Explore the shift from VPNs to Zero Trust Network Access (ZTNA) for enhanced cybersecurity. Learn how ZTNA ensures secure access with the principle of least privilege and continuous verification. Discover the steps to implement ZTNA and fortify your organisation against evolving cyber threats.
While virtual private networks had already been solving access problems for a generation, 2020 was their shining moment, when they enabled business continuity at scale during lockdowns across industries and nations. But while the benefits appealed to many, the downsides of VPNs took a lot of work to ignore. While they are easy to set up and use, VPNs are tricky to secure.
Sources vary on how many UAE workers regularly use VPNs, but one estimate puts the country and its GCC neighbours among the world’s top adopters, with rates between 35% and the UAE’s 61%. Before this scale-up, VPN technology was long seen as providing quick and secure access to corporate resources from remote locations. Little, if any, thought was given to the running of sessions over insecure links like home or public Wi-Fi networks.
VPNs create encrypted tunnels but preserve user data within them. They hide IP addresses and browsing history from Internet service providers and others, but these popular gateways have drawbacks. They are often directly accessible from the public Internet, which makes them vulnerable to network-scanning and brute-force attacks. This means they are a viable infiltration vector, and threat actors can exploit zero-day vulnerabilities and misconfigurations to sneak into the corporate environment and cause chaos.
The rethink
VPN vulnerability is not a fringe issue or a trivial concern. In 2020, the US National Security Agency went so far as to issue a notice on the configuration of VPNs, highlighting many of the concerns stated above and warning organisations that secure VPN tunnels are difficult to deliver and need constant maintenance. The agency’s bulletin was one of a series of “Oh, wait…” moments experienced by security leaders worldwide over the past few years. Once again, they must rethink their security and IT policies to phase out a legacy go-to because threat actors have found a way to use it to their advantage. The more remote workers you have (and trends seem to be heading in this direction), the more VPN tunnels you must manage. This implies escalating costs and time drains – the opposite of what VPNs were supposed to deliver.
Fortunately, there is an alternative to VPN tunnels – one that is more secure and easier to maintain. It is zero trust network access (ZTNA), a technology combo based on the strong foundation of the principle of least privilege. This approach ensures that users receive only those permissions that they need to get on with their job—no more, no less. And security ecosystems are configured to never automatically trust a user, process, or session when they try to authenticate themselves for access. Verification is done without exception, after which the principle of least privilege takes over.
ZTNA started life in 2009 when cybersecurity professionals ran with Forrester Research’s concept of “never trust, always verify”. The zero-trust standard now has a place within the US NIST framework. Zero trust, as the name suggests, encourages the SOC to trust nobody and no device by default. Every person, policy, machine, and application that is part of the cybersecurity infrastructure must work on the constant assumption that the enemy is already inside the gates and that the job of the security function is, quite simply, to go find it. This approach calls for continual evaluation of the risks to assets and operations. Organisations can move forward with ZTNA in four steps.
- Map the attack surface to ensure the security function knows all critical data and assets. Personally identifiable information, credit card data, and intellectual property are obvious contenders, as are applications, endpoints, and services. But, each organisation is unique, and only a comprehensive panel of stakeholders can compile a comprehensive list of assets.
- Identify all users that will contact the network or any mapped assets. To manage access, implement a single sign-on for all users. Not only will this be more convenient for them, but it will also enhance the visibility of activity for the security team.
- Enable multi-factor authentication (MFA) to require users to verify themselves via a secondary device after initial log-in from a primary device. There are various ways to accomplish this, but a one-time password (OTP) sent as an SMS to a phone is standard.
- Validate every endpoint device used by a credential-holder to access network resources. Any device used for primary login or MFA must be pre-registered, with a record retained of its device ID, serial number, model, and OS. Any unrecorded device should be automatically disqualified from the authentication process.
Leave nothing to chance
The attack surface is growing and SOCs are drowning in complexity. Remote users are on the rise, as is the number and variety of devices they use to access sensitive digital assets. The region’s B2B and B2C businesses are under increasing pressure from regulators and must be able to assure watchdogs that every box is ticked. Zero-trust network access is a box-ticking method, as it leaves nothing to chance and assumes a breach at any given moment. While point solutions are certainly one way to deliver it, complexity will linger under this approach. An all-in-one solution is quicker to deploy and puts less labour burden on the security team. Cometh the hour cometh a new hero: ZTNA.