Page 115 - Cyber Defense eMagazine August 2023
of SRA to a resource. Additionally, 67% of respondents felt that Advanced Persistent Threats (APTs) are
a growing concern and 72% viewed third-party connections as their biggest risk for any Remote Access.
Now, you may be asking why an OT-targeted report is relevant to SRA across any organization. The
answer is simple: many SRA solutions are shared, maintained, managed or controlled in some form by
IT resources within an organization. Ransomware, as an example, is not just focused on
attacking specific company resources but on disrupting as many business
operations as possible to extract financial gain for the threat actors.
Navigating the Scope of Secure Remote Access Components
As for the human component of SRA, 59% of respondents were concerned about even trusted users with
direct access to resources. This is where the definition of SRA and trusted users gets murky.
In most organizations, SRA is used not just by third parties but also by remote workers and by internal
users crossing organizational boundaries to connect to resources, and there is a growing segment where SRA
and Software Defined Networking (SDN) are used together as well. This brings us back to the
“lens” statement above.
To many organizations or technology vendors, a Virtual Private Network (VPN) is a form of Secure
Remote Access, and they are not incorrect in this statement. A VPN is encrypted (secure) and uses a
form of 2FA/MFA user/device authentication (e.g. token, cert, key) prior to granting access (safe),
but that is generally where it ends. Some can enforce access policies, resource controls and connection time,
but generally they place you on a jump/bastion host where applications are published to multiple
users.
Things such as session recording, supervised access, shared credential vaulting and function restricting
are not available. Lastly, this type of connectivity is at the network layer (the letter N in VPN), not the
application layer, so if the end device is compromised, ransomware and other network-layer threat vectors
can be attempted successfully.
Another form is the highly discussed and promoted ZTA/ZTNA, which, for those of you who do not know,
is based on NIST SP 800-207 (I highly suggest reading this Special Publication before using the term
freely). In this vision of SRA the premise is trusting nothing, hence the Z for Zero. It also practices the
principle of continuous validation, which means inspecting the session to ensure everything is still safe
and secure. This form of SRA is also deeply rooted in policy, which means granular control of people,
process, and the technology being used within the SRA session.
Unmasking the Weakest Link in Secure Remote Access
The point of this article is not to get into which technology model (and there are others as well) is the
best, but to discuss the real underlying problems of any SRA solution: proper configuration,
oversight, usage and management.