ZTA is the next step in access management, using an integrated approach to deliver more complete and effective facility security than is possible with legacy access tools.
Next Gen Zero Trust Access (ZTA) uses a combination of identity management, automated segmentation, control rules, disaster recovery intelligence, and session recording, so known and unknown attacks can be immediately prevented clear device control can be maintained. ZTA is cloud-based, which allows it to be deployed in hours instead of months, and the burden of maintaining software, managing jump hosts, and updating user access windows is eliminated.
Next Gen ZTA vs Legacy Access
|
|
ZTA |
Legacy Access |
|
Protection against Advanced Persistent Threats |
✓ Uses a combination of identity & access management, granular access control list rules, moving target defense, and session recording. |
X Relies on VPN and set rules which are slow to update and ineffective against sophisticated attacks. |
|
Level of control and visibility |
✓ Combined cybersecurity achieves mutually complementary visibility down to time, user, device, port, and protocol access. |
X Access is unrestricted after the legacy access point and no session visibility is maintained. Updates are manual and slow. |
|
Time-to-value |
✓ Implementation takes hours. |
X Implementation takes months. |
In the early days of Legacy Access, IT teams actually used to allow a direct VPN into a network from an endpoint. This was because per-user access control list rules did not exist yet. The only other option was using numerous concentrators, which take a long time to set up and maintain. So IT teams used single-tenant VPN tunnels based on perimeter security. This meant an endpoint was trusted once it established a VPN connection, with relatively little control over it inside the network once they were in.
IT teams used Legacy Access from the 1990s through 2010s, and they worked well, except for when they didn’t. They had one key issue: when Legacy Access connected an endpoint to a device, there is direct bi-directional data transfer. When the endpoint is secure, this is okay. But even with a small amount of malware, each time you connect an endpoint the malware is trying to transfer across the perimeter and into the network and its devices. Combine that with the wide access once within the perimeter and limitations of detection, and Legacy Access tools were known to allow attackers into networks.
Protection against Advanced Persistent Threats
Legacy Access focuses on protecting the tunnel between a remote site and an endpoint. Legacy Access relies on encryption, such as VPNs, and manually configured user rules to secure the remote session. This approach has become obsolete as sophisticated attackers have found other ways around Legacy Access defenses, such as leveraging phishing attacks that use malware, ransomware, and human error to launch attacks. 80% of companies are estimated to have experienced a ransomware attack, with nearly 50% impacting OT/industrial control system (ICS) environments.
Legacy Access leaves companies constantly in a defensive mode, with static VPNs that are easily identified, mapped, and targeted. Companies using Legacy Access are only able to defend against attacks at human speed and without any visibility to know when one is happening. That approach was what was the best at the time but today, with threats and operational efficiencies, it is now inadequate.
Zero Trust Access eliminates these shortcomings by combining multiple cybersecurity capabilities—such as identity & access management, moving target defense, session recording, continuous monitoring, and request access windows—into one integrated approach to achieve mutually complementary effects that eliminates the entirely reactive posture Legacy Access put companies in.
Level of control and visibility
Legacy Access was designed to secure the connection from an endpoint to the network edge. Some Legacy Access tools go a bit beyond and allow IT managers to specify which protocols are allowed through the tunnel, such as SSH or FTP. That is where Legacy Access tools tend to stop though. They are, in essence, VPN tools. They do not drill down into the network, and they are not highly integrated cross-functional cybersecurity platforms. Modern ZTA gives extensive control and visibility down to designating exactly which IPs, ports, and protocols are permitted per device within the network. Moreover, Legacy Access did and does not isolate a connecting endpoint from the systems that endpoints talk to. This means malware and ransomware pass through during a session.
Next Gen ZTA solves the problems in control and visibility inherent in Legacy Access. With ZTA, administrators know exactly what is in their network; who has access to what; when they have that access; what they do during the session; and sandboxes all session to prevent malware attacks. ZTA platforms with moving target defense mitigate reconnaissance efforts.
Time-to-value
ZTA platforms automate the manual aspects of Legacy Access and thereby eliminate the need for maintaining VPN concentrators, jump boxes, manual VDIs, and bastions. Patching and continuous hardening are also maintained by Software-as-a-Service (SaaS) ZTA products.
ZTA tools can be deployed in minutes, not days, and require no manual upkeep. The time-to-value of Next Gen ZTA can therefore be measured in weeks not years. In these calculations, the total value must be defined by considering three items: the price of the product, the human time spent running it, and the cost of testing and compliance. Because they are at end-of-life, Legacy Access tools are generally inexpensive. But they must be manually managed by security teams—generally the most expensive piece—and many if not all do not come with modern compliance certifications such as SOC 2 Type 2 and ISO 27001 audit reports or alignment documentation against IEC 62443; NERC-CIP Section 5; and NIST CSF, 800-53, 800-82, or 800-160 Volume 2. Such certifications and assessments may cost several multiples of the base price of Legacy Access.
What to look for in a Next-Generation ZTA Solution?
An efficient Next Gen ZTA solution will leverage modern technologies to counter evolving tactics, techniques, and procedures utilized by adversaries to attack organizations, ranging from widespread malware and ransomware to sophisticated reconnaissance and lateral attacks. Here are the protection capabilities to look for:
Gaining visibility & control
- Identity & Access Management (IAM): IAM is responsible for identifying and authenticating users and devices and authorizing them to access resources. IAM includes components such as time-based access windows, multi-factor authentication, identity federation, and role-based access control.
- Asset Management: Asset management tools are responsible for registering and tracking all devices on the network. This includes assigning IP addresses, ports, and protocols permissible for network activity. Asset management tools give organizations visibility into their network, making it easier to identify and manage potential security risks. By tracking all devices on the network, organizations can ensure that only authorized devices are connected to the network, and that they are operating within the expected parameters. This helps to prevent unauthorized changes to the network and ensures that critical systems are protected from cyber threats.
Prevention of targeted attacks
- Moving Target Defense: A moving target defense (MTD) tool prevents vulnerability exploitation and target analysis by attackers. MTD networks significantly increase the cost of targeting and attacking OT systems by rendering reconnaissance intelligence obsolete and useless in an hourly or daily basis. MTD networks are also critical for dealing with ransomware, since they can automatically patch their components.
- Network Segmentation: Network segmentation is the process of dividing a network into smaller segments, each with its own security controls. Segmented networks limit the exposure of critical systems and reduce the risk of lateral movement by attackers.
Prevention of malware & ransomware
- Endpoint Isolation: Endpoint isolation involves securing devices and systems that are connected to the network, including computers and mobile devices. This disposable intermediate infrastructure, such as hardened, cycling virtual desktops.
- Network Encryption and Tunneling: Network encryption and tunneling secures traffic to and from the industrial control system over the public internet against intercepted data being read by unauthorized parties. In particular, a Virtual Private Network (VPN) or Software Defined-Wide Area Network (SD-WAN) can provide a secure and encrypted connection between multiple endpoints over a public network such as the internet.
Security monitoring integration
- Monitoring and Analytics: Monitoring and analytics tools provide visibility into network activity and detect anomalies and threats in real-time. This includes session recording, network activity logs, keystroke logging and integrations with tools such as Security Information and Event Management (SIEM) and User and Entity Behavior Analytics (UEBA).
- Security Operations Center: A security operations center (SOC) is a centralized unit responsible for monitoring and responding to security incidents. The SOC is staffed by security professionals who use advanced tools and techniques to detect and respond to security incidents.
How ZTA Works
A ZTA system is a security model that requires all users and devices to be authenticated and authorized before being granted access to a target system. It assumes that all users and devices, even those inside the network, are potentially a security risk and should not be trusted by default.
A complete ZTA platform should follow guidelines appropriate to the sector the enterprise is operating in, such as NIST CSF, 800-53, 800-82, and IEC 62443. Modern guidelines generally call for all the following components: IAM, network encryption and tunneling, moving target defense, network segmentation, endpoint isolation, monitoring and analytics, asset management, and a SOC. By following guidelines from various reference frameworks, organizations can ensure that their ZTA system is comprehensive and effective in attack prevention.
Compare and contrast
|
|
ZTA |
Legacy Access |
|
Identity & Access Management |
✓ |
|
|
Network Encryption & Tunneling |
✓ |
✓ |
|
Moving Target Defense |
✓ |
|
|
Network Segmentation |
✓ |
|
|
Endpoint Isolation |
✓ |
|
|
Monitoring & Analytics |
✓ |
|
|
Asset Management |
✓ |
|
|
SOC Integration |
✓ |
|
Integrated OT ZTA Solutions Are Significantly Faster
Using a fully integrated ZTA system, like Dispel, is significantly more efficient for operators and administrators because it provides a single, centralized platform for managing access security across the network. Instead of having to manually manage multiple disparate security tools and platforms, operators and administrators can use a single platform to automatically manage access, monitor network activity, and detect and respond to security incidents.
This saves time and reduces the likelihood of errors or oversights that can lead to security breaches.
Integrations also reduce the cost of ownership. Because they contain relatively few components and they are obsolete, Legacy Access tools have a low initial cost. Maintenance, oversight, and management costs drive the price of ownership up considerably because of the number of people needed to manually manage Legacy Access platforms at scale.
Security Standards Govern Access
Remote access is a critical aspect that needs to be properly secured. Fortunately, there are various modern security guidelines and requirements, including those that address remote access. Some of the most important ones are NIST, IEC 62443, NERC-CIP Section 5, and WITAF 503. These guidelines and requirements provide recommendations and best practices for securing systems and preventing cyberattacks. By following these guidelines and requirements, organizations can ensure that their networks prevent against cyber threats that could cause significant damage.
NIST
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the United States Department of Commerce responsible for developing and promoting measurement, standards, and technology. NIST provides cybersecurity guidance for organizations, including the Cybersecurity Framework (CSF) and various Special Publications (SPs). Among these SPs are 800-53 (Security and Privacy Controls for Information Systems and Organizations), 800-82 (Guide to Industrial Control Systems (ICS) Security), and 800-160 Volume 2 (Developing Cyber-Resilient Systems). These publications provide comprehensive guidelines for securing industrial control systems and protecting critical infrastructure against cyber threats.
IEC 62443
IEC 62443 is an international standard that provides guidelines for developing a comprehensive cybersecurity management system for industrial automation and control systems (IACS). It includes a lifecycle model that helps organizations manage cybersecurity from the beginning of a project through to the end of the system's life, and includes guidelines for secure development, testing, and deployment of IACS.
Replacing your outdated Legacy Access
Dispel Zero Trust Access is the new standard in control, delivering superior protection from malware, intrusion, advanced persistent threats, and insider attacks. Organizations gain an unprecedented level of control and visibility into each access session in an easy-to-read workflow map that provides the details and context necessary to understand what’s happening on the network and how to proceed effectively.