Virtual Private Networks (VPNs) have long been the standard technology for remote access, multi-site connectivity, and third-party access. However, recent trends in cloud adoption and remote work have exposed significant weaknesses in VPN security. This article examines the transition from VPNs to Zero Trust Network Access (ZTNA) and its implications for cybersecurity, drawing insights from the 2024 Zscaler VPN Risk Report and an in-depth interview with Deepen Desai, Chief Security Officer and SVP Security Engineering & Research at Zscaler.

The Decline of VPNs: A Vulnerable Legacy

VPNs have been the cornerstone of remote access for decades, allowing users to connect securely to corporate networks from anywhere in the world. They provide essential functionalities such as remote connectivity, multi-site connectivity, and third-party access.

“More than 70% of the use cases for VPNs are around remote access,” Desai noted. “In cases of mergers and acquisitions, companies often set up site-to-site VPNs, which can inherit security issues from the other side. Third-party access, although less common, poses even greater risks.”

However, as Desai pointed out in the interview, these legacy architectures are increasingly proving to be liabilities. According to the report, a whopping 56% of organizations experienced VPN-related cyberattacks in the past year, an 11% increase from the previous year. And more than half of enterprises breached via VPN vulnerabilities (54%) experienced lateral movement by threat actors.

“The legacy architecture of VPNs, which grants broad network access once credentials are verified, significantly increases the risk of lateral movement by attackers within the network,” says Deepen Desai. “This means that once an attacker gains access through a compromised VPN, they can move laterally across the network, accessing and exfiltrating sensitive data with relative ease.”

Critical Vulnerabilities: If You’re Reachable, You’re Breachable

One of the primary issues with VPNs is their susceptibility to zero-day vulnerabilities. Recent high-profile exploits, such as CVE-2023-46805 and CVE-2024-21887, have exposed critical weaknesses in VPN products. The recent Ivanti VPN attacks, for example, exploited zero-day vulnerabilities in Ivanti Connect Secure appliances, allowing threat actors to implant web shells and harvest credentials. These breaches enabled attackers to bypass authentication, execute commands with elevated privileges, move laterally within networks and maintain root-level persistence, even after device resets. In response, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued emergency directives for federal agencies to disconnect affected devices, highlighting the severity of these vulnerabilities. Forensic analysis revealed that attackers could even evade detection by modifying internal integrity checks, creating a false sense of security among users.

In general, VPNs are exposed to zero-day exploits and other attacks, in part, because they are externally exposed, internet-facing devices with public IP addresses. This means that attackers can easily scan for and exploit vulnerabilities in exposed VPNs. As a result, VPN exposure substantially increases the enterprise attack surface, while exposing enterprise servers and networks to the internet — all of which increases the chances of attacks like ransomware.

Ransomware and Other Threats

Ransomware actors are particularly adept at exploiting VPN vulnerabilities. Deepen explained that ransomware groups often target VPNs to gain initial access to a network, move laterally, and deploy their ransomware payloads. The 2024 VPN Risk Report identifies ransomware (56%), malware infections (35%), and DDoS attacks (30%) as the top threats exploiting VPN vulnerabilities. These statistics underscore the breadth of risks that organizations face due to the inherent weaknesses of traditional VPN architectures.

“In the last twelve months, we’ve seen more threat actors going after zero-day vulnerability exploits in some of the popular VPN providers,” Desai emphasized. “The zero-day vulnerabilities have become a prominent issue, with several CISA advisories also confirming this trend.”

The Shift to Zero Trust Network Access

As the limitations and vulnerabilities of VPNs become increasingly apparent, more organizations are turning to Zero Trust Network Access (ZTNA) as a more secure and robust technology. Zero Trust is built on the principle of “never trust, always verify,” meaning that no user or device is trusted by default, whether inside or outside the network. Every access request is authenticated, authorized, and encrypted.

“Zero Trust is fundamentally different from VPNs in that it does not inherently trust any user or device,” Desai points out. “Every access request is scrutinized, authenticated, and authorized, which drastically reduces the attack surface.”

The 2024 VPN Risk Report reveals that 78% of organizations plan to implement Zero Trust strategies within the next 12 months, with 62% recognizing that VPNs are fundamentally anti-zero trust. This dramatic shift is driven by the need for a security framework that can effectively address the dynamic and evolving threat landscape and overcome the risks associated with legacy VPN technology.

Principles of Zero Trust

Zero Trust is a comprehensive security strategy built on several key principles:

1. Never Trust, Always Verify: Every access request, regardless of its origin, is subject to strict verification processes. This principle ensures that only authorized users and devices can access network resources.

2. Least Privilege Access: Users are granted only the minimum level of access necessary to perform their tasks. This minimizes the potential damage that could be caused by a compromised account.

3. Assume Breach: Zero Trust systems are designed with the assumption that breaches will inevitably occur. This approach focuses on limiting the blast radius of any potential attack by ensuring that even if an attacker gains access, their ability to move laterally within the network is severely restricted.

Granular Access Control

One of the most significant advantages of Zero Trust Network Access solutions over VPNs is the ability to provide smart, granular access control. Zero Trust also ensures that users connect directly to applications rather than the network, further reducing the risk of lateral movement and minimizing the potential impact of a breach. This level of control is crucial in today’s complex digital environments, where traditional perimeter-based security models are no longer sufficient.

Scalability and Performance

Unlike VPNs, which often struggle to scale and maintain performance under the load of a fully remote workforce, Zero Trust architectures are designed to be inherently scalable. Desai highlighted that during the COVID-19 pandemic, many organizations found their VPNs unable to handle the sudden shift to 100% remote work. With remote and hybrid work becoming the norm, Zero Trust solutions, in contrast, can scale seamlessly to support a distributed workforce without the performance bottlenecks associated with VPNs.

Zscaler’s Approach to Zero Trust

Zscaler’s Zero Trust Exchange platform is a prime example of how Zero Trust can be effectively implemented to protect modern enterprises and provide secure, direct connections between users and applications, eliminating the need for traditional network-based access. Desai outlined Zscaler’s phased approach to implementing Zero Trust, which involves four key stages:

1. Reduce Attack Surface: The first step in the Zero Trust journey is to reduce the external attack surface by making applications invisible to the internet. Zscaler achieves this by hiding applications behind the Zero Trust Exchange, ensuring that they are not directly accessible from the internet and cannot be discovered by internet scanning. This significantly reduces the risk of external attacks.

2. Prevent Compromise: The next step is to prevent initial compromises by applying consistent security policies across all user environments. Whether users are remote, in the office, or traveling, the same set of security controls and policies should always follow them. Zscaler provides advanced threat protection and full TLS inspection to detect and block threats before they can cause harm.

3. Prevent Lateral Movement: To prevent attackers from moving laterally within the network, Zscaler employs granular user-to-application segmentation. This ensures that users are never placed on the same network as the applications they access. By doing so, Zscaler eliminates the risk of lateral movement, as there are no network paths for attackers to exploit.

4. Prevent Data Loss: Finally, Zscaler’s Data Loss Prevention (DLP) solutions ensure that sensitive data does not leave the organization. By performing inline DLP policy controls and full TLS inspection, Zscaler can detect and block attempts to exfiltrate sensitive information.
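The difference between the two models described above (a VPN that hands out a network route once credentials pass, versus a broker that evaluates identity, device posture and least-privilege policy for each application individually) is easiest to see as an access decision. The following Python is an added illustration written for this article; it is not Zscaler code and does not model the Zero Trust Exchange. The application inventory, roles, policy table and posture checks are constructed assumptions, and the OT gateway entry is there only to show that the same per-request evaluation covers device and industrial principals as well as users.

```python
from dataclasses import dataclass

# Constructed inventory: application name -> network segment it lives on.
# A legacy VPN client that is routed to a segment can reach everything on it.
APPS = {
    "hr-portal":   "10.10.0.0/24",
    "payroll-db":  "10.10.0.0/24",
    "build-farm":  "10.20.0.0/24",
    "plc-gateway": "10.30.0.0/24",   # constructed OT example
}

# Hypothetical least-privilege policy: role -> applications it may be brokered to.
# Nothing here grants a network segment; only individual applications.
POLICY = {
    "hr-analyst":    {"hr-portal"},
    "payroll-admin": {"hr-portal", "payroll-db"},
    "field-tech":    {"plc-gateway"},
}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str
    mfa_passed: bool       # identity verified for this request
    device_managed: bool   # device posture signals, re-checked per request
    device_patched: bool
    app: str               # the single application being requested


def vpn_style(req: AccessRequest):
    """Legacy model: once credentials are verified the client receives routes
    to the corporate segments. Returns (reachable_apps, routed_segments)."""
    if not req.mfa_passed:
        return frozenset(), frozenset()
    # Broad network access: every app on every routed segment is reachable,
    # regardless of role or device state. This is the lateral-movement surface.
    return frozenset(APPS), frozenset(APPS.values())


def ztna_style(req: AccessRequest):
    """Zero Trust model: the broker checks identity AND device posture on every
    request, then allows only the applications the role is entitled to.
    Returns (reachable_apps, routed_segments); the segment set is always empty
    because the client is never placed on the application network."""
    if not req.mfa_passed:
        return frozenset(), frozenset()
    if not (req.device_managed and req.device_patched):
        # Assume-breach posture: a valid credential on an unmanaged or
        # unpatched device is treated as untrusted and gets nothing.
        return frozenset(), frozenset()
    return frozenset(POLICY.get(req.role, ())), frozenset()


def decide(req: AccessRequest, model) -> bool:
    """Allow the request only if the requested app is in the model's reachable set."""
    reachable, _segments = model(req)
    return req.app in reachable


def blast_radius(req: AccessRequest, model) -> int:
    """Number of applications an attacker holding this session could reach."""
    reachable, _segments = model(req)
    return len(reachable)


# Constructed scenario 1: a stolen credential replayed from an attacker's own
# (unmanaged, unpatched) machine. MFA was phished, so it passes.
COMPROMISED = AccessRequest("alice", "hr-analyst", True, False, False, "payroll-db")

# Constructed scenario 2: the same user on a compliant corporate laptop
# asking for the one application her role entitles her to.
LEGIT = AccessRequest("alice", "hr-analyst", True, True, True, "hr-portal")


if __name__ == "__main__":
    for label, req in (("compromised", COMPROMISED), ("legitimate", LEGIT)):
        for name, model in (("vpn", vpn_style), ("ztna", ztna_style)):
            apps, segs = model(req)
            print(f"{label:11} {name:4} allow={decide(req, model)!s:5} "
                  f"blast_radius={blast_radius(req, model)} routed_segments={len(segs)}")
```

Running the block shows the point of the article in two lines of output: the compromised session reaches all four applications and three routed segments under the VPN model, and zero of either under the ZTNA model, while the legitimate request is allowed by both but, under ZTNA, with a blast radius of one application and no network path at all.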

Implementing Zero Trust: Best Practices

Transitioning from VPN to Zero Trust requires careful planning and execution. Desai recommends a phased approach, starting with the most critical applications and high-risk users. Here are some best practices he recommends for implementing Zero Trust:

1. Identify Mission-Critical Applications: Begin by securing the applications that are most critical to your organization. These ‘crown jewel’ applications should be the first to be protected by Zero Trust principles.

2. Focus on High-Risk Users: High-risk users, such as those who frequently fail phishing simulations or have access to sensitive information, should be given priority in the Zero Trust implementation process. Implement strict access controls and continuous monitoring for these users.

3. Apply Zero Trust Principles Consistently: Ensure that Zero Trust policies are consistently applied across all environments, whether users are remote, in-office, or mobile. This uniformity is crucial for maintaining a robust security posture.

4. Educate and Train Users: Finally, user education is a critical component of any security strategy. Ensure that users understand the principles of Zero Trust and the importance of adhering to security policies.

“Zero Trust is a journey, rather than a starting place, particularly for large organizations with diverse IT environments,” Desai acknowledges. “However, a phased approach, starting with mission-critical applications and high-risk users or use cases, like VPN replacement, can help manage this complexity and ensure a smoother transition.”

The Future of Secure Access

The evolution from traditional VPNs to Zero Trust Network Access marks a significant shift in the cybersecurity landscape. As organizations face increasingly sophisticated cyber threats, the limitations of VPNs have become evident. Zero Trust offers a comprehensive approach to security by meticulously verifying access requests, enforcing least privilege principles, providing granular access control, and continuously monitoring user activity while mitigating long-term costs and increasing ROI.

By adopting Zero Trust, organizations can enhance their security posture and protect sensitive data. As Deepen Desai summarized, “Organizations must move away from remote access VPN solutions, especially for crown jewel applications, to reduce risk and enhance security. Zero Trust is not a single technology but a strategy that requires comprehensive implementation across all user environments.”

The post The Evolution of Secure Access: The Shift from VPNs to Zero Trust Network Access appeared first on Cybersecurity Insiders.

“If it ain’t broke, don’t fix it,” is a well-known saying that applies to many things in life but certainly not to businesses. The business environment is rapidly evolving, and one needs to embrace a culture of constant innovation and change to help reduce production costs, boost margins, discover more agile production methods, improve customer success, find new markets to enter and maintain a competitive edge.

IT teams must also prepare for digital resiliency and be able to recalibrate and evolve their infrastructure, because past a certain point legacy infrastructure will break, become inefficient, or become irrelevant. Let’s explore the major hurdles IT teams will have to jump in the coming years.

New Demands and Challenges Arise From Technological Evolution

Even if a major IT disaster or a security incident doesn’t occur, the network will face new challenges brought on by cloud migration, remote working, the Internet of Things (IoT), and new cyber threats. Legacy infrastructure will have to be updated to accommodate evolving technologies, future business requirements, and opportunities.

More Applications Migrate To The Cloud

The public internet has become an extension of the conventional network, with more and more applications moving to the cloud. Organizations will need an efficient way to monitor and manage access to these applications and deal with shadow IT risks. Legacy networks will lack native connectivity, so enforcing policy, controlling, and monitoring these cloud applications and services will become increasingly challenging. 

MPLS Bandwidth Costs Continue To Consume IT Budget

As applications generate more traffic and users consume more bandwidth through latency-sensitive applications like video streaming, MPLS costs will continue to rise and consume a significant portion of the corporate IT spend. Moreover, MPLS technology was not originally engineered to offer the direct-to-cloud performance required by SaaS applications or to support connectivity for mobile and home users. As organizations keep adding locations and workers over time, MPLS becomes cost-prohibitive and complex to maintain and secure.

Widespread WFH Makes Connectivity And User Experience Challenging

As the work-from-anywhere (WFA) trend continues to grow, delivering a consistent user experience becomes increasingly challenging. Sustaining WFH and mobile users adds a major burden on IT compared to supporting conventional users at the office.

The New Hybrid Workforce Introduces New Security Challenges

Organizations must provide remote users, including outsourced consultants and contractors, with network access. This requires implementing secure remote access to only necessary applications and resources with only the required level of permissions to ensure productivity. Additionally, as ransomware and other threats continue to rise, adequate threat prevention tools must protect users and applications from cyber threats. Legacy networking and security approaches will be unable to deliver that granular level of protection.

Expansion Into New Regions Creates Issues

Growing organizations are expected to open offices in new geographical regions in the next few years. With major expansions, mergers and acquisitions taking place, IT teams are under significant pressure to integrate new locations and employees as quickly as possible. MPLS connectivity may not be ideal because it requires months to deploy, and some locations may not support it. 

New Demands Mean New Expenditures

More sites mean more users and more users mean more bandwidth. Eventually, networking and security infrastructures will reach capacity limits, necessitating costly upgrades and replacements. Organizations will also need the additional skills, time and resources to deploy, secure and maintain the incremental infrastructure that will be deployed over the years. This also means training existing staff in new use cases, hiring new staff with the knowledge, or outsourcing tasks to outside partners.

The Telco Headache

Working with major carriers has historically presented challenges, which are unlikely to dissipate anytime soon. Lengthy delays in opening and closing support tickets, the lack of transparency within these large organizations, and the ongoing frustration of holding individuals accountable are issues we’ve experienced. IT departments may encounter mounting frustrations when attempting to have their feature requests fulfilled by telcos prioritizing product reselling over taking ownership of software and hardware design.

Future-proofing Connectivity

The industry is rallying around SASE (Secure Access Service Edge), a cloud-based networking and security approach that converges SD-WAN with Security Service Edge (SSE) functions like secure web gateway (SWG), data leakage prevention (DLP), zero-trust network access (ZTNA), cloud access security broker (CASB) and other security controls, to meet the challenges introduced by the cloud, mobility and shifting network traffic. Here’s why and how SASE helps overcome these challenges:

Meeting Hybrid User Demands: The SASE architecture converges networking and security into a single cloud service for secure, optimized traffic delivery. It enhances network performance by choosing the optimal path for the fastest packet delivery. Whether users are on the road, or at the office in Japan or Spain, they receive consistent performance and secured access to any enterprise resource, including cloud applications and the internet.

Gaining Visibility and Control Over Cloud: A cloud-native architecture delivers a broad range of security capabilities that work in concert with each other. SASE allows enhanced visibility and control for all WAN and cloud traffic flows, enabling better security and streamlined management.

Although SASE represents a major shift in IT strategy, its implementation should not be disruptive. Adopters can gradually integrate SASE, expanding their deployments as service contracts expire or when new requirements dictate. Whether organizations make the move now or later, cloud computing and WFA have already altered network traffic patterns. Organizations must take a closer look at approaches that can adapt and evolve or risk being left behind. 

The post The ROI of Doing Nothing: What to know as new demands are placed on networks appeared first on Cybersecurity Insiders.

The way we work has drastically changed over the last few years. Our data, users, devices, and applications are now everywhere. Just look at the hybrid workforce. According to the Society for Human Resource Management, by next year, 82% of businesses worldwide will have implemented a hybrid work model.

When you consider that number alone, it’s clear that traditional, office-centric models are no longer fit for purpose. In their place is a new hybrid landscape in which employees seamlessly access resources from anywhere and on multiple devices, including personal and corporate-owned phones, laptops, and more.

This digital transformation, coupled with the aforementioned explosion of hybrid work, the continued growing use of Internet of Things (IoT) devices, and Operational Technology (OT) systems, demands a comprehensive security overhaul, and this is where Universal ZTNA steps in.

The Genesis of Universal ZTNA

While ZTNA (Zero Trust Network Access) has been around for some time, Universal ZTNA represents a more holistic approach. Its roots lie in the limitations of traditional network security. Perimeter-based defenses, designed for a centralized workforce and static infrastructure, are struggling to adapt to the dispersed nature of today’s work environment and the ever-growing number of connected devices, which is leaving businesses susceptible to potential cyber-attacks.

A key turning point came in 2022. That’s when Gartner analyst Andrew Lerner authored a blog post titled “ZTNA Anywhere (Re-thinking Campus Network Security).” In his article, Lerner exposed the disparity between security solutions for traditional networks and those needed for the modern, remote-access world dominated by ZTNA. 

This sparked a conversation within the industry, highlighting the need for a more unified ZTNA approach that could secure not just remote users but the ever-increasing attack surface of devices.

Universal ZTNA: A Unifying Force for a Connected World

Universal ZTNA builds upon the core ZTNA principles of least privilege access and continuous verification. However, it extends these principles to encompass all users, devices, and applications, regardless of location or type. Imagine a single, unified security policy governing access for a marketing team member in New York, an engineer working remotely in London, a fleet of delivery vans with route optimization software, and even industrial robots on a factory floor – that’s the power of Universal ZTNA.

Use Cases: Unleashing the Power of Universal ZTNA

Universal ZTNA goes beyond securing just remote users and their devices. Here are some compelling use cases that showcase its versatility in today’s interconnected world:

  • Securing IoT Devices in Manufacturing: Factory floors are teeming with sensors, controllers, and robots that collect and transmit critical data. The impact of these IoT devices is significant, helping address everything from quality control and asset tracking to product optimization and worker safety, all while reducing downtime and increasing efficiency. But they can also introduce security concerns. Universal ZTNA ensures that only authorized devices can access essential systems, reducing the risk of unauthorized modifications or data breaches that could disrupt production.
  • Protecting OT Systems in Critical Infrastructure: Power grids, water treatment plants, and other OT systems offer greater operational flexibility and worker safety but, among other things, introduce new entry points for hackers. Universal ZTNA provides granular access control, ensuring only authorized personnel can manage these critical systems, preventing cyberattacks that could cripple infrastructure.
  • Enabling Secure Remote Maintenance for Industrial Equipment: Field technicians often need to remotely access industrial equipment for maintenance purposes, which can reduce costs and increase efficiencies. Naturally, this can come at a price, including new vulnerabilities. Universal ZTNA allows secure remote connections, eliminating the need for teams to physically visit each site, which can help to reduce downtime.

The Benefits of a Universal Approach

Universal ZTNA offers a compelling value proposition for organizations navigating the complex world of IoT and OT security:

  • Enhanced Security: Least privilege access and continuous verification significantly reduce the attack surface and potential breaches, even for non-traditional devices.
  • Improved Operational Efficiency: Rather than having multiple entry points, it delivers a single, secure remote access point to industrial equipment and systems, streamlining maintenance and troubleshooting processes. 
  • Simplified Management: A unified ZTNA policy simplifies security administration for a vast and diverse device landscape by eliminating the need to manage separate policies and utilize multiple enforcement mechanisms and tools for different user groups.
  • Future-Proof Scalability: As your digital ecosystem expands with more connected devices, Universal ZTNA easily scales to accommodate them, which, among other things, delivers significant cost savings.

Universal ZTNA: Building a Secure Foundation for the Future of Work

It’s no surprise that the way people and businesses operate today has changed dramatically, and in this ever-evolving work environment, Universal ZTNA is vital. With Universal ZTNA, organizations can secure their digital assets effectively, encompassing not just employees but the ever-growing web of devices. By adopting a zero-trust approach that transcends location and device type, you can empower your workforce, streamline security operations, and build a robust foundation for a secure digital future in the age of IoT and OT.

The post The Rise of Universal ZTNA appeared first on Cybersecurity Insiders.