The Cybersecurity and Infrastructure Security Agency (CISA) has frequently identified virtual private network (VPN) solutions that have been involved in many recent high-profile incidents, both with cyber criminals and nation-state actors. CISA has discovered over 22 Known Exploited Vulnerabilities (KEVs) related to VPN compromise, leading to broad access to victim networks. These incidents and associated vulnerabilities are prompting some to consider replacing their legacy VPN solutions with modern network access solutions. The shift of more services into the cloud also points to the value of Secure Access Service Edge (SASE) instead of a traditional security stack located in an on-premises data center. While some VPN solutions are inherently more secure than others—and not always the cause of major cyber incidents—current hybrid networks require adopting modern network access security solutions to help organizations protect corporate resources. Moreover, these network access solutions provide opportunities to integrate granular access control not inherent to traditional VPN approaches. CISA encourages organizations to carefully analyze how their security needs have changed in light of increased use of cloud services, and to leverage any technology updates to progress in their Zero Trust journey.
Organizations that embrace these newer practices will reach an overall outcome closer to zero trust (ZT) principles.
This report provides an overview of modern approaches to network access security for executive leaders, network defenders of critical infrastructure, and government organizations. The report is specifically intended for organizations wanting to shift from traditional broad remote access deployments and move toward more robust and fine-grained security solutions (i.e., Secure Service Edge [SSE] and Secure Access Service Edge [SASE]). By using risk-based access control policies to deliver decisions through policy decision engines, these solutions integrate security and access control, strengthening an organization’s usability and security through adaptive policies. This report provides best practices for users and organizations transitioning from traditional architectures to the cloud and furnishes primarily cloud-based solutions that can support hybrid and on-premises deployments in pursuit of zero trust goals. This report outlines protections for IT and operational technology (OT) networks across a spectrum of network sensitivities and worst-case consequences of compromise. CISA, the Federal Bureau of Investigation (FBI), New Zealand’s Government Communications Security Bureau (GCSB), New Zealand’s Computer Emergency Response Team (CERT-NZ), and the Canadian Centre for Cyber Security (CCCS) (hereafter referred to as the authoring organizations) urge business owners—regardless of size—to review this report to better understand the vulnerabilities, threats, and practices associated with traditional remote access and VPN deployment, along with the inherent business risk posed to an organization’s network by remote access misconfiguration. The authoring organizations are releasing this report to provide leaders with guidance to help prioritize the protection of organizations’ remote computing environment security while operating under the fundamental principles of least privilege.