IS THERE A BETTER WAY FOR CONNECTING REMOTE USERS THAN A VPN?

We all know VPNs and SSL-VPNs, for better and for worse, this is the way we make remote connections to internal apps and resources – Virtual Private Networks.

Since the goal is to achieve connection to an application, or a resource, why then are we connecting users to the entire network? Just to access an app…

Most critical business applications today, such as Office productivity (365,Gmail), CRM (Salesforce), Unified communications, and more are in the cloud, so a technology which routes users into the corporate network just to send it back out, simply does not make sense anymore.

TYPICAL USER-VPN FLOW

• A user needs access to company resources, so it uses the corporate VPN client to connect to the local VPN concentrator.
• Once connected, traffic must pass through additional security appliances, such as firewalls, intrusion-prevention systems, internal load balancers, and more.
• The user gains full network access to company resources, which poses potential security risks and could have regulatory implications.
• If the user connected to a remote office, the session must pass over the WAN to the data center, and then out to the Internet.
• The user is finally able to connect to Office 365, Amazon Web Services, or other cloud service required.
• That entire sequence then takes place in reverse when sending the data back to the user.

VPN IN A NUTSHELL

• Cumbersome to use 
• Places users on-network which increases risk
• Poor end user experience
• Inbound connections exposes for DDoS attacks
• Requires appliances, ACLs and FW policies
• No ability to provide application segmentation
• Lack of visibility into app-related activity

A BETTER WAY – ZERO TRUST SECURITY

Applications are being migrated to cloud and users moved off the network. This new world cannot be secured by legacy technologies. It requires zero-trust security, leading to enterprise adoption of the software-defined perimeter.

Software-Defined-Perimeter, is a network security method that stemmed from work of the Defense Information Systems Agency (DISA) in 2007. As such, this is a completely different network security method than the traditional DMZ. It provides zero-trust access to internal applications using software—on a need-to-know basis—by looking at two criteria: User device and User identity.

ZSCALER PRIVATE ACCESS

Zscaler Private Access (ZPA) delivers policy-based, secure access to private applications and assets without the cost, hassle, or security risks of a traditional VPN. ZPA provides all off the benefits of a traditional VPN but without any of its downsides and headaches.

With ZPA, when a mobile user attempts to access an internal application while on the road, their experience is completely seamless, and they never have to login to a VPN in order to access an application.

ZPA is very very much like SD-WAN in that instead of software defining the company network it’s applying the “SD” principals to access.

HOW DOES IT WORK?

We use our cloud to create a brokered connection between an authorized user and an internal application. Our Z-app agent connects the user to the Zscaler Security Cloud, without placing it on internal network. We then verify that user has appropriate level of access to application via zero-trust access policies set by IT admins, and securely stitch together the application to user connection within the cloud itself.

KEY BENEFITS

This solution is 100% software-based and requires no firewalls or appliances for the service to secure access to an app.

• Seamless, transparent and always connected to specific company resource 
• Connect users to applications without placing users on the network
• Never expose applications to unauthorized users
• Enable app segmentation without network segmentation
• Provide secure remote access without using VPN appliances
• Provide in-depth visibility into the corporate application environment

CONCLUSION

For years, VPNs is a frustrating pain for both IT and Users. Businesses use them because there was no other way of enabling workers to connect when off the company premises.

Zscaler has built ZPA from the ground up to connect workers to resources in a cloud- first world. ZPA is the first remote access technology able to finally put an end to legacy VPNs.

There is a better way for connecting users to internal applications. Zero-Trust access is a better way. Zscaler Private Access (ZPA) not only makes end-users life easier, but it also simplifies management aspects for IT, Increases security, and with no hardware required, it also saves on CAPEX and OPEX.

Awareness for Cyber Security is now higher than ever. The public is constantly exposed to reports in the media flashing cyber-attacks and the damages they cause. Security is everywhere and it is taking more and more resources to defend, and a lot more of IT budget.

Reports indicate that security takes significantly larger portions of IT spends every year in the last 5 years, and expected to continue growth in the next few years to reach nearly half of IT budget. ZDNet ‘Corporate IT Budget Survey’ reveals that over 50% of organizations has improving security as their number one priority for 2018.

Corporations now invest more in multiple security layers – Prediction, Prevention, Detection and Response, along with Security personnel costs, expenses are sky high. There is now a growing need for ways to justify expenses to the board, or to CFOs.

CSOs struggle finding the right language to reflects security economics and to justify – “what are we getting for this money?”. This topic is a very common discussion among CSOs on forums and communities.

Returning the investment here is basically preventing unexpected expenses as a result of an attack. This could be due to Damage to data, Extra expenses, Loss of income, Lawsuits, Extortion, Reputation, etc. CSOs challenge is how to reflect this to the board and “materialize” these entries in the budget datasheet as ROI.

IT’S ALL ABOUT RISK MANAGEMENT AND LOSS PREVENTION

Let us base the ROI calculations on direct financial loss prevention: if by spending $10 an organization can prevent a highly probable annual loss of $1000, management will surely allocate the $1000 budget. The challenge here for CSO is to be able to prove the true need for that $10, not less, and that the risks mitigated with the $100 would really cause a highly probable $1000 direct loss to the organization.

The expected financial loss caused by the attack is the Annual Loss Expectancy, or ALE – the number of incidents X potential loss per incident. In this case, let us say – six incidents may be expected in a year, so we are looking at an ALE of $6000 (Number of Incidents per Year) x (Potential Loss per Incident).

Part of risk management and assessment frameworks, this process is not very common when it comes to SMB and SME. Those do not always comply with regulations and may not be structured in a way to properly plan and execute cyber security frameworks in a directive way, for example, by utilizing a Cyber Security Director.

In such cases, the CSO role must classify assets and identify ones which are most valuable to the organization, and which protecting those would potentially produce the higher ROI for their protection investment. This means that compromising those would cost the company a great amount of money. Such assets would be critical by means of privacy (ie. Customer Information), Financial value (ie. Confidential data), Critical Processes (ie. Finance Processing) etc.

THE WEAKEST LINK

Business assets are constantly accessed by… business users. Here is why the ROI for securing users would have the highest return: Hackers have long realized that users are the weakest link in the organization and are the easiest way to infiltrate boundaries. Here is an example – phishing a user is relatively easy, and takes minimal investment of time and money from the attacker to execute. This means we can conclude that the lower the investment and the ROI for the attacker – the higher the ROI would be for the organization.

The equation is simple – organizations must fight to lower the hacker’s ROI in order to capitalize on theirs. The more the hacker invests in the attack, the higher the cost would be to defend, and the lower the ROI for the organization would be.

CONCLUSION

Projecting the return of investment when it comes to security is a challenge, especially when it is presented to c-level stakeholders which may not come from the technical worlds, and do not quite comprehend security. The way to start is by taking a step into understanding today’s threats and the specific business needs for protecting users and assets.

Organizations still feel safe and trust old, traditional security, when they are really not even near being able to deal with modern threats. Firewall UTM is your savior? counting on Security information and event management (SIEM) to let you know?

Traditional layers of security we all have on our network, such as Firewall, Antivirus, Intrusion prevention and detection systems – more and more fail to secure and are simply no longer effective dealing with the modern malware threats which are built to easily penetrate through old security.

Organization Users, Apps and Networks, are constantly transformed to the Cloud, and are out of traditional security perimeters. Network borders are becoming irrelevant, old school solutions are simply not capable of providing security in this architecture, and will keep losing battles to today’s threats. Someone once said it is like protecting your country only with a wall, not taking into account new threats such as air or sea attacks.

A few examples for scenarios where traditional security will very likely fail to protect:

INFECTIONS BY ENCRYPTED TRAFFIC

In the past few years, the majority of internet traffic became encrypted with SSL. Unencrypted web traffic is now less than half of internet traffic. Google, Facebook, YouTube, 365, Dropbox, Google Drive – all now run over SSL and this changes the way protection is to be made.

In order to scan encrypted traffic, you need to decrypt it. To decrypt it, you need resources… lots of it. Traditional Security is not built for decrypting 60% of passed through traffic, and with limited resources, they reduce loads by whitelisting destinations to save on resources. “Trusted” sites and CDNs will be the first to be bypassed.

INFECTIONS VISITING A “LEGITIMATE” SITE

Such infection is very common in the last few months. This method takes advantage of the fact that the site is supposedly clean and trusted, thus old school security does not scan this traffic, or fails to identify the specific module within the webpage page, which was hacked and contains the payload.

A firewall/UTM would obviously fail with access control, as outbound web traffic HTTP/HTTPS is permitted for users. DNS based solutions which are seen lately, will not be able to address this challenge either, as it relays on the site reputation and not its content.

INFECTIONS WHILE OUTSIDE CORP NETWORKS

This would be the biggest challenge for traditional security, as the user is outside the network, perhaps at home; perhaps letting his children use his work laptop.

Infecting in this case is easiest of all, as there is hardly any security system protecting the station. This is seen with Ransomware infections, which would explode on the local network when the user is back in office or connected via VPN.

DOWNLOADING A NEW/UNKNOWN/ZERO-DAY MALWARE

This method takes advantage of the fact that traditional security is using a database of file hashes when looking for malware; it does not scan the content. Such threats penetrate easily though FW and AV when the malware is unknown or just not “old” enough to be included in the latest update to all security appliances around the world.

If an organization is under a targeted attack (custom made), old security does not stand a chance to protect or event to detect.

GOT INFECTED?

In case of infection, how long does it take for IT to acknowledge they are compromised? Surveys claim nearly a year in average. Prevention is important, but it should be backed up with Detection and Response.

Visibility is key for identifying threats and threat patterns. Traditional solutions such as SIEM, are used for gathering logs but they are not really alerting IT about infections and their remediation, as they do create a lot of time consuming work for their complex management and non-focused, never-ending alerting. who’s monitoring the monitor?

CONCLUSION

In conclusion, Firewalls, AV, IDS, IPS and other old security layers are not enough to stop malware threats. Even monitoring these layers is no longer effective. A different way of thinking must be adopted.

Are you still relying exclusively on old school technologies to protect your organization?

To learn more about how we help fill these gaps and secure more efficiently, and to run a free security preview, click here.

1. Order an MPLS link from your branch office to your corporate. This solution takes much time and resources to fulfill and may not be optimal for most organizations who are not well prepared for it in advance.
2.  Register your VPN with the authorized telecom provider. Problems shall occur since the process of legitimately registering with Chinese telecom companies has yet to take shape, in addition to the fact that corporate traffic shall be monitored by the Chinese authorities
3. Use Internet Binat and Aryaka private network to bypass the traffic directly and securely to your headquarter or main office in just a few days.