Page 115 - Cyber Defense eMagazine August 2023

of SRA to a resource. Additionally, 67% of respondents felt that Advanced Persistent Threats (APTs) are a growing concern and 72% viewed third-party connections as their biggest risk for any Remote Access.

Now, you may be asking why an OT-targeted report is relevant to SRA across any organization, and the answer is simple. Many SRA solutions are shared, maintained, managed or controlled in some form by IT resources within an organization. The threat of ransomware, as an example, is not just focused on attacking specific company resources but on disrupting as many business operations as possible to extract financial gain for the threat actors.



            Navigating the Scope of Secure Remote Access Components

            As for the human component of SRA, 59% of respondents were concerned about even trusted users with
            direct access to resources. This is where the definition of SRA and trusted users gets murky.

In most organizations, SRA is not just used by third parties; it is also used by remote workers, by internal users crossing organizational boundaries to connect to resources, and in a growing segment where SRA and Software Defined Networking (SDN) are used together. This brings us back to the “lens” statement above.

To many organizations or technology vendors, a Virtual Private Network (VPN) is a form of Secure Remote Access, and they are not incorrect in this statement. A VPN is encrypted (secure) and uses a form of 2FA/MFA user/device authentication (e.g., token, cert, key) prior to granting access (safe), but that is generally where it ends. Some can enforce access policies, resource controls, and connection time, but generally they place you on a jump/bastion host where applications are published to multiple users.

Things such as session recording, supervised access, shared credential vaulting and function restricting are not available. Lastly, this type of connectivity is at the network layer (the letter N in VPN), not the application layer, so if the end device is compromised, ransomware and other network-layer threat vectors can be attempted successfully.

Another form is the highly discussed and promoted ZTA / ZTNA, which, for those of you who do not know, is based on NIST SP 800-207 (I highly suggest reading this Special Publication before using the term freely). In this vision of SRA the premise is trusting nothing, hence the Z for Zero. It also practices the principle of continuous validation, which means inspecting the session to ensure everything is still safe and secure. This form of SRA is also deeply rooted in policy, which means granular control of people, process, and the technology being used within the SRA session.



            Unmasking the Weakest Link in Secure Remote Access

The point of this article is not to get into which technology model (and there are others as well) is the best, but to discuss the real underlying problems of any SRA solution: proper configuration, oversight, usage and management.






            Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.