Global cybersecurity agencies advocate adoption of zero trust, SSE, SASE to enhance network access security – IndustrialCyber


Transnational cybersecurity agencies released guidance on Tuesday recommending that businesses of all sizes adopt more robust security solutions, such as zero trust, Security Service Edge (SSE), and Secure Access Service Edge (SASE), to gain better visibility into network activity. The guidance helps organizations improve their network access security by laying out the vulnerabilities, threats, and practices linked to traditional remote access and VPN (virtual private network) deployments, and it emphasizes the business risk created by misconfigured remote access to organizational networks.

“By using risk-based access control policies to deliver decisions through policy decision engines, these solutions integrate security and access control, strengthening an organization’s usability and security through adaptive policies,” according to the guidance titled ‘Modern Approaches to Network Access Security,’ published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the Federal Bureau of Investigation (FBI); New Zealand’s Government Communications Security Bureau (GCSB); New Zealand’s Computer Emergency Response Team (CERT-NZ); and the Canadian Centre for Cyber Security (CCCS). 

The network access security guidance provides comprehensive protection strategies for IT and OT (operational technology) networks, addressing various network sensitivities and the potential severe consequences of breaches. Issued to assist leaders in prioritizing the security of remote computing environments, it emphasizes adherence to the principle of least privilege. Additionally, it offers best practices for transitioning from traditional architectures to cloud-based systems and supports hybrid and on-premises deployments aiming to achieve zero trust objectives.

The guidance notes that current modern solutions such as zero trust, SSE, and SASE provide remote access to applications and services based on a granular access control policy. Such a policy rejects access from any user who is not explicitly authenticated and authorized for the particular application or service requested. This gives organizations a more secure approach to network access by applying ZT principles and continuously monitoring user activity, which protects data in transit. Because internal applications are no longer exposed to unnecessary risk, the organization reduces its overall likelihood of compromise and, in turn, better protects data at rest.

“The effectiveness of any proposed modern security solution greatly depends on how the organization’s network and infrastructure is postured,” the network access security guidance said. “Adhering to ZT principles to any degree will enhance your organization’s ability to secure information, keeping it safe from threats and data loss. Current modern solutions—ZT architecture, SSE, and SASE—adhere to ZT principles and provide remote access to applications and services based on a granular access control policy.”

ZT is a collection of concepts and ideas that help organizations enforce accurate per-request access decisions based on the principle of least privilege in information systems and services. ZT operates under the assumption that no user or asset should be implicitly trusted, so each user, device, and application must continually re-authenticate and re-authorize throughout the transaction.
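To make the per-request, default-deny decision model concrete, the following is an added example (not code from the guidance or from any of the authoring agencies) of a minimal policy decision point. The application names, group names, posture attributes and thresholds are assumptions chosen for illustration; a real deployment would source them from its identity provider, device-management system and application inventory.

```python
"""Minimal per-request policy decision point (PDP) illustrating the access
model the guidance describes: default deny, explicit per-application
authorization, and device posture plus phishing-resistant MFA freshness
re-checked on every request rather than once at VPN login.

All application names, groups, attributes and thresholds below are
hypothetical (assumptions for the example), not values from the guidance.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Principal:
    user: str
    groups: FrozenSet[str]
    mfa_method: Optional[str]  # e.g. "fido2", "piv", "totp", or None
    mfa_age_s: int             # seconds since the last successful MFA


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool              # enrolled in the organization's MDM
    disk_encrypted: bool
    days_since_patch: int


@dataclass(frozen=True)
class Request:
    principal: Principal
    device: Device
    application: str
    action: str                # "read" or "write"


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str


# Only methods that resist phishing of the second factor are accepted.
PHISHING_RESISTANT: Set[str] = {"fido2", "piv"}

# Per-application policy (hypothetical): which groups may perform which
# action, how stale an MFA event may be, and whether a managed device is
# required. Anything not listed here is denied by default.
POLICY: Dict[str, dict] = {
    "hr-portal": {
        "allowed": {"read": {"hr", "hr-admin"}, "write": {"hr-admin"}},
        "max_mfa_age_s": 8 * 3600,
        "require_managed": True,
    },
    # An OT-adjacent application gets a much tighter re-authentication window.
    "plc-historian": {
        "allowed": {"read": {"ot-engineers"}, "write": set()},
        "max_mfa_age_s": 900,
        "require_managed": True,
    },
}


def evaluate(req: Request) -> Decision:
    """Evaluate one request. Every check must pass; the first failure wins."""
    policy = POLICY.get(req.application)
    if policy is None:
        return Decision(False, "unknown application: default deny")

    p = req.principal
    if p.mfa_method not in PHISHING_RESISTANT:
        return Decision(False, "MFA missing or not phishing-resistant")
    if p.mfa_age_s > policy["max_mfa_age_s"]:
        return Decision(False, "MFA too old for this application; re-authenticate")

    d = req.device
    if policy["require_managed"] and not d.managed:
        return Decision(False, "unmanaged device")
    if not d.disk_encrypted or d.days_since_patch > 30:
        return Decision(False, "device posture check failed")

    allowed_groups = policy["allowed"].get(req.action, set())
    if not (p.groups & allowed_groups):
        return Decision(False, f"{p.user} not authorized for {req.action} on {req.application}")

    return Decision(True, "allowed")


def run_demo() -> List[Decision]:
    """Constructed sample requests exercising each branch of the policy."""
    good_dev = Device("lt-0001", managed=True, disk_encrypted=True, days_since_patch=5)
    byod = Device("phone-9", managed=False, disk_encrypted=True, days_since_patch=2)
    alice = Principal("alice", frozenset({"hr"}), "fido2", 600)
    bob = Principal("bob", frozenset({"ot-engineers"}), "fido2", 1200)
    bob_fresh = Principal("bob", frozenset({"ot-engineers"}), "fido2", 300)
    carol = Principal("carol", frozenset({"hr-admin"}), "totp", 60)
    return [
        evaluate(Request(alice, good_dev, "hr-portal", "read")),        # allow
        evaluate(Request(alice, good_dev, "hr-portal", "write")),       # deny: not authorized
        evaluate(Request(bob, good_dev, "plc-historian", "read")),      # deny: MFA too old
        evaluate(Request(bob_fresh, good_dev, "plc-historian", "read")),  # allow
        evaluate(Request(carol, good_dev, "hr-portal", "write")),       # deny: TOTP not phishing-resistant
        evaluate(Request(alice, byod, "hr-portal", "read")),            # deny: unmanaged device
        evaluate(Request(alice, good_dev, "wiki", "read")),             # deny: unknown application
    ]


if __name__ == "__main__":
    for d in run_demo():
        print("ALLOW" if d.allow else "DENY ", "-", d.reason)
```

The point of the example is the contrast with a traditional VPN: there, one successful login grants network reachability to everything behind the concentrator, whereas here the application, action, device posture and freshness of the authentication are all re-evaluated on each request, and anything the policy does not explicitly permit is denied.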

To develop zero trust strategies and implementation plans, organizations should adopt CISA’s Zero Trust Maturity Model (ZTMM). The ZTMM presents a gradient of implementation across five distinct pillars, where advancement in maturity can be made over time. The model also presents ways in which various CISA cybersecurity programs support ZT solutions.

Addressing SSE, the network access security guidance describes it as a collection of cloud security capabilities that enable safe browsing, more secure use of software as a service (SaaS) applications, and an easy approach to validating users who access network data. “Moreover, SSE is a comprehensive approach to network security, combining networking, security practices and policies, and services to a single platform. This approach allows organizations to ensure application security and access to data regardless of a user’s device or location. SSE security capabilities consist of Zero Trust Network Access, cloud secure web gateway, Cloud Access Security Broker, and Firewall-as-a-Service,” it added.

While SSE converges security functions into a single cloud service, Secure Access Service Edge (SASE) is a cloud architecture that combines network and security as-a-service capabilities, including software-defined wide area networking (SD-WAN), secure web gateway (SWG), cloud access security broker (CASB), next-generation firewall (NGFW), and zero trust network access (ZTNA).

“Cloud service providers (CSPs) can provide organizations with networking and security as a service in lieu of implementing security solutions on-premises or being directed to data centers,” according to the network access security document. “This allows network administrators to have visibility of all ports and protocols and applications provided by the CSP or the organization. The SASE model offers a secure management interface, reduces complexity, and deploys security appliances that foster robust and more secure policies.”

The network access security guidance also identified that SASE, SSE, and hardware-enforced network segmentation give organizations the potential to replace traditional VPNs and their associated security features, and to adopt policies that take a zero trust approach to modern security implementation. It also encourages entities to assess their security posture and perform a risk analysis before implementing any of these solutions, to determine whether the approaches fit their organization.

In addition to implementing ZT, SASE, SSE, and hardware-enforced solutions, the authoring organizations strongly encourage entities to apply the best practices listed below. These best practices align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and NIST. The CPGs provide a minimum set of practices and protections that CISA and NIST recommend organizations implement.  

Among the measures it proposes, the network access security guidance recommends that organizations implement a centralized management solution, network segmentation, and Security Orchestration, Automation, and Response (SOAR) that automates the response to certain security events. It also focuses on developing, maintaining, updating, and regularly drilling IT and OT cybersecurity incident response plans for both common and organizationally specific scenarios and procedures, and on automating and validating vulnerability scans of public-facing enterprise assets.

It also suggests regularly backing up all systems necessary for daily operations, conducting annual training on basic security concepts, implementing a strong identity and access management solution that verifies identity with phishing-resistant multi-factor authentication (MFA), establishing an adoption roadmap and deployment strategy, and using ZTNA to limit user access to applications through a trust broker.

Additionally, organizations are advised to implement several key measures when transitioning from VPN solutions to SSE/SASE, bearing in mind that migration requires careful planning and phased implementation. These measures include restricting access to the control plane, using a dedicated management interface, regularly patching the VPN solution, and generating and analyzing the network telemetry associated with it. Other recommendations include pre-authenticating users, employing MFA, and using version control to track changes in device configurations.

Recently, cybersecurity agencies from the ‘Five Eyes’ alliance provided updates on the evolving risks to critical infrastructure and described how the nations within the Critical 5 partnership are updating their strategies to protect critical infrastructure. The narrative highlighted shared methods to enhance the security and resilience of the critical infrastructure within their borders. Additionally, it emphasized the necessity for collaborative and coordinated efforts internationally, acknowledging the interconnected nature of critical infrastructure.

