Crossbow Labs


Is the 3 Tier Network Architecture Still Relevant? BAU during the times of COVID



The COVID outbreak, and the need to keep businesses running through it, has prompted a deep dive into rethinking and recalibrating the way forward for us, the people in the IT / ITES space. The tweet from TCS on their plans to move 75% of their workforce to a remote working model, and the subsequent chatter around the topic, goes to show that it’s the way forward whether we like it or not.

Most remote working strategies were designed in the pre-COVID era, sized for a small share (less than 20%) of employees connecting remotely to the corporate network. Post COVID is a different scenario: it’s 90% of the workforce on this side of the radar. Atlas VPN has noted a 150% surge in VPN usage in the USA since the COVID outbreak, meaning that our traditional VPN solution is probably choking.

What are the foreseeable technology changes as we move to a remote working paradigm?

The present network infrastructure is based on the traditional 3-tier architecture. With the workforce distributed and not confined to a single LAN, this is not only a network drift but a drift of modus operandi.

Moving to a Zero Trust Model

A zero trust model is as the name goes: trusting no one. This is a paradigm shift from our belief that everyone on the inside of the network is trustworthy and anyone on the other side is untrusted.

What’s the shift? It’s that no one is trustworthy, inside or outside. Every user trying to access the organisation’s assets will be authenticated based on their identity and their device identity. The user could be on any network for that matter.

Adopting a Zero Trust Model is a philosophy by itself. It needs to be strategized to meet the needs of a remote workforce – we are talking flexibility and autonomy here, while decreasing the threat exposure. Here we discuss a few next wave technology implementation trends that support the Zero Trust philosophy.

A Robust NAC

Port-based NAC is the most popular NAC deployment model. With a zero trust philosophy, we need to step up to a more dynamic network access control mechanism. A software defined network perimeter will be the way ahead. In a software defined perimeter solution, routing decisions are made based on policies and not on the network topology. VLANing will not be required, as there is uniform access control irrespective of whether the user is on-premises or working remotely.

Additionally, a software defined network perimeter will work well with cloud based solutions, and the transition towards adopting cloud based solutions is something we had already warmed up to pre-COVID.


A 3 tier architecture follows a north-south approach, meaning you are permitted access to the applications after gaining authorisation from the top (perimeter) to the bottom (VLAN). With microsegmentation, lateral (east-west) movement is also taken care of. Microsegmentation can help enforce granular security policies based on the type of application systems or data servers. It provides better insight into lateral traffic movement and can help network administrators make dynamic routing / policy decisions.

Microsegmentation reduces the attack surface, as one compromised application will not open the way to another compromise. It also supports better incident response, compliance and policy management.
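To make the east-west point concrete, the following added example (not part of the original article) compares which workloads a compromised host can reach under a flat "same VLAN" rule and under a label-based allow-list. The workload names, VLAN names and permitted flows are constructed for illustration.

```python
from collections import deque

# Constructed sample inventory: workload -> (VLAN, application label).
WORKLOADS = {
    "web-1": ("vlan20", "web"),
    "web-2": ("vlan20", "web"),
    "app-1": ("vlan20", "app"),
    "pay-db": ("vlan20", "pay-db"),
    "hr-db": ("vlan20", "hr-db"),
    "print-1": ("vlan30", "print"),
}

# Microsegmentation policy: explicit east-west allow-list between labels.
# Any flow not listed here is denied by default.
ALLOWED_FLOWS = {("web", "app"), ("app", "pay-db")}


def vlan_allows(src, dst):
    """Flat model: any host may talk to any host in the same VLAN."""
    return WORKLOADS[src][0] == WORKLOADS[dst][0]


def microseg_allows(src, dst):
    """Label-based model: only flows on the allow-list pass."""
    return (WORKLOADS[src][1], WORKLOADS[dst][1]) in ALLOWED_FLOWS


def blast_radius(start, allows):
    """Workloads reachable from a compromised one by chaining permitted flows."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in WORKLOADS:
            if nxt not in seen and allows(cur, nxt):
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


if __name__ == "__main__":
    for name, rule in (("vlan", vlan_allows), ("microseg", microseg_allows)):
        for host in ("web-1", "hr-db"):
            print(name, host, sorted(blast_radius(host, rule)))
```

The chained result for `web-1` under the allow-list still includes `pay-db`, because each permitted flow is a hop; reviewing those chains is the kind of lateral-traffic insight the policy gives an administrator.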

User and Device Based Authentication

‘Untrusted users using untrusted devices’, ‘trusted users using untrusted devices’ and ‘trusted users using trusted devices’ – all three categories could be legit user groups; however, the level of data and resource access should be granted on a ‘least privilege’ basis.

Multi Factor Authentication is the name of the game, no doubt. With the device component included, it would be MFA + Managed Device. And for accessing sensitive / confidential resources it would be only prudent to check on the security settings on the device, which would be MFA + Managed Device + Device Security.

So how do we get this going? By implementing Endpoint Detection and Response (EDR). Devices for remote working would need more than just antivirus protection. They should be supported with endpoint protection that can continuously monitor for threats and defects and provide confirmation that the device meets the necessary security requirements to access critical systems / applications.
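The tiers described in this section (MFA, MFA + Managed Device, MFA + Managed Device + Device Security) can be expressed as a small policy check. This is an added example, not code from the original article; the tier names, posture fields and freshness window are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field

# Signals each resource tier requires. The three combinations come from the
# text above; the tier names themselves are assumptions for this example.
REQUIRED = {
    "internal": {"mfa"},
    "business": {"mfa", "managed_device"},
    "sensitive": {"mfa", "managed_device", "device_secure"},
}
MAX_POSTURE_AGE_S = 900  # assumed freshness window for an endpoint report


@dataclass
class Request:
    mfa_passed: bool
    device_managed: bool
    posture: dict = field(default_factory=dict)  # constructed EDR report
    source_network: str = "unknown"  # logged only, never a trust signal


def device_secure(posture):
    """Fail closed: every check must be reported True and the report fresh."""
    checks = ("disk_encrypted", "edr_running", "os_patched")  # hypothetical
    fresh = posture.get("age_s", MAX_POSTURE_AGE_S + 1) <= MAX_POSTURE_AGE_S
    return fresh and all(posture.get(c) is True for c in checks)


def signals(req):
    """Trust signals this request actually proves."""
    got = set()
    if req.mfa_passed:
        got.add("mfa")
    if req.device_managed:
        got.add("managed_device")
        # Posture from an unmanaged device is self-reported, so it is ignored.
        if device_secure(req.posture):
            got.add("device_secure")
    return got


def decide(req, tier):
    """Return (allowed, missing_signals); unknown tiers are denied."""
    if tier not in REQUIRED:
        return False, {"unknown_tier"}
    missing = REQUIRED[tier] - signals(req)
    return not missing, missing
```

Note that `source_network` never enters the decision: a request from the office LAN without MFA is refused, while a remote request that proves all three signals is allowed.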

Data and People Sensitivity

Managing sensitive and confidential data was, and will continue to be, the number one priority pre and post COVID. With heightened awareness of privacy and legal reproaches being rolled out by countries across the globe, data handling will need to be dealt with using kid gloves.

What is traditionally hosted on the company’s internal server and held within the company’s network will now have to be moved to the cloud. This calls for a relook at how security and confidentiality can be maintained while giving employees the convenience to access the data from anywhere. The deal breaker will be employee recruitment and retention in a remote workforce model. So far in this forced lockdown, only trusted employees have had access to data, and that brings the comfort that they understand the sensitivity and importance of the data at hand. This trust factor will be a longer hill to climb with a pure-play remote workforce.

Collaboration tools and virtual water coolers will be all that we have to keep up the human aspect of working together as a team.

Closing Notes

Almost overnight, the pandemic has changed how companies across the globe conduct business. This has also provided much needed perspective on business resilience and critical services. On the brighter side, the productivity boost being observed during this lockdown shows us that there is light at the end of the tunnel. We see the next wave as Technology First, this time however for employee flexibility and engagement, which will be the cornerstone of a dedicated and efficient remote workforce.