The Home of the Security Bloggers Network
When COVID-19 sparked the surge of work-from-home (WFH) employees, VPNs became a must-have enterprise staple. In fact, since COVID-19, nearly 70% of companies increased their business VPN usage while nearly 30% of other companies leveraged VPNs for the first time.
How reliable are most VPNs? According to the NSA, some ill-equipped VPNs may be highly vulnerable to cyberattacks, which are more pervasive than ever, resulting in more than $4 billion in U.S. losses last year. Every organization is vulnerable and 20% of cybersecurity issues stem from WFH users.
But while nearly everyone has transitioned to distributed work, not everyone carries sensitive information across their VPN, where an exploit could harm their business. So, there are cases where VPNs make a lot of sense. For example, let’s say you’re a developer who works on open source software and uses a VPN to access it—do you really care if your data gets breached? Probably not.
But what if you’re managing highly sensitive data? That’s a completely different ballgame and a VPN may not be the right fit. From high-profile data breaches to foreign cyberespionage activity, VPN security issues persist and you don’t want to become another statistic.
What’s causing these breaches? VPNs authenticate users by simply confirming their username and password. However, once a VPN’s “single fence perimeter” is crossed, entire classes of users have unfettered access to countless apps by just connecting to the enterprise network. Think of it as passing by a building’s security guard—once you’re in, you can roam the entire building.
What’s a better way to manage access? Leverage a zero-trust network access (ZTNA) framework. ZTNA enforces the concept of least privilege. So, users, by default, aren’t granted access to resources until ZTNA knows who they are, their risk behaviors and the risks of the device they use to access company resources.
How does ZTNA grant access to apps? First, it provides conditional app access—which can be very wide or very narrow—depending on the user’s identity, risk profile and device risk. This reduces the attack surface because ZTNA users have no visibility into the apps they don’t have access to.
Additionally, ZTNA implements per-app VPN access. Here, only specified apps on a user’s endpoint device can send traffic to enterprise resources. For example, if a device becomes compromised with malware, ZTNA detects that the malware isn’t an authorized app and therefore blocks it from connecting with the enterprise resource.
As you gear up to launch your ZTNA journey, let’s explore three ways it’ll take your network security access to the next level.
Deep policy definition based on user identity, end device posture and user and device behavior—Think of ZTNA as your network’s ultimate bodyguard, which asks the critical question: Who—and which device(s)—is trying to access which app?
In this role, ZTNA delivers conditional access to apps based on user identity. For example, it’ll recognize that someone works within a particular HR group or possesses a certain role within HR, potentially giving them access to sensitive applications.
ZTNA also assesses risk by observing user behavior. And because risk itself is dynamic, it needs to be constantly evaluated, leading to actions that must be immediately enforced. For example, if an employee logs in at odd hours or logs in from five different locations simultaneously, then different measures may be taken depending on the policy.
Besides looking at user identity and user behaviors, ZTNA also checks the cybersecurity posture of end devices to ensure they’re updated with the latest patches, have antivirus and firewall enabled, and meet a wide range of other parameters, such as checking whether the device is jailbroken or whether screen capture software is installed.
Conditional access based on differing context—After ZTNA checks for user identity, behavior and endpoint posture, it only grants access to the resources that you need.
For example, if you try to access company resources through a jailbroken, unsecured iPhone, your access will be severely limited. Conversely, if you use a company-managed device that has the latest security patches and required software, you’ll have access to far more company resources.
Implementing per-application VPN access—ZTNA further safeguards traffic by granting per-app VPN access, which allows specific apps on your company-issued laptop to access certain apps in the cloud.
By incorporating client-side restrictions, ZTNA designates specific laptop apps for accessing company-sensitive apps. For example, it may only allow Chrome for connecting to restricted company apps.
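The three controls above (identity entitlement, device posture, user behavior and per-app client restrictions) combine into a single default-deny access decision. The following policy engine is an added illustration, not VMware’s or any vendor’s code; the group names, app names, risk thresholds and the `Request` fields are constructed assumptions.

```python
# Added illustrative ZTNA-style policy engine (not VMware's or any vendor's code):
# default-deny, then widen access only as identity, posture and behaviour checks pass.
from dataclasses import dataclass
# Constructed sample policy: which groups may reach which app, and which client
# applications on the endpoint may carry that traffic (per-app access).
APP_POLICY = {
    "hr-payroll": {"groups": {"hr-admins"}, "allowed_clients": {"chrome"}},
    "wiki": {"groups": {"hr-admins", "engineering"}, "allowed_clients": {"chrome", "firefox"}},
}

@dataclass
class Request:
    groups: set                 # identity: directory groups of the user
    app: str                    # enterprise app being requested
    client_app: str             # endpoint process trying to connect
    managed: bool               # company-managed device?
    patched: bool
    av_and_firewall_on: bool
    jailbroken: bool
    login_hour: int             # 0-23 local time
    concurrent_locations: int   # distinct locations with live sessions
    screen_capture_installed: bool = False

def device_risk(r: Request) -> str:
    """Endpoint posture: jailbroken/unmanaged is high; missing patches, AV or firewall is medium."""
    if r.jailbroken or not r.managed:
        return "high"
    if not (r.patched and r.av_and_firewall_on) or r.screen_capture_installed:
        return "medium"
    return "low"

def behaviour_risk(r: Request) -> str:
    """User behaviour: simultaneous logins from several places is high; odd hours is medium."""
    if r.concurrent_locations > 1:
        return "high"
    if r.login_hour < 6 or r.login_hour > 22:
        return "medium"
    return "low"

def decide(r: Request) -> tuple:
    """Return (decision, reason): 'deny', 'limited' or 'full'."""
    policy = APP_POLICY.get(r.app)
    if policy is None or not (r.groups & policy["groups"]):
        return ("deny", "no entitlement")  # app stays invisible to this user
    if r.client_app not in policy["allowed_clients"]:
        return ("deny", "client app not authorised for per-app access")
    d, b = device_risk(r), behaviour_risk(r)
    if "high" in (d, b):
        return ("deny", f"device risk={d}, behaviour risk={b}")
    if "medium" in (d, b):
        return ("limited", f"device risk={d}, behaviour risk={b}")
    return ("full", "identity, posture and behaviour checks passed")
```

A real deployment would feed `device_risk` and `behaviour_risk` from an endpoint agent and an identity provider, and re-run `decide` continuously rather than once at login.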
While ZTNA offers a cutting-edge envelope of capabilities, it cannot solve every access issue alone. However, when ZTNA is integrated with cloud-based security products and services such as secure web gateways and cloud access security brokers (CASBs), these secure access service edge (SASE) components provide end-to-end protection for users.
There’s little doubt that cyberattacks will continue and there’s no security measure that’s 100% bulletproof—unless you unplug everything altogether and put it in a safe. That’s just not practical; ZTNA provides a great option for significantly elevating your network security. From assessing user ID and behavior to managing device risk to implementing client-side controls and transaction restrictions, ZTNA provides a pivotal edge for defending your network from those who might harm it.
Craig Connors is currently VP and CTO for Service Provider and Edge at VMware. Previously, Craig served as the CTO for SD-WAN and SASE at VMware. Prior to being named CTO, Craig served as the Chief Architect for VMware SD-WAN, both before and after VMware’s acquisition of VeloCloud. He came to VeloCloud from Cisco Systems, where he worked in the Corporate Development Technology Group’s Advanced Development Team. Prior to Cisco, Craig spent time as a Principal Engineer and Software Development Manager for Talari Networks. His programming work prior to Talari Networks was centered in the online gaming space, which is what led him to networking. Craig is a veteran of the United States Army and holds a BS in Computer Science from North Carolina State University.