Beyond the VPN: how zero trust leads to a SASE future

Any business relying on Virtual Private Networks (VPNs) in 2020 will have seen the technology's capabilities stretched to breaking point. What was designed to deal with a few staff temporarily outside the physical perimeter has suddenly been asked to funnel traffic for an entire workforce. At the same time, attacks on corporate systems are at an all-time high. And those same VPNs that were there to protect have themselves become a vulnerable target, as highlighted in a recent Australian Cyber Security Centre (ACSC) report [1] that references multiple VPN vulnerabilities as initial access vectors targeted by malicious actors.

According to a study by Microsoft and Frost & Sullivan [2], cyber incidents cost Australian businesses up to $29 billion each year. And that was before the pandemic. In Q1 2020, phishing and malware attacks were up 600% [3], including many trying to leverage the coronavirus fears in the community.

With so much at risk, and more attacks than ever, many have found themselves at a critical juncture. According to a Forrester report, 66% [4] of IT decision makers didn’t feel their organisation’s infrastructure was prepared for a heavily remote workforce. Changes must be made to prepare for work beyond the office front door.

VPNs played their role, but it's time to accept that a perfect storm has delivered the fatal blow to the enterprise VPN. The modern enterprise has already been moving toward a faster and more flexible architecture that removes the idea of an 'inside' and an 'outside' altogether.

The corporate network is now the entire Internet

Zero trust is not a product, but rather it is an evolving vision for enterprise security. Zero Trust Network Access (ZTNA) is a technology component and enabler for zero trust that sits within the Secure Access Service Edge (SASE) technology group, which encompasses a variety of technologies that deliver enterprise network and security functions through a cloud-based service that makes user identity the focus of access control.

Enterprises are already adopting SASE technologies like ZTNA, which can not only help transition many VPN use cases to a cloud-based service, but also enable the zero trust paradigm, a common long-term objective for many CISOs.

In today’s cloud-based working environments and with widely distributed teams, the potential corporate attack surface has expanded. In the new environment where access needs to be available from anywhere at any time, it becomes critical to shift to a paradigm where no device or location is treated as inherently ‘secure’.

Following a zero trust model, the attack surface is reduced as there is a shift from network-based access to identity-based access, where users are authenticated and authorised only to specific applications, enforcing the principle of least privilege.

We've all heard stories of the companies that found it was simple for staff to pick up their laptops, go home and keep working. For those who had already moved their environment to a zero trust model, the benefits have been evident during COVID-19 lockdowns.

It works because trust has been decoupled from location, making 'work from anywhere' just as valid to the network as working from an office desk. Indeed, nothing inside the corporate head office is inherently trusted more than any mobile device either. What matters is that authentication and authorisation happen before any access to data or services is allowed, consistently and continuously, regardless of location.

Zero trust is part of a true transformation journey that in many ways parallels the journey to the cloud that companies have already embraced, and it’s a journey that will be further enabled by wider emerging technology trends such as SASE.

Your transformation journey has already begun

Many companies are already a long way into the zero trust journey, and some may not even realise how far they have already come. For example, businesses adopting ‘modern’ access control techniques will likely already be underpinned by zero trust concepts. For those investigating a zero trust approach, here are a few things to consider.

  • Know your enterprise: Take inventory of your assets, work teams, digital services, workloads, processes, network traffic flows and critical dependencies. Tools can be used to automate the discovery process here and even create real-time visibility which can help immensely. Without this knowledge in place you can make planning errors that lead to failure during later steps of the transformation, so knowing your enterprise is vital.
  • Identify targets and risks: With the enterprise mapped clearly, perform risk assessments to determine what should be transformed first. Examine low-hanging-fruit opportunities for a zero trust access approach, such as cloud-based resources and remote workforces. Legacy systems on-premises can often be more complex and time-consuming, requiring a risk-based approach and the potential implementation of tactical controls as an interim step to zero trust.
  • Calculate costs, evaluate options: Analyse risk reports and the potential for data breaches under highly vulnerable legacy systems. Compare potential annualised loss expectancy calculations against implementing a security modernisation program, and then shortlist potential solution providers to deliver zero trust concepts, cloud-first and other SASE solutions where you want to implement them first.
  • Run a pilot: Zero trust is a significant shift and it can impact existing business processes significantly, so a pilot program will ensure apps are supported correctly or that migration plans can be made for apps that won’t work. This is also the right place to discover design or process flaws ahead of a wider rollout.
  • Revisit regularly: Business needs change, especially in the current environment. Continuous assessment is essential to ensuring your choices remain in line with business goals.

Enabling the future

SASE components like Zero Trust Network Access (ZTNA) provide great potential for enhancing the security of your enterprise. But there are many competing priorities in this year's difficult terrain that might make it feel like zero trust is another project to send to the 'someday' file.

It's important to reflect again on what is at risk by choosing to stand still and maintain the status quo with increasingly vulnerable VPNs. Attacks and exploits on legacy networks have cost enterprises millions in lost revenues, remediation efforts, and incident response work. Zero trust concepts aren’t all that new, but technology and cultural silos have hamstrung many efforts to deliver on their promise.

Network and security requirements have often been addressed discretely, and by different operational teams. This is where the SASE model shows great promise, converging many traditionally fragmented aspects of network and security into a unified service platform.

A security transformation can be approached positively. It is an enabler of new business opportunities. When approached in the right way, zero trust concepts and SASE technology components can protect critical data systems while easing friction for users and ultimately enhancing productivity. With everything working successfully in this way, it becomes easier to explore new opportunities and adapt to change.

As risks and attacks increase, those who can demonstrate their commitment to world-class security will proactively enhance their reputations with customers and partners. If we can take any lessons from 2020, it’s that secure connectivity over the Internet is what keeps our community together, by allowing us to be apart, and that cannot be taken for granted.

Principal Security Consultant

Ed Chow

Ed Chow is a cyber security leader at Telstra Purple, the largest Australian-owned technology services business. A SABSA enterprise security architect, CISSP and ISO27001 lead auditor, he has worked in the industry for over 15 years, collaborating with some of Australia's most trusted enterprise clients on the execution of their critical security infrastructure projects. Ed is a continuous improvement advocate, and has a unique perspective to share.

References

[1] ACSC report, Tradecraft summary of tactics, techniques and procedures for 2019-2020
[2] Microsoft and Frost & Sullivan (2018), Understanding the Cybersecurity Threat Landscape in Asia Pacific: Securing the Modern Enterprise in a Digital World
[3] “Q1 2020 Coronavirus-Related Phishing Email Attacks Are Up 600%,” KnowBe4, April 9, 2020
[4] Forrester, Act Now: Your Five Immediate Priorities To Secure A Hybrid Workforce, 2020