Government agencies in the US, New Zealand, and Canada have published new guidance for organizations to adopt more robust security solutions to improve their visibility into network activity.
Titled Modern Approaches to Network Access Security (PDF), the document details modern security solutions – such as Secure Service Edge (SSE) and Secure Access Service Edge (SASE) – that organizations can transition to beyond VPNs to ensure secure access to their hybrid environments.
VPN solutions, the guidance shows, have been involved in multiple recent high-profile cyber incidents, and, while some of them are more secure than others, modern network access solutions provide granular access controls that traditional VPNs do not offer.
“Organizations that embrace these newer practices will reach an overall outcome closer to zero trust (ZT) principles,” the document reads.
Authored by CISA, the FBI, New Zealand’s Government Communications Security Bureau (GCSB) and CERT, and the Canadian Centre for Cyber Security (CCCS), the document outlines the vulnerabilities and risks associated with VPNs and remote access misconfigurations, and is meant to help organizations transition to more secure solutions.
“The authoring organizations are releasing this report to provide leaders with guidance to help prioritize the protection of organizations’ remote computing environment security while operating under the fundamental principles of least privilege,” the document reads.
VPN solutions, the authoring agencies say, are susceptible to vulnerabilities and misconfigurations, and, unless network segmentation and principles of least privilege and zero trust are implemented, do not protect against other network weaknesses, including device compromises and poor cyber hygiene.
“Vulnerabilities in VPN systems can lead to substantial impacts to organizations if exploited by threat actors because they may enable easy access across a large enterprise network after successful exploitation of the device,” the guidance shows.
Roughly two dozen security defects in CISA’s Known Exploited Vulnerabilities (KEV) catalog are related to VPN compromise leading to broad access to victim networks, including Ivanti gateway bugs (CVE-2023-46805, CVE-2024-21887, and CVE-2024-21893) and a Citrix appliance flaw (CVE-2023-4966, aka CitrixBleed).
“Current modern solutions – Zero Trust, SSE, and SASE – provide remote access to applications and services based on a granular access control policy. This type of policy rejects access to users who are not explicitly authenticated and authorized for a particular application or service,” the government agencies say.
Organizations can implement zero trust principles and continuously monitor user activity to achieve a more secure approach to network access, and can reduce the risk of compromise and better secure data at rest by not exposing internal assets, the guidance notes.
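To make the quoted policy model concrete, the following is an added Python sketch, written for this article rather than taken from the guidance or any vendor product it names, of a per-application, default-deny access decision that is re-evaluated when session posture changes; the policy table, session fields and application names are constructed assumptions.

```python
"""Minimal ZTNA-style policy decision point (hypothetical, constructed for illustration).
Each request names a user, a device posture and exactly one application. Anything not
explicitly allowed is denied, unlike a VPN, which grants network reach after one login."""
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    groups: set            # identity provider group memberships
    mfa_verified: bool     # explicit authentication strength
    device_compliant: bool # device posture signal, may change mid-session
    app: str               # the single application being requested


# Constructed sample policy: one explicit rule per application.
POLICY = {
    "hr-portal":  {"groups": {"hr"},          "require_mfa": True, "require_compliant_device": True},
    "wiki":       {"groups": {"staff", "hr"}, "require_mfa": True, "require_compliant_device": False},
    "finance-db": {"groups": {"finance"},     "require_mfa": True, "require_compliant_device": True},
}


def decide(s: Session) -> tuple:
    """Return (allowed, reason). Unknown applications and unmet conditions are rejected."""
    rule = POLICY.get(s.app)
    if rule is None:
        return False, f"no policy for {s.app}: default deny"
    if rule["require_mfa"] and not s.mfa_verified:
        return False, "mfa required"
    if rule["require_compliant_device"] and not s.device_compliant:
        return False, "device not compliant"
    if not (s.groups & rule["groups"]):
        return False, f"{s.user} not authorized for {s.app}"
    return True, "allowed"


def reevaluate(s: Session, device_compliant: bool) -> tuple:
    """Continuous evaluation: a posture change is applied and the decision recomputed,
    so an already-authenticated session loses access when the device falls out of compliance."""
    s.device_compliant = device_compliant
    return decide(s)
```

Note that the same authenticated user is allowed one application and refused another; a network-level VPN grant would not make that distinction.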
Enabling safe browsing, more secure SaaS applications, and easier validation of user access to data, SSE includes cloud security capabilities such as Zero Trust Network Access (ZTNA), Cloud Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), and Firewall-as-a-Service (FWaaS).
Combining network- and security-as-a-service capabilities, SASE is a cloud architecture that includes Software-Defined Wide Area Networking (SD-WAN), Next Generation Firewall (NGFW), hardware-enforced network segmentation, SWG, CASB, and ZTNA.
“SASE, SSE, and hardware-enforced network segmentation provide organizations the potential to replace traditional VPNs and security features and foster policies that offer a zero-trust approach to modern security implementation,” the authoring agencies note, urging organizations to assess their security posture, perform risk analysis, and review the recommended guidance.