The sudden shift to remote work in the wake of the COVID-19 pandemic has caused many companies to invest significantly in their secure remote access infrastructure. However, in many cases, this involved doubling down on legacy solutions that do not meet the needs of the modern enterprise.
This has created both network performance and security issues for these organizations. A modern distributed enterprise needs secure remote access solutions designed to meet their needs, such as zero trust network access (ZTNA).
Legacy Solutions Cause Security Headaches
In response to the COVID-19 pandemic, many organizations deployed or expanded virtual private network (VPN) infrastructure or the use of the remote desktop protocol (RDP). While this enabled remote workers to access corporate resources and do their work from home, the same is true of cybercriminals. These legacy remote access solutions have significant security issues that have made them the primary attack vector used by cybercriminals since the start of the COVID-19 pandemic.
Unpatched Vulnerabilities Provide an Entry Point
According to the FBI, the vulnerabilities that are most commonly targeted by cybercriminals are VPN vulnerabilities. An unpatched VPN is an ideal target for an attacker for a few reasons, including:
- Public Exposure: VPNs must be accessible from the public Internet in order to do their jobs.
- Unrestricted Access: VPNs often act as the sole gatekeeper to the network, providing full unrestricted access to authenticated users.
- Critical Infrastructure: With the surge in remote work, VPNs are a critical resource, making it difficult to take them down for updates and patching.
In 2021, cybercriminals are searching for and exploiting even old vulnerabilities in VPN software, taking advantage of the fact that these solutions are now widely deployed, often by companies with little experience using them. Since many of these vulnerabilities provide the ability to achieve remote code execution (RCE) or privilege escalation, they provide an attacker with an initial foothold on the enterprise network.
Lack of Access Controls Enables Lateral Movement
Legacy remote access solutions like VPNs and RDP are not designed to restrict a user’s access to the corporate network. A VPN should provide an experience similar to a direct connection to the network, and an RDP session enables a user to remotely control a system within the corporate perimeter.
This means that, unless an organization has implemented additional layers of security behind their VPN or implemented internal network segmentation, an attacker who has gained access via a VPN or RDP can move freely throughout the network. This makes it easier to access and steal sensitive data without detection and is the reason why RDP and VPNs are some of the most common attack vectors for ransomware campaigns.
Zero Trust Network Access Provides True Secure Remote Access
The zero trust security model is designed to minimize cyber risk by addressing some of the main issues with legacy remote access solutions. Instead of providing authenticated users, devices, applications, etc. with unrestricted access to corporate assets, zero trust mandates that access be granted on a case-by-case basis determined by role-based access controls and contextual information.
VPNs and RDP cannot implement a zero trust policy without deploying additional security solutions. ZTNA, on the other hand, is designed specifically to enforce zero trust access controls for secure remote access.
With ZTNA, all requests for corporate resources go through a controller that makes the decision whether or not the request is authorized and legitimate. If so, access is granted only to the requested asset for the duration of the session.
This approach to secure remote access makes it much harder for cybercriminals to exploit vulnerabilities to gain access to corporate networks and to move laterally through them after gaining a foothold. Deploying ZTNA throughout the corporate network is a vital step towards minimizing cyber risk for the distributed enterprise.
Deploying ZTNA at Scale with Secure Access Service Edge
One of the biggest challenges with implementing a zero trust strategy is enforcing it consistently across an enterprise’s entire IT environment. A wide range of corporate assets distributed across on-premise data centers, cloud deployments, and remote workers’ offices can force tradeoffs between network performance and security with the wrong solution.
Secure Access Service Edge (SASE) makes it possible to deploy zero trust and ZTNA at scale while maintaining high network performance. SASE is implemented as a network of cloud-based points-of-presence (PoPs) that combine the network optimization of SD-WAN with a fully converged network security stack.
This combination ensures that all traffic flowing over the corporate WAN undergoes full security inspection and is optimally routed to its destination. Additionally, since ZTNA is one of the built-in features of a SASE solution, secure remote access with zero trust support comes with SASE out of the box.
The lessons learned from the COVID-19 pandemic have made it obvious that remote work is here to stay. Supporting it securely requires investing in modern secure remote access solutions.