenges and, working in the telecoms industry with some insights into 5G, would like to share a potential solution using the capabilities of 5G laptops.

The Difficulty of Protecting Enterprise Resources

The COVID-19 pandemic forced us in 2020 into a hybrid world almost overnight. A concern we soon encountered was how to fulfill Wi-Fi security standard requirements for our remote workers. Unlike office Wi-Fi, it wasn’t possible to implement technical controls to ensure non-corporate Wi-Fi followed a certain security standard, and there are vulnerabilities depending on the security protocol used:

  • Wi-Fi is not always encrypted between laptops and the wireless access points (WAPs), and authentication methods can be weak
  • Wired Equivalent Privacy (WEP) uses a predefined shared Rivest Cipher 4 (RC4) secret key for both authentication and encryption. Since the key is static and shared, WEP can be hacked in less than a minute
  • Wi-Fi Protected Access (WPA) was designed with improvements, but is insecure due to the existence of tools designed specifically to crack it

Even so, according to statistics from WiGLE, a small percentage of networks still use either WEP (around 2.7% at the time of writing) or WPA (around 2.3% at the time of writing).

Another challenge I encountered was how and where to place access controls on cloud services that are publicly accessible, to prevent accidental information leakage. As a company that was primarily on-site before the pandemic began, controls configured on our office network firewall had been sufficient, but they were no longer effective in a hybrid environment.

To deal with the situation quickly, we decided to add policies on the endpoint detection and response (EDR) agents for a group of laptops, to identify access to certain sites as malicious activity and respond by blocking access to the destination. This worked but was unsuitable in many cases, because some processes needed the destination blocked while others needed access to it. I needed a more sophisticated solution for the distributed environment. This was when I properly understood why the concept of zero trust was gaining popularity.

The NIST SP 800-207 Zero Trust Architecture notes: “Zero trust focuses on protecting resources (assets, services, workflows, network accounts, etc.), not network segments, as the network location is no longer seen as the prime component to the security posture of the resource.” This is a big paradigm shift, which requires authentication and authorization to be performed before any session to an enterprise resource is established.
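To make the paradigm shift concrete, the following is an added example (not code from the article or from its author) of a resource-centric access decision in the style NIST SP 800-207 describes. The interim EDR rule above blocked a destination for a whole group of laptops; here every session request is evaluated on the subject's identity, the device's posture and the resource being requested, so the same laptop can be allowed for a managed sync process and denied for a browser on the same destination. Resource names, group names, process names and posture fields are invented for illustration, and network location is carried only into the audit reason, never into the decision.

```python
"""Resource-centric access decision in the style of NIST SP 800-207.

Added example, not from the original article. Resource, group, process and
posture names are invented. Each request is decided on subject, device and
resource attributes; network location is logged but is not a decision input.
"""
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass
class Subject:
    user: str
    groups: Set[str]
    mfa_verified: bool          # strong authentication completed for this session


@dataclass
class Device:
    managed: bool               # enrolled in enterprise device management
    edr_healthy: bool           # EDR agent running and reporting
    disk_encrypted: bool
    process: str                # process that initiated the request (constructed names)


@dataclass
class Resource:
    name: str
    allowed_groups: Set[str]
    require_mfa: bool = True
    allowed_processes: Optional[Set[str]] = None   # None means any process


def decide(subject: Subject, device: Device, resource: Resource,
           network_location: str) -> Tuple[bool, str]:
    """Authorize one session request before it is established.

    Every check is on subject, device or resource attributes; the network
    location appears only in the returned audit string.
    """
    checks = [
        (device.managed and device.edr_healthy and device.disk_encrypted,
         "device posture not compliant"),
        (bool(subject.groups & resource.allowed_groups),
         f"{subject.user} not entitled to {resource.name}"),
        (subject.mfa_verified or not resource.require_mfa,
         "MFA required for this resource"),
        (resource.allowed_processes is None or device.process in resource.allowed_processes,
         f"process {device.process} may not reach {resource.name}"),
    ]
    for ok, reason in checks:
        if not ok:
            return False, f"deny ({network_location}): {reason}"
    return True, f"allow ({network_location}): {subject.user} via {device.process}"


# Constructed policy: a public file-sharing service that only the sales group
# may use, and only from the managed sync client, never from an arbitrary
# browser; and a CRM that sales and support may reach from any process.
FILE_SHARE = Resource("public-file-share", {"sales"}, allowed_processes={"corp-sync-client"})
CRM = Resource("crm", {"sales", "support"})

ALICE = Subject("alice", {"sales"}, mfa_verified=True)
BOB = Subject("bob", {"engineering"}, mfa_verified=True)

HEALTHY_SYNC = Device(True, True, True, "corp-sync-client")
HEALTHY_BROWSER = Device(True, True, True, "browser")
EDR_DOWN = Device(True, False, True, "corp-sync-client")

if __name__ == "__main__":
    cases = [
        ("sales user, sync client, hotel Wi-Fi", (ALICE, HEALTHY_SYNC, FILE_SHARE, "hotel-wifi")),
        ("sales user, browser, office LAN", (ALICE, HEALTHY_BROWSER, FILE_SHARE, "office-lan")),
        ("sales user, EDR agent down, home", (ALICE, EDR_DOWN, CRM, "home")),
        ("engineer, CRM, office LAN", (BOB, HEALTHY_BROWSER, CRM, "office-lan")),
    ]
    for label, args in cases:
        print(f"{label}: {decide(*args)}")
```

The point of the ordering is that the office LAN case is denied and the hotel Wi-Fi case is allowed: the decision depends on who, from what device state, for which resource, which is exactly what a per-group destination block on the EDR agent could not express.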

Challenges with Current Solutions

To quickly ensure Wi-Fi connections used by remote workers were following a baseline security standard, a rule was added to our standard operating procedures to use WPA2 or a higher security protocol when performing customer service delivery activities.

Overall, this didn’t solve the problem, since business activities such as sales require travel. In turn, this requires employees to connect via public Wi-Fi to access company resources between customer visits and meetings. Also, even when connecting to WPA2, it is commonly implemented as a pre-shared key (PSK) for ease of use (a single password is shared by all users connected to the network), as noted in “Data Security - WPA-2 PSK Vulnerabilities”. If that password gets into the hands of an attacker, they will be able to access the network for malicious purposes.
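The SOP rule above ("WPA2 or higher") is only useful if it can be checked on the endpoint. The following is an added example, not code from the article, of a small posture check that reads the current Wi-Fi association from the key : value output of `netsh wlan show interfaces` on Windows and grades it against that baseline, flagging PSK modes separately because a compliant WPA2-Personal network still carries the shared-password risk described above. The field names (State, SSID, Authentication, Cipher) and authentication labels are assumptions from typical netsh output, and the three samples are constructed.

```python
"""Endpoint check of the current Wi-Fi association against a
"WPA2 or higher" baseline.

Added example, not from the original article. Field names and authentication
labels are assumed from typical `netsh wlan show interfaces` output on
Windows; the sample outputs below are constructed.
"""
import re
from dataclasses import dataclass

# Authentication labels that satisfy the baseline (assumed netsh spellings).
BASELINE_OK = {"WPA2-Personal", "WPA2-Enterprise", "WPA3-Personal", "WPA3-Enterprise"}
# Labels for the weak options: no encryption, WEP and original WPA.
KNOWN_WEAK = {"Open", "WEP", "WPA-Personal", "WPA-Enterprise"}

# One "Field : value" line; the value may itself contain ':' (MAC addresses).
_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 ()/-]*?)\s*:\s*(\S.*?)\s*$")


@dataclass
class WifiPosture:
    ssid: str
    authentication: str
    compliant: bool
    shared_key: bool   # "-Personal" modes: one password shared by every user
    reason: str


def parse_netsh_interfaces(text: str) -> dict:
    """Collect the indented 'Field : value' lines into a dict."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def assess_wifi(text: str) -> WifiPosture:
    """Grade the association described by netsh output against the baseline."""
    f = parse_netsh_interfaces(text)
    ssid, auth = f.get("SSID", ""), f.get("Authentication", "")
    if f.get("State", "").lower() != "connected":
        return WifiPosture(ssid, auth, False, False, "interface not connected")
    shared = auth.endswith("-Personal")
    if auth in BASELINE_OK:
        reason = "meets WPA2-or-higher baseline"
        if shared:
            reason += "; pre-shared key, one password shared by all users"
        return WifiPosture(ssid, auth, True, shared, reason)
    if auth in KNOWN_WEAK:
        return WifiPosture(ssid, auth, False, shared, f"{auth} is below baseline")
    # Fail closed on anything unrecognised rather than assuming it is safe.
    return WifiPosture(ssid, auth, False, shared, f"unrecognised authentication {auth!r}")


# Constructed samples in the shape of `netsh wlan show interfaces` output.
SAMPLE_WPA2_PSK = """\
There is 1 interface on the system:

    Name                   : Wi-Fi
    Description            : Example 802.11ax adapter
    Physical address       : 00:11:22:33:44:55
    State                  : connected
    SSID                   : HomeNet
    BSSID                  : aa:bb:cc:dd:ee:01
    Network type           : Infrastructure
    Authentication         : WPA2-Personal
    Cipher                 : CCMP
"""

SAMPLE_WEP = """\
    Name                   : Wi-Fi
    State                  : connected
    SSID                   : CafeGuest
    Authentication         : WEP
    Cipher                 : WEP
"""

SAMPLE_WPA3_ENT = """\
    Name                   : Wi-Fi
    State                  : connected
    SSID                   : CorpSecure
    Authentication         : WPA3-Enterprise
    Cipher                 : GCMP
"""

if __name__ == "__main__":
    for sample in (SAMPLE_WPA2_PSK, SAMPLE_WEP, SAMPLE_WPA3_ENT):
        print(assess_wifi(sample))
```

On a real laptop the text would come from running the command (for example via `subprocess.run(["netsh", "wlan", "show", "interfaces"], capture_output=True, text=True).stdout`); the parser deliberately treats any label it does not know as non-compliant so that a new or unexpected mode is reviewed rather than silently accepted.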

Secure Access Service Edge (SASE) is a network architecture that includes zero trust principles, incorporates data leakage prevention (DLP) to identify sensitive data, and implements security policies to control unauthorized data access as well as unsafe movement of data. It’s a sophisticated and dynamic solution that could replace our static configurations on EDR agents, but our enterprise IT department still faced challenges with SASE.

Challenges involving SASE seem to be common. A report from the author’s organization on SASE operational pain points and how to fix them, based on research conducted in 2024 that asked network managers what they found most challenging about managing and monitoring SASE, found that more than 39% responded that they struggled significantly. The findings revealed four main reasons for this:

  • Applying security policies and controls in a coordinated and consistent manner on a multi-vendor SASE deployment
  • Monitoring the health and performance of SASE points of presence (PoPs), through which all network traffic is routed, either to receive multiple layers of security inspection or to break out directly to the internet
  • Managing the integrations between different SASE components
  • Minimizing SASE PoP latency by making sure user traffic takes the best overall path to its destination

Solving These Challenges Using 5G

With a focus on business partnership and enablement, I work in the enterprise IT division of a telecommunications company. I am always interested to see if the technology our organization delivers could be applied within our operations to solve our own problems. I feel that the challenges we face can likely be solved by outsourcing our network to mobile network operators (MNOs) with 5G laptops, for three key reasons.

Firstly, 5G-connected laptops will address the risk of public Wi-Fi connections: 5G uses an AES 256-bit key for wireless encryption, which is stronger encryption than the latest Wi-Fi WPA3 using AES 192-bit. With extensive geographical coverage and authentication using a unique international mobile subscriber identity (IMSI) stored securely in the embedded subscriber identity module (eSIM), 5G laptops are able to ensure high security standards for wireless connections.

Secondly, 5G-assisted SASE can efficiently protect resources in the cloud from anywhere. Using 5G-assisted SASE, the MNO steers the enterprise’s traffic to specific data networks, which are the 5G infrastructure that handles the transmission of data packets. Data networks are identified by a unique Data Network Name (DNN), and DNNs can be used specifically for enterprises to route traffic to different data networks, which can then pass the traffic to an MNO edge SASE PoP.

Lastly, 5G-assisted SASE can be further combined with network slicing, a technology that creates virtual networks on top of the shared 5G infrastructure. Each slice may have its own security rules, policies, and Quality-of-Service (QoS). Each network slice is assigned a unique DNN, which acts like a virtual DNN. Adding this unique DNN as an attribute to the subscriber profiles will put the 5G laptops onto the slice where the security rules, policies and QoS will be enforced. 5G network slicing can enable effective business activities from anywhere.

In totality, this will give us – the enterprise IT division – the ability to manage our services end-to-end in the hybrid world.

There are further advantages with 5G laptops and 5G-assisted SASE. Most SASE offerings require agents installed on laptops as a form of identity to make access and routing decisions, but deploying these can become complex. Since 5G-assisted SASE uses the IMSI as identity, it will eliminate the need for these agents on laptops.

It will also help reduce the network assets that need to be managed by an enterprise, since network infrastructure, including SASE management, will be outsourced to MNOs. To accelerate digital transformation, we are already migrating our on-premises IT infrastructure to the cloud; going further and outsourcing the network infrastructure to MNOs aligns with our cloud-first strategy.

There is also potential for further 5G capabilities to be available for us with 5G laptops in future. A venture was recently launched to accelerate the global adoption of common network Application Programming Interfaces (APIs). These are meant to be standardized open interfaces to enable developers to access 5G resources globally and integrate them into new services for enterprises.

The current challenge we’re encountering is the initial step of remote SIM provisioning: installing a batch of MNO profiles onto the 5G laptops’ eSIMs so they can connect to 5G networks in a controlled and efficient way. It’s exciting to see a possible upcoming solution which can enable us to perform this with ease. It is also important to note that 5G is not a ubiquitous network: there will still be areas of poor or no signal, along with entire areas that have not yet deployed 5G cellular networks.

Wataru Izawa, CISSP, has 13 years of experience in IT, telecommunications, and professional sports. He has held business and management roles, with responsibility for business partnership and IT management.
