Page 116 - Cyber Defense eMagazine August 2023
The underlying problems above are all directly related to the weakest link in any SRA implementation,
and that is the people component. We do not truly trust the end users or the devices they are connecting
from or to (hence the Zero in ZTA / ZTNA), and for valid reasons. We also cannot trust that internal staff
(or external resources managing our SRA implementations) follow published best practices for creating
a safe and secure access infrastructure. Through the auditor “lens” we have all found open VPN connections,
weak passwords, shared user accounts, ineffective policies and just overall poor security hygiene. We
have also found a lack of audit trails, or a collaboration tool installed on a jump host so that a third party can
easily get in to do urgent work after hours.
In conclusion, no matter what we define as an SRA solution, we all must do a better job, from both a
vendor and an end-user perspective, of creating a more secure and risk-reducing safety posture for SRA
implementations overall, which 55% of respondents stated was a concern as well.
About the Author
Kevin Kumpf has more than 20 years of IT security and compliance experience,
including over 10 years of cybersecurity, governance and critical infrastructure
experience working in the energy, medical, manufacturing, transportation and
FedRAMP realms. Kevin’s past roles include Director of OT Security (N.A.) for
Iberdrola, where he oversaw the security and regulatory compliance of multiple
OpCos, and Principal Security and Regulatory Lead for interactions with the NY
and NE ISOs, NERC, ISACs as well as state and federal entities. He has also
worked internally and as a vendor/consultant at multiple healthcare and
manufacturing entities to mitigate the threats they were under in relation to
ransomware, insider threats and malware infestation. Today Kevin works as the
OT Technical Lead at Cyolo. More information can be found at Cyolo’s website
here: https://cyolo.io/
Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.