Don’t put your trust in anyone or anything — that is the fundamental evolution of cybersecurity. The latest security model, which takes a novel approach in which no users or devices are to be trusted without continuous verification, is gaining traction as organisations strive to stay ahead of security breaches that can cause losses to the tune of millions of dollars.
At the corporate level, as they move to the cloud, more and more businesses are pivoting and implementing zero trust. ET Insights spoke with Yazan Salti, Regional Director, Commercial Team iMEA, BeyondTrust, to get an overview of zero-trust protocols and the overall cybersecurity scenario in India.
While Virtual Private Networking (VPN) and Remote Desktop Protocol (RDP) have been two of the go-to remote access solutions for enterprises for decades, their shortcomings have long been recognized. With the massive shift to remote work since the early days of the COVID-19 pandemic, their increased use exposed and magnified the significant security faults and other issues that were there all along.
The problem is that, while tools like VPN and RDP have their valid use cases, they are often treated by IT teams as the default ways to provide access, rather than understanding the specific use cases and then matching those use cases with the appropriate technology.
In recent years, we’ve seen dozens of VPN vulnerabilities exploited in major business and government breaches. Hackers recognize that, if they can breach a VPN, they can often smoothly bypass a thick stack of traditional, perimeter-based security controls (firewalls, etc.) for complete access to a company’s network. In 2020, ransomware exploded, and 52% of the time it leveraged publicly accessible RDP servers to gain an initial foothold. With threat actors increasingly focusing their efforts on remote workers and weak remote access pathways, there is urgency for organizations to better grasp their remote access risk and course correct.
VPN Misconceptions Come at a Security Cost
There is a common misconception that VPNs are a security tool. More accurately, VPN is a business enablement tool, which was developed to extend access and protect data in transit outside the traditional company network.
The inability to enforce granular access controls or the principle of least privilege, the lack of remote access session monitoring and management capabilities, and the complexity of secure implementation are only a few of the VPN shortcomings that enterprises should consider.
Aligning Remote Access with Zero Trust Principles
Over the past couple of years, the concept of zero trust has gained considerable momentum. Increasingly distributed environments, coupled with the acceleration of cloud migrations and digital transformation in response to the pandemic, have prompted IT teams to look at how to implement and mature zero trust security controls.
A zero-trust security model advocates for the creation of zones and segmentation to control sensitive IT resources. This also entails the deployment of technology to monitor and manage data, users, applications, assets, and other resources between zones, and, more importantly, authentication within a zone or zones. Zero trust requires secure and authenticated access to all resources and the enforcement of least privilege access. A zero trust architecture treats all access requests as potentially malicious — a stark departure from the all-or-nothing access granted by VPNs.
Here are 7 tips for maturing your zero trust security controls for remote access:
- Disable remote access protocols (RDP, SSH, VNC, etc.) as a default on computing devices.
- Implement a remote access solution that doesn’t require inbound Internet connections.
- Inject managed credentials to initiate the remote access session, always obfuscating the credentials from the end user.
- Enforce least privilege across all remote access sessions with privilege elevation strictly controlled.
- Apply just-in-time access policies.
- Implement application-level micro-segmentation that prevents users from discovering apps they are not authorized to access.
- Fully monitor, manage, and audit every privileged remote access session. Alerts should be issued around inappropriate commands typed, for instance.
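To make several of these tips concrete, here is an added example (not part of the original article and not any vendor's code) of a default-deny access check that combines just-in-time grants, controlled elevation, app discovery limited to authorized apps, and command alerting. The users, app names, and alert patterns are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Grant:
    """A just-in-time grant: one user, one application, one time window."""
    user: str
    app: str
    not_before: datetime
    not_after: datetime
    elevated: bool = False  # privilege elevation must be granted explicitly

# Constructed sample data (hypothetical users, apps and alert patterns).
T0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
GRANTS = [
    Grant("alice", "db-admin", T0, T0 + timedelta(hours=1), elevated=True),
    Grant("bob", "web-console", T0, T0 + timedelta(hours=4)),
]
ALERT_PATTERNS = ("useradd", "chmod 777", "history -c")

def visible_apps(user, now, grants=GRANTS):
    """Micro-segmentation: a user can only discover apps with a live grant."""
    return sorted({g.app for g in grants
                   if g.user == user and g.not_before <= now <= g.not_after})

def authorize(user, app, now, want_elevated=False, grants=GRANTS):
    """Default deny: every request is checked against a live, scoped grant."""
    for g in grants:
        if g.user == user and g.app == app and g.not_before <= now <= g.not_after:
            if want_elevated and not g.elevated:
                return (False, "elevation not granted")
            return (True, "granted until " + g.not_after.isoformat())
    return (False, "no active grant")

def audit_session(commands, patterns=ALERT_PATTERNS):
    """Return (line number, command) for each command matching an alert pattern."""
    return [(i, c) for i, c in enumerate(commands, 1)
            if any(p in c for p in patterns)]

if __name__ == "__main__":
    print(authorize("alice", "db-admin", T0 + timedelta(minutes=30), True))
    print(authorize("alice", "db-admin", T0 + timedelta(hours=2)))  # grant expired
    print(visible_apps("bob", T0 + timedelta(hours=1)))
    print(audit_session(["ls -l", "chmod 777 /etc/shadow", "history -c"]))
```

Note that an expired grant and a missing grant produce the same denial, so a user learns nothing about apps outside their current authorization.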
Privileged access management (PAM) is a key piece of the zero trust approach. PAM solutions can help organizations accomplish the above list, and everything from securing remote access for privileged users and vendors, to enforcing least privilege across all users, sessions, and assets, to managing all privileged credentials and secrets. This also means replacing the inappropriate use of VPNs, RDP, and other remote access tools and protocols.