According to Gartner, spending on network security equipment decreased 12.6% from 2019 to 2020 as cloud-based security solutions were adopted to facilitate remote work. At the same time, the pandemic and the massive increase in cloud spending are resulting in an unprecedented 33.3% growth in cloud security spending. Securing applications on premises and services in the cloud requires the adoption of new tactics and technology.
Given the disruption caused by millions of remote workers, it’s no surprise that 2020 was a record year for security breaches leading to data exfiltration. Risk Based Security recently revealed that the number of records exposed has increased to a staggering 36 billion in 2020. There were 2,935 publicly reported breaches in the first three quarters of 2020, with the three months of Q3 adding an additional 8.3 billion records to what was already the “worst year on record.”
In just the last two years there has also been a dramatic increase in serious breaches connected with VPNs. And while VPNs are not inherently flawed, serious security issues are arising from poor patching, which has become far more difficult as dynamic, cloud-centric applications continue to multiply. The vast majority of remote workers access their companies’ systems via a VPN combined with NAC technology. With a VPN, they log into an online portal and establish a secure connection to their home office network using encrypted tunneling. NAC controls who can log in via the VPN; it was designed to confine users to role-based access while also fingerprinting their endpoints. Unfortunately, in today’s environment, VPNs represent a huge attack surface that security operations teams are unprepared to police or protect.
Bad actors are now “routinely” exploiting unpatched VPNs, according to an alert issued by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The agency designated two VPN vulnerabilities, an “arbitrary code execution” flaw in Citrix VPNs and an “arbitrary file reading” vulnerability in Pulse Secure, as the most likely for bad actors to exploit. Neither flaw was among the top 10 common vulnerabilities and exposures from 2016-2019.
CISA also provides guidance on what flaws to prioritize and suggests that Zero Trust could mediate application access, reserving VPN use for specific cases. CISA explains that Zero Trust could serve as a “tactical mitigation” for overloaded VPNs in the new remote workforce dominated by devices outside the corporate network.
But Zero Trust, the model, won’t protect applications and services without a software-defined perimeter implemented as an overlay for the legacy network perimeter.
An article in CIO Dive, “The new cybersecurity priorities of 2020,” examined how the secure network perimeter of offices has disappeared. Companies are having to scale up or buy more technologies and tools for a remote workforce.
The article emphasizes that security tools can only do so much to defend against mistakes by non-technical employees, and that an emphasis on user behavior and awareness is more important now than ever before. “Security is more about protocols of behavior than it is just about the technical things,” Lenley Hensarling, chief strategy officer of Aerospike, told CIO Dive. But “that’s pretty much always been the case.”
“The chance of misdirecting an email or sending the wrong data to the wrong person is probably as big a problem if not a bigger problem when people are sitting at home,” Neil Larkins, CTO and co-founder of Egress, told CIO Dive.
We see Zero Trust moving to the forefront as a new security model, but Zero Trust without a software-defined perimeter (SDP) is incomplete.
SDPs are designed with flexibility, scalability, and security at the forefront. They offer many advantages over access-enablement technologies such as VPNs and NAC and are critical to effective implementation of the Zero Trust Model.
SDP allows enterprises to use a single solution to standardize remote access security for all users and platforms and to scale it more economically while reducing the potential attack surface. With SDP, users get a cloud-like experience, and admins remain in control of their environment.
To achieve zero trust, or “never trust, always verify,” organizations must adopt processes and technology that make their “trust but verify” network security architectures more resilient. The RESILIANT SDP provides an overlay to an in-place network security architecture. It introduces the trust zone, which protects services in the zone from attacks by effectively hiding them from the internet.
RESILIANT SDP features a service-specific gateway, an internet-scale, deny-all packet filter, which dynamically enforces policies controlling which authenticated users, on a validated device and located anywhere, may access a service. The RESILIANT controller is the policy decision point that informs the authentication and authorization of users and their devices. The gateway, unique in its design, dynamically enforces the policy and admits only credentialed users into the trust zone.
Unlike other solutions, the RESILIANT SDP architecture separates the control plane from the data plane, that is, policy decision from policy enforcement. Policies that cannot be enforced cannot protect services. Protected services in RESILIANT’s trust zone are effectively hidden from the internet, leaving attackers and unauthorized users stranded outside the gateway.
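As an added illustration (not RESILIANT’s code or the CSA SDP specification), the following Python sketch models the split described above: a controller acting as policy decision point that issues a signed, short-lived grant, and a deny-all gateway that forwards traffic only when a valid grant exists for that device and service. The shared key, policy table, service and device names are constructed for the example.

```python
import hmac, hashlib, json

# Constructed demo value: controller and gateway share this key so the
# gateway can verify that a grant really came from the controller.
SHARED_KEY = b"constructed-demo-key-not-for-production"

# Control plane: policy lives only in the controller (policy decision point).
# Constructed rule: only alice, from a device whose posture is "patched",
# may reach the "payroll" service.
POLICY = {"payroll": {"users": {"alice"}, "postures": {"patched"}}}
GRANT_TTL = 300  # seconds a grant stays valid

def controller_authorize(user, authenticated, device, posture, service, now):
    """Decide access; return (grant_bytes, signature) or None if denied."""
    rule = POLICY.get(service)
    if not authenticated or rule is None:
        return None
    if user not in rule["users"] or posture not in rule["postures"]:
        return None
    grant = {"user": user, "device": device, "service": service,
             "exp": now + GRANT_TTL}
    body = json.dumps(grant, sort_keys=True).encode()
    sig = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
    return body, sig

# Data plane: the gateway never decides policy; it only enforces grants it
# can verify and drops everything else, so unlisted services stay invisible.
class Gateway:
    def __init__(self):
        self.allow = {}  # (device, service) -> grant expiry time

    def install(self, body, sig, now):
        """Accept a grant only if its signature verifies and it is unexpired."""
        expected = hmac.new(SHARED_KEY, body, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return False  # tampered or forged grant
        grant = json.loads(body)
        if grant["exp"] <= now:
            return False  # stale grant
        self.allow[(grant["device"], grant["service"])] = grant["exp"]
        return True

    def filter(self, src_device, service, now):
        """Deny-all packet filter: forward only traffic covered by a live grant."""
        exp = self.allow.get((src_device, service))
        if exp is None or exp <= now:
            return "drop"
        return "forward"
```

Because the gateway holds no policy of its own, a compromised or misconfigured gateway cannot widen access beyond what the controller has signed, and expired grants close the path again without any further action.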
The “never trust, always verify” architecture of the RESILIANT SDP is like having a private application VPN – but without the vulnerabilities associated with VPNs.
To learn more about RESILIANT and SDP as a pillar of your Zero Trust model check out the whitepapers HERE.
To download the specifications for the Cloud Security Alliance Open-Source SDP visit www.waverleylabs.com.
Let me know what you think. Leave me a comment or reach out to me via LinkedIn to connect and have a discussion.