According to Gartner, spending on network security equipment decreased 12.6% from 2019 to 2020 as cloud-based security solutions increased to facilitate remote work. At the same time, the pandemic and massive increase in cloud spending are resulting in an unprecedented 33.3% growth in cloud security spending. Securing applications on premises and services in the cloud require adoption of new tactics and technology.
Given the disruption caused by millions of remote workers, it’s no surprise that 2020 was a record year for security breaches leading to data exfiltration. Risk Based Security recently revealed that the number of records exposed has increased to a staggering 36 billion in 2020. There were 2,935 publicly reported breaches in the first three quarters of 2020, with the three months of Q3 adding an additional 8.3 billion records to what was already the “worst year on record.”
In just the last two years there has also been a dramatic increase in serious breaches connected with VPNs. And while VPNs are not inherently flawed, serious security issues are arising from poor patching that has become infinitely more difficult as dynamic, cloud-centric applications continue to expand exponentially. The vast majority of remote workers are accessing their companies’ systems via a VPN using NAC technology. With a VPN, they log into an online portal and establish a secure connection to their home office network using encrypted tunneling techniques. NAC controls who can log in via the VPN. It was designed to confine users to role-based access while also fingerprinting their endpoints. Unfortunately, in today’s environment, VPNs represent a huge attack surface that security operations is unprepared to police or protect.
Bad actors are now “routinely” exploiting unpatched VPNs, according to an alert issued by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA). The agency designated two VPN vulnerabilities, an “arbitrary code execution” flaw in Citrix VPNs and an “arbitrary file reading” vulnerability in Pulse Secure, as most likely for bad actors to exploit. These flaws were not one of the top 10 common vulnerabilities and exposures from 2016-2019.
CISA also provides guidance on what flaws to prioritize and suggests that Zero Trust could mediate application access, reserving VPN use for specific cases. CISA explains that Zero Trust could serve as a “tactical mitigation” for overloaded VPNs in the new remote workforce dominated by devices outside the corporate network.
But Zero Trust, the model, won’t protect applications and services without implementing a software defined perimeter as an overlay for the legacy network perimeter.
An article in CIODive, “The new cybersecurity priorities of 2020” examined how the secure network perimeter of offices has disappeared. Companies are having to scale or buy more technologies and tools for a remote workforce.
The article emphasizes that security tools can only do so much to defend against non-technical employees and an emphasis on user behavior and awareness is more important now than ever before. “Security is more about protocols of behavior than it is just about the technical things,” Lenley Hensarling, chief strategy officer of Aerospike, told CIO Dive. But “that’s pretty much always been the case.”
“The chance of misdirecting an email or sending the wrong data to the wrong person is probably as big a problem if not a bigger problem when people are sitting at home,” Neil Larkins, CTO and co-founder of Egress, told CIO Dive.
At Waverley Labs, we see Zero Trust is moving to forefront as a new security model but Zero Trust, without software defined perimeter (SDP) is incomplete.
SDPs are designed with flexibility, scalability, and security at the forefront. They offer many advantages over access-enablement technologies such as VPNs and NAC and are critical to effective implementation of the Zero Trust Model.
SDP allows enterprises to use a single solution to standardize remote access security for all users and platforms, scale them more economically while reducing the potential attack surface. With SDP, users have a cloud-like user experience, and admins remain in control of their environment.
To achieve zero trust or “never trust, always verify” organizations must adopt processes and technology to make their “trust but verify” network security architectures more resilient. Waverley Labs SDP provides an overlay to an in-place network security architecture. Waverley Labs SDP introduces the trusted zone, capable of protecting services in the zone from attacks.
Waverley Labs SDP features a service specific gateway – an internet scale, deny all packet filter- which dynamically enforces policies controlling which authenticated users using a validated device, located anywhere, may access a service. The Waverley Labs SDP controller, is the policy definition point to authenticate and authorize users and their devices. The gateway dynamically enforces the policy and admits only credentialed users into the trusted zone.
Unlike other solutions, the Waverley SDP architecture enables the separation of the control plane from the data plane or policy definition from enforcement. Policies that cannot be enforced cannot protect services. Protected services in Waverley’s trusted zone are effectively hidden from the internet, leaving attackers and unauthorized users abandoned outside the gateway.
The “never trust, always verify” architecture of the SDP is like having a private application VPN – but without the vulnerabilities.
For more info, check out this white paper on Waverley Lab’s deployment of SDP to support a Zero Trust strategy is documented in new CSA research that I co-authored. Titled Software Defined Perimeter (SDP) and Zero Trust the paper evaluates the use of SDP and illustrates how a Zero Trust implementation using SDP enables organizations to defend new variations of old attack methods that are constantly surfacing in perimeter-centric networking models.
Let me know what you think. Leave me a comment or reach out to me via LinkedIn to connect and have a discussion.