Opinion: VPNs have had their day; it’s time to pin the badge on a new sheriff

Toni El Inati, RVP Sales META & CEE at Barracuda Networks, argues that VPNs have had their day and that it’s time for Zero Trust Network Access (ZTNA).

While virtual private networks had already been solving access problems for a generation, 2020 was their shining moment, when they enabled business continuity at scale during lockdowns, across industries and nations. But while the benefits appealed to many, the downsides of VPNs were hard to ignore. While they are easy to set up and easy to use, VPNs are tricky to secure.

Sources vary on how many UAE workers are regularly using VPNs, but one estimate puts the country and its GCC neighbours among the world’s top adopters, with rates between 35% and the UAE’s 61%. Before this scale-up, VPN technology was long seen as providing quick and secure access to corporate resources from remote locations. Little, if any, thought was given to the running of sessions over insecure links like home or public Wi-Fi networks.

VPNs create encrypted tunnels but preserve user data within them. They hide IP addresses and browsing history from Internet service providers and others, but these popular gateways have their drawbacks. They are often directly accessible from the public Internet, which makes them vulnerable to network-scanning and brute-force attacks. This means they are a viable infiltration vector and threat actors can exploit zero-day vulnerabilities and misconfigurations to sneak into the corporate environment and cause chaos.

The Rethink

VPN vulnerability is not a fringe issue or a trivial concern. In 2020, the US National Security Agency went so far as to issue a notice on the configuration of VPNs, highlighting many of the concerns stated above and warning organisations that secure VPN tunnels are difficult to deliver and need constant maintenance. The agency’s bulletin was one of a series of “Oh, wait…” moments experienced by security leaders around the world over the past few years. Once again, they have to rethink their security and IT policies to phase out a legacy go-to because threat actors have found a way to use it to their advantage. The more remote workers you have (and trends seem to be heading in this direction), the more VPN tunnels you have to manage. This implies escalating costs and time drains – the opposite of what VPNs were supposed to deliver.

Fortunately, there is an alternative to VPN tunnels, one that is more secure and easier to maintain. It is zero trust network access (ZTNA), a technology combo based on the strong foundation of the principle of least privilege. This approach ensures that users receive only those permissions that they need to get on with their job. No more, no less. And security ecosystems are configured to never automatically trust a user, process, or session when they try to authenticate themselves for access. Verification is done without exception, after which the principle of least privilege takes over.

ZTNA started life in 2009 when cybersecurity professionals ran with Forrester Research’s concept of “never trust, always verify”. The zero-trust standard now has a place within the US NIST framework. Zero trust, as the name suggests, encourages the SOC to trust nobody and no device by default. Every person, policy, machine, and application that is part of the cybersecurity infrastructure must work on the constant assumption that the enemy is already inside the gates and that the job of the security function is, quite simply, to go find it. This approach calls for continual evaluation of the risks to assets and operations. Organisations can move forward with ZTNA in four steps.

  • Map the attack surface to ensure the security function is aware of all critical data and assets. Personally identifiable information, credit card data, and intellectual property are obvious contenders, as are applications, endpoints, and services. But each organisation is unique and only a comprehensive panel of stakeholders can compile a comprehensive list of assets.
  • Identify all users that will come into contact with the network or any mapped assets. To manage access, implement a single sign-on for all users. Not only will this be more convenient for them; it will enhance visibility of activity for the security team.
  • Enable multi-factor authentication (MFA) to require users to verify themselves via a secondary device after initial log-in from a primary device. There are various ways to accomplish this, but a one-time password (OTP) sent as an SMS to a phone is standard.
  • Validate every endpoint device used by a credential-holder to access network resources. It is critical that any device used for primary login or MFA is pre-registered, with a record retained of its device ID, serial number, model, and OS. Any unrecorded device should be automatically disqualified from the authentication process.
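
The four steps above can be read as one deny-by-default access decision. The following is an added example, not code from the article or from any vendor product; the registry contents, user names, and function names are hypothetical and the sample data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Device:
    device_id: str
    serial: str
    model: str
    os: str

# Constructed sample data: pre-registered devices (step 4) and, per user,
# the devices they own plus the mapped assets their job requires (steps 1-2).
DEVICE_REGISTRY = {
    "dev-001": Device("dev-001", "SN12345", "Laptop-X", "Windows 11"),
    "dev-002": Device("dev-002", "SN67890", "Phone-Y", "Android 14"),
}
USERS = {
    "alice": {"devices": {"dev-001", "dev-002"}, "resources": {"crm"}},
}

def device_ok(user, presented):
    """True only if every recorded attribute matches and the user owns the device."""
    record = DEVICE_REGISTRY.get(presented.device_id)
    return record == presented and presented.device_id in USERS[user]["devices"]

def authorize(user, sso_verified, mfa_verified, login_device, mfa_device, resource):
    """Deny by default; every check must pass. Returns (allowed, reason)."""
    if user not in USERS or not sso_verified:
        return False, "identity not verified"
    if not device_ok(user, login_device):
        return False, "login device not registered"
    if not mfa_verified or not device_ok(user, mfa_device):
        return False, "MFA failed or MFA device not registered"
    if mfa_device.device_id == login_device.device_id:
        return False, "MFA must come from a secondary device"
    if resource not in USERS[user]["resources"]:
        return False, "resource outside least-privilege grant"
    return True, "allowed"

if __name__ == "__main__":
    laptop, phone = DEVICE_REGISTRY["dev-001"], DEVICE_REGISTRY["dev-002"]
    print(authorize("alice", True, True, laptop, phone, "crm"))
    print(authorize("alice", True, True, laptop, phone, "payroll"))
```
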

Leave nothing to chance

The attack surface is growing and SOCs are drowning in complexity. Remote users are on the rise, as are the number and variety of devices they use to access sensitive digital assets. The region’s B2B and B2C businesses are under increasing pressure from regulators and must be able to assure watchdogs that every box is ticked. Zero-trust network access is a box-ticking method by nature, as it leaves nothing to chance and assumes a breach at any given moment. While point solutions are certainly one way to deliver it, complexity will linger under this approach. An all-in-one solution is quicker to deploy and puts less labour burden on the security team. Cometh the hour, cometh a new hero: ZTNA.