Black Hat insights: Will Axis Security’s ZTNA solution hasten the sunsetting of VPNs, RDP?

By Byron V. Acohido

Company-supplied virtual private networks (VPNs) leave much to be desired, from a security standpoint.

Related: How ‘SASE’ is disrupting cloud security

This has long been the case. Then a global pandemic came along and laid bare just how brittle company VPNs truly are.

Criminal hackers recognized the golden opportunity presented by hundreds of millions of employees suddenly using a company VPN to work from home and remotely connect to an array of business apps. Two sweeping trends resulted: one bad, one good.

First, bad actors instantly began to hammer away at company VPNs, and attacks against instances of Remote Desktop Protocol (RDP) spiked dramatically as well. VPNs and RDP both enable remote access that can put an intruder deep inside the firewall, and attempts to break into them have risen exponentially over the past 17 months.

Conversely, Zero Trust has gained some material traction. As Black Hat USA 2021 convenes in Las Vegas this week, consensus is quickening around the wisdom of sunsetting legacy remote access tools, like VPNs and RDP, and replacing them with systems based on Zero Trust principles, i.e., trust no one.

One start-up, Axis Security, couldn’t be more in the thick of these trends. Based in San Mateo, CA, Axis publicly announced its advanced Zero Trust access tool in March 2020, just as the global economy was slowing to a crawl.

“We came out of stealth mode right at the beginning of all the big shutdowns, and we got a number of customers, pretty fast, who were looking for solutions to remotely connect users to systems,” says Deena Thomchick, vice president of product marketing at Axis. “These were users who never had remote access before.”

I had a chance to sit down with Thomchick to get into the weeds of these countervailing developments. For a full drill down on our lively discussion, please give the accompanying podcast a listen. Here are the main takeaways:

Enticing attack vectors

It’s a good bet that some elevated level of work-from-home is here to stay. A recent Flexjobs survey found 65 percent of remote workers prefer to keep working from home, mainly to save on commuting time and expenses.

VPNs aren’t going to cut it in an environment where remote work predominates. VPNs work by installing a software agent on the user’s computing device. The user must sign in with a username and password and maybe also supply a one-time passcode or a fingerprint. The VPN then opens an encrypted tunnel from the user’s device directly into the company network.

VPN tunnels are an irresistible attack vector, made more enticing than ever with millions more remote users providing direct paths into the guts of their company’s IT infrastructure. VPNs simply were never designed to withstand the scale and scope of attacks directed against them in today’s environment.

To wit, security vendor FireEye this spring disclosed how it found multiple malware families being leveraged to exploit vulnerabilities in Pulse Secure VPN. The attackers targeted defense contractors, financial institutions and governments from around the globe and stole account credentials that could be used in deeper attacks.


Many more VPN and RDP hacks today are being carried out in support of ransomware extortion. The deeper the intruders can get to encrypt critical systems, the more ransom they can try to extort by offering a decryption key. Log data from two popular company VPN suppliers show attempts to break in increased 1,916 percent against one (Fortinet) and 1,528 percent against the other (Pulse Secure) in the first quarter of this year.

“The classic VPN is spectacularly bad at making sure that access is restricted to just one application at a time, and that each connection is controlled and monitored,” Thomchick observes. “And it’s a pipe that opens a hole in your environment, so it’s under attack constantly.”

RDP presents a similar exposure. RDP is a system administrator’s remote access tool that’s built into all Microsoft Windows networks. A compromised RDP instance opens the door to so-called “living-off-the-land” attacks, by which an intruder takes control of numerous other built-in admin tools to carry out malicious activities.

Anti-malware vendor Kaspersky disclosed that it tracked 377.5 million brute-force attacks targeting RDP in February of this year, as compared to 91.3 million observed in the year-earlier period.

Brokered access

As company executives and security vendors alight in Las Vegas this week, these surging VPN and RDP attacks are helping make the case for accelerated adoption of Zero Trust, the notion of never trusting any network user and always verifying what each user is doing.

Zero Trust as a security principle calls for meticulously keeping track of every user’s attempt to access any company application, and following the principle of granting “least privilege,” only those access rights needed to perform a defined task. Zero Trust has been discussed in technology circles since the mid 1990s, but has only taken practical form in the past few years. One implementation that’s gaining steam is referred to as Zero Trust Network Access (ZTNA).

As defined by Gartner, a ZTNA service creates boundaries around an application or set of applications, hides them from public discovery and then imposes access rules on any user seeking to access the application. The ZTNA service provider then serves as an access broker taking full control of access to the applications and, by doing so, shrinking the company’s attack surface.

Axis Security’s Application Access Cloud is a cloud-based ZTNA platform that does all of this while also eliminating the need to install any type of agent on a user’s computing device. The user simply logs on to the Axis Application Access Cloud service and never touches the enterprise network, or the application itself; everything is brokered through the Axis service.

“This can reduce an organization’s overall attack surface by probably 99 percent,” Thomchick says. “There’s no inbound traffic, so there’s no inbound hole in your firewall.”

Unspooling capabilities

By brokering each and every user access request, Axis Security can implement least privilege policies and build an audit trail. If and when someone using stolen credentials should succeed in gaining access to an application, that access would be limited and the imposter would never gain a foothold inside the company’s network.
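The brokered, per-application access model described here and in the ZTNA definition above, as an added illustration that is not Axis Security’s code: it contrasts the network-level reach a VPN login grants with a deny-by-default broker that decides and records each request per application. The policy, users, groups and application names are constructed assumptions.

```python
"""ZTNA-style access broker sketch (added example; not Axis Security's code).

A VPN grants a device a position on the network, so everything behind the
tunnel is reachable once login succeeds; a ZTNA broker decides each request
per application against a deny-by-default policy and records every decision.
Users, groups, application names and the policy are constructed for the demo.
"""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset  # group memberships asserted by the identity provider
    mfa: bool          # whether the session completed a second factor
    app: str           # the single application this request targets

@dataclass
class Broker:
    policy: dict                               # app -> groups entitled to it
    audit: list = field(default_factory=list)  # one record per brokered request

    def decide(self, req: Request) -> bool:
        entitled = self.policy.get(req.app)
        if entitled is None:
            ok, reason = False, "app not published"  # nothing to route to
        elif not req.mfa:
            ok, reason = False, "mfa required"
        elif req.groups.isdisjoint(entitled):
            ok, reason = False, "group not entitled"
        else:
            ok, reason = True, "allowed"
        self.audit.append((req.user, req.app, ok, reason))
        return ok

def vpn_reachable(apps_on_network: set, authenticated: bool) -> set:
    # VPN model: one successful login exposes every host behind the tunnel
    return set(apps_on_network) if authenticated else set()

def ztna_reachable(broker: Broker, user: str, groups: frozenset, mfa: bool) -> set:
    # Broker model: reachability is just the union of per-app allow decisions
    return {app for app in broker.policy
            if broker.decide(Request(user, groups, mfa, app))}

def demo() -> tuple:
    # Constructed scenario: someone holding alice's (HR group) stolen credentials
    apps = {"hr-portal", "git", "finance-ledger", "rdp-jumphost"}
    broker = Broker(policy={"hr-portal": {"hr"}, "git": {"eng"},
                            "finance-ledger": {"finance"}})
    return (vpn_reachable(apps, authenticated=True),
            ztna_reachable(broker, "alice", frozenset({"hr"}), mfa=True), broker.audit)
```

With the same stolen credentials, the VPN model exposes every host on the network, while the broker grants only the one application the HR group is entitled to and leaves an audit record for each denied request.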

“The humans trying to access your environment are fully brokered and managed through a Zero Trust Network Access service,” Thomchick says. “Every request is brokered and controlled . . . they never have that direct network access and they’re only allowed to see the things that they are allowed to see.”

It’s very encouraging to see ZTNA being advanced by innovative cybersecurity vendors. There’s a lot of action going on right now. Gartner has designated ZTNA as a cornerstone of the Secure Access Service Edge (SASE) security framework that’s creating a lot of buzz. SASE, like ZTNA, is in a nascent stage; both are major pieces of an emerging roadmap for infusing privacy and security deeply into our laptops, smartphones, IoT devices and cloud infrastructure.

What Axis Security has in production today, focused on human users connecting to business applications, is just a beginning.

“Once you get users connected to applications, then the immediate next step is to address services accounts, and then service-to-service connections and access,” Thomchick says. “As you start to unspool the capabilities, and focus on where it’s possible to put this kind of visibility and control into a system, the opportunities and the options start to get really wide.”

Indeed, ZTNA, SASE and probably several more leading-edge initiatives will have to continue evolving and progressing to get us where we need to be. I’ll keep watch and keep reporting.


Pulitzer Prize-winning business journalist Byron V. Acohido is dedicated to fostering public awareness about how to make the Internet as private and secure as it ought to be.


(LW provides consulting services to the vendors we cover.)
