Next Gen Zero Trust Access (ZTA) uses a combination of identity management, automated segmentation, control rules, disaster recovery intelligence, and session recording, so that known and unknown attacks can be prevented immediately and clear device control can be maintained. ZTA is cloud-based, which allows it to be deployed in hours instead of months, and the burden of maintaining software, managing jump hosts, and updating user access windows is eliminated.
| | ZTA | Legacy Access |
|---|---|---|
| Protection against Advanced Persistent Threats | ✓ Uses a combination of identity & access management, granular access control list rules, moving target defense, and session recording. | X Relies on VPN and set rules which are slow to update and ineffective against sophisticated attacks. |
| Level of control and visibility | ✓ Combined cybersecurity achieves mutually complementary visibility down to time, user, device, port, and protocol access. | X Access is unrestricted after the legacy access point and no session visibility is maintained. Updates are manual and slow. |
| Time-to-value | ✓ Implementation takes hours. | X Implementation takes months. |
In the early days of Legacy Access, IT teams actually used to allow a direct VPN into a network from an endpoint. This was because per-user access control list rules did not exist yet. The only other option was using numerous concentrators, which take a long time to set up and maintain. So IT teams used single-tenant VPN tunnels based on perimeter security. This meant an endpoint was trusted once it established a VPN connection, with relatively little control over it once it was inside the network.
IT teams used Legacy Access from the 1990s through the 2010s, and it worked well, except for when it didn't. It had one key issue: when Legacy Access connects an endpoint to a device, there is direct bi-directional data transfer. When the endpoint is secure, this is okay. But even with a small amount of malware, each time that endpoint connects, the malware attempts to cross the perimeter into the network and its devices. Combine that with the wide access granted once inside the perimeter and the limitations of detection, and Legacy Access tools were known to allow attackers into networks.
Legacy Access focuses on protecting the tunnel between a remote site and an endpoint. Legacy Access relies on encryption, such as VPNs, and manually configured user rules to secure the remote session. This approach has become obsolete as sophisticated attackers have found other ways around Legacy Access defenses, such as phishing campaigns that combine malware, ransomware, and human error. 80% of companies are estimated to have experienced a ransomware attack, with nearly 50% impacting OT/industrial control system (ICS) environments.
Legacy Access leaves companies constantly in a defensive mode, with static VPNs that are easily identified, mapped, and targeted. Companies using Legacy Access are only able to defend against attacks at human speed and without any visibility to know when one is happening. That approach was the best available at the time, but given today's threats and demands for operational efficiency, it is now inadequate.
Zero Trust Access eliminates these shortcomings by combining multiple cybersecurity capabilities (identity & access management, moving target defense, session recording, continuous monitoring, and request access windows) into one integrated approach, achieving mutually complementary effects that end the entirely reactive posture Legacy Access put companies in.
Legacy Access was designed to secure the connection from an endpoint to the network edge. Some Legacy Access tools go a bit beyond and allow IT managers to specify which protocols are allowed through the tunnel, such as SSH or FTP. That is where Legacy Access tools tend to stop though. They are, in essence, VPN tools. They do not drill down into the network, and they are not highly integrated cross-functional cybersecurity platforms. Modern ZTA gives extensive control and visibility down to designating exactly which IPs, ports, and protocols are permitted per device within the network. Moreover, Legacy Access did not and does not isolate a connecting endpoint from the systems that endpoint talks to. This means malware and ransomware pass through during a session.
Next Gen ZTA solves the problems in control and visibility inherent in Legacy Access. With ZTA, administrators know exactly what is in their network, who has access to what, when they have that access, and what they do during the session, and every session is sandboxed to prevent malware attacks. ZTA platforms with moving target defense mitigate reconnaissance efforts.
ZTA platforms automate the manual aspects of Legacy Access and thereby eliminate the need for maintaining VPN concentrators, jump boxes, manual VDIs, and bastions. Patching and continuous hardening are also maintained by Software-as-a-Service (SaaS) ZTA products.
ZTA tools can be deployed in minutes, not days, and require no manual upkeep. The time-to-value of Next Gen ZTA can therefore be measured in weeks, not years. In these calculations, the total value must be defined by considering three items: the price of the product, the human time spent running it, and the cost of testing and compliance. Because they are at end-of-life, Legacy Access tools are generally inexpensive. But they must be manually managed by security teams (generally the most expensive piece), and many, if not all, lack modern compliance certifications such as SOC 2 Type 2 and ISO 27001 audit reports or alignment documentation against IEC 62443; NERC-CIP Section 5; and NIST CSF, 800-53, 800-82, or 800-160 Volume 2. Such certifications and assessments may cost several multiples of the base price of Legacy Access.
An efficient Next Gen ZTA solution will leverage modern technologies to counter evolving tactics, techniques, and procedures utilized by adversaries to attack organizations, ranging from widespread malware and ransomware to sophisticated reconnaissance and lateral attacks. Here are the protection capabilities to look for:
A ZTA system is a security model that requires all users and devices to be authenticated and authorized before being granted access to a target system. It assumes that all users and devices, even those inside the network, are potentially a security risk and should not be trusted by default.
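To make the access model described above concrete (per-user, per-device rules scoped to destination IP, port, protocol and a request access window, with everything else denied by default and every decision recorded for session review), here is an added illustrative policy evaluator. It is example code written for this page, not Dispel's product or its rule format; the users, devices, addresses and time windows are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample policy (not a vendor rule format): each rule binds one
# user and one enrolled device to a single destination IP, port and protocol,
# valid only inside a UTC access window. Anything not matched is denied.
@dataclass(frozen=True)
class Rule:
    user: str
    device: str
    dest_ip: str
    port: int
    proto: str
    window_start: datetime
    window_end: datetime

def _utc(s: str) -> datetime:
    """Parse an ISO-8601 timestamp and normalise it to UTC."""
    return datetime.fromisoformat(s).astimezone(timezone.utc)

RULES = [
    # alice may SSH to one host from one enrolled laptop during a maintenance window
    Rule("alice", "laptop-17", "10.20.0.5", 22, "tcp",
         _utc("2024-05-01T08:00:00+00:00"), _utc("2024-05-01T17:00:00+00:00")),
    # bob may reach a Modbus/TCP device from an engineering workstation for one day
    Rule("bob", "eng-ws-03", "10.20.0.9", 502, "tcp",
         _utc("2024-05-01T00:00:00+00:00"), _utc("2024-05-02T00:00:00+00:00")),
]

AUDIT = []  # one record per decision, so every attempt is visible afterwards

def decide(user, device, dest_ip, port, proto, at_iso, rules=RULES):
    """Return (allowed, reason) for one connection attempt and log it."""
    at = _utc(at_iso)
    allowed, reason = False, "no matching rule (default deny)"
    for r in rules:
        if (r.user, r.device, r.dest_ip, r.port, r.proto) != (
                user, device, dest_ip, port, proto):
            continue  # identity, device or destination tuple does not match
        if r.window_start <= at < r.window_end:
            allowed, reason = True, "matched rule inside access window"
            break
        reason = "matched rule but outside access window"
    AUDIT.append({"user": user, "device": device, "at": at.isoformat(),
                  "dest": f"{dest_ip}:{port}/{proto}", "allowed": allowed,
                  "reason": reason})
    return allowed, reason
```

Calling `decide` for the same user from an unenrolled device, for a different port, or after the window has closed yields a denial with a distinct reason in `AUDIT`, which is the per-session visibility the text contrasts with a flat VPN tunnel.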
A complete ZTA platform should follow guidelines appropriate to the sector the enterprise is operating in, such as NIST CSF, 800-53, 800-82, and IEC 62443. Modern guidelines generally call for all of the following components: IAM, network encryption and tunneling, moving target defense, network segmentation, endpoint isolation, monitoring and analytics, asset management, and a SOC. By following guidelines from various reference frameworks, organizations can ensure that their ZTA system is comprehensive and effective at preventing attacks.
| | ZTA | Legacy Access |
|---|---|---|
| Identity & Access Management | ✓ | |
| Network Encryption & Tunneling | ✓ | ✓ |
| Moving Target Defense | ✓ | |
| Network Segmentation | ✓ | |
| Endpoint Isolation | ✓ | |
| Monitoring & Analytics | ✓ | |
| Asset Management | ✓ | |
| SOC Integration | ✓ | |
Using a fully integrated ZTA system, like Dispel, is significantly more efficient for operators and administrators because it provides a single, centralized platform for managing access security across the network. Instead of having to manually manage multiple disparate security tools and platforms, operators and administrators can use a single platform to automatically manage access, monitor network activity, and detect and respond to security incidents.
This saves time and reduces the likelihood of errors or oversights that can lead to security breaches.
Integrations also reduce the cost of ownership. Because they contain relatively few components and they are obsolete, Legacy Access tools have a low initial cost. Maintenance, oversight, and management costs drive the price of ownership up considerably because of the number of people needed to manually manage Legacy Access platforms at scale.
Remote access is a critical area that needs to be properly secured. Fortunately, there are various modern security guidelines and requirements, including ones that specifically address remote access. Some of the most important are NIST, IEC 62443, NERC-CIP Section 5, and WITAF 503. These guidelines and requirements provide recommendations and best practices for securing systems and preventing cyberattacks. By following them, organizations can ensure that their networks are protected against cyber threats that could cause significant damage.
NIST
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Department of Commerce responsible for developing and promoting measurement, standards, and technology. NIST provides cybersecurity guidance for organizations, including the Cybersecurity Framework (CSF) and various Special Publications (SPs). Among these SPs are 800-53 (Security and Privacy Controls for Information Systems and Organizations), 800-82 (Guide to Industrial Control Systems (ICS) Security), and 800-160 Volume 2 (Developing Cyber-Resilient Systems). These publications provide comprehensive guidelines for securing industrial control systems and protecting critical infrastructure against cyber threats.
IEC 62443
IEC 62443 is an international standard that provides guidelines for developing a comprehensive cybersecurity management system for industrial automation and control systems (IACS). It includes a lifecycle model that helps organizations manage cybersecurity from the beginning of a project through to the end of the system's life, and includes guidelines for secure development, testing, and deployment of IACS.
Dispel Zero Trust Access is the new standard in control, delivering superior protection from malware, intrusion, advanced persistent threats, and insider attacks. Organizations gain an unprecedented level of control and visibility into each access session in an easy-to-read workflow map that provides the details and context necessary to understand what’s happening on the network and how to proceed effectively.
“If you are looking for a robust product for accessing…assets securely and reliably, this is it.” - IT Security Manager