Why IT Leaders Should Forget the Old Ways of Doing Cybersecurity
In a remote-first world, businesses are rapidly replacing virtual private networks with zero trust deployments. Dor Knafo, CEO and co-founder, Axis Security shares why it is time to apply the lessons learned during COVID-19 and embrace the zero-trust approach, designed to meet the needs of the new world order.
Economist John Maynard Keynes once retorted to a critic, “When the facts change, I change my mind. What do you do, sir?”
In modern business, debating whether to change seems like a quaint notion. Businesses are transforming at a pace we have never seen before. When people like Satya Nadella say that they are seeing two years of progress made in digital transformation in two months, you can imagine what that means inside each of those individual IT teams. Chaos. Internal battles over budgets and priorities. It is time for action.While IT teams are used to rapid rates of change, from the cloud to Kubernetes, it is not often that they have the opportunity to apply lessons learned during a crisis while that very crisis is still going on. Yes, it speaks volumes about the longevity of the crisis itself. It also shows a business’s ability to continuously adapt and innovate. With a small number of users, devices, and private apps, the legacy approach to access was somewhat manageable. IT leaders had come to accept what traditional network-based solutions could and could not do. They were safely in the “good enough” category. When COVID-19 hit and suddenly every employee required remote access along with third parties, the weaknesses of legacy approaches became clear. The need for immediate scale was met with roadblocks, such as licensing issues; and operational challenges, such as hardware upgrades, adding agents to endpoints, and other scalability issues.
No company was immune, no matter how technology savvy or deep-pocketed. For example, Cisco was forced to ration VPN access for its staff as the “strain of 100,000+ home workers hit its network.” If that was Cisco’s experience, imagine what the situation was like for the less savvy and well-resourced organizations.
In addition to the operational challenges of scaling VPN infrastructure quickly, there is the issue of increasing enterprise risk. The recent Twitter hack was yet the latest reminder that insiders and outsiders should be treated the same from a security standpoint, with zero trust. Traditional VPN solutions increase risk by taking the opposite of a zero-trust approach. They rely on a single binary decision point at the beginning of a session. Once a user, insider, or third party gains access, VPNs are overly permissive allowing users too much access to the network and bringing users to the doorstep of inherently insecure and vulnerable applications.
Learn More: Zero Trust (Not VPNs) Can Solve Remote Access Crisis
A Better Way Forward
The challenge of providing secure application access is not specific to any one industry, rather it is a key capability for any organization that relies on remote employees and numerous third parties to support their daily operation. In the current environment this is not a nice-to-have capability, it is foundational to efficient business operations.
“It is application access, not network access, that is a major pain point for organizations today. Business applications must be available anywhere, anytime, to any user, on any device,” said John Grady, cybersecurity analyst at ESG Research.
“This market is ripe for disruption. Existing approaches to secure application access are network-focused and primarily use a VPN — posing a lot of difficulties when connecting and managing partners.
The ability to circumvent the network to access applications makes a lot more sense for third parties, employees, and security teams”, says Richard Stiennon, founder and principal analyst at IT-Harvest.
In June, three months after the mass WFH orders upended enterprise IT, Gartner laid out a roadmap for a better way forward in their Market Guide for Zero Trust Network Access (ZTNA).
“Gartner defines zero-trust network access (ZTNA) as products and services that create an identity and context-based, logical-access boundary encompassing a user and an application or set of applications.
The applications are hidden from discovery, and access is restricted via a trusted broker to a collection of named entities. The broker verifies the identity, context and policy adherence of the specified participants before allowing access and minimizes lateral movement elsewhere in the network. ZTNA removes excessive implicit trust that often accompanies other forms of application access.”
Learn More: Oops! Is Your Personality Getting in the Way of Building a Secure Remote Work Environment?
Zero Means Zero
In a zero-trust approach, there should be no exception for the network itself, nor should there be any distinction between an insider and an outsider. The notion of zero trust must be extended to include continuous security monitoring of every user and every request. No movement or request should be trusted. Those who gain access, be it insiders or third parties, should have every move monitored, analyzed, recorded, and authorized before the request is sent to the application.
This is clearly a better, more secure approach to enterprise access, with a growing number of vendors and differentiated solutions for enterprise organizations to consider. The establishment of ZTNA as a distinct market represents a step-change forward in enterprise access that now, in retrospect, has been long overdue.
COVID-19 has shed light on the weaknesses of traditional enterprise access solutions such as VPNs.
As a result, secure application access is an area of increasing attention not only from industry
analysts but executives across all industries. By rapidly adapting to unforeseen circumstances, and applying lessons to forge a better path forward, enterprise IT leaders can truly drive digital transformation at a time of significant change and disruption. At a minimum, the path forward is clear.
Comment below to let us know if you liked this article or tell us on LinkedIn, Twitter, or Facebook. We would love to hear from you!
