Global cybersecurity agencies advocate adoption of zero trust, SSE, SASE to enhance network access security

Transnational cybersecurity agencies issued new guidelines on Tuesday urging businesses of all sizes to adopt more robust security measures such as zero trust, Secure Service Edge (SSE), and Secure Access Service Edge (SASE) to enhance visibility into network activities. These recommendations aim to bolster network access security by addressing vulnerabilities, threats, and the pitfalls associated with traditional remote access and VPN deployments, underscoring the business risks linked to misconfigurations in accessing organizational networks.

The guidance titled ‘Modern Approaches to Network Access Security,’ jointly published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the Federal Bureau of Investigation (FBI), New Zealand’s Government Communications Security Bureau (GCSB), New Zealand’s Computer Emergency Response Team (CERT-NZ), and the Canadian Centre for Cyber Security (CCCS), advocates using risk-based access control policies delivered through policy decision engines. These solutions integrate security and access control, enhancing organizational usability and security through adaptive policies.

The guidance provides comprehensive strategies to protect both IT and OT (operational technology) networks, addressing diverse network sensitivities and the potentially severe consequences of breaches. It aims to assist leaders in prioritizing the security of remote computing environments, emphasizing the principle of least privilege. Moreover, it offers best practices for transitioning from traditional architectures to cloud-based systems, supporting hybrid and on-premises deployments to achieve zero trust objectives.

Highlighting the effectiveness of modern solutions like zero trust, SSE, and SASE, the guidance emphasizes their role in providing secure remote access to applications and services through granular access control policies. These policies deny access to unauthorized users, thereby adopting a more secure approach to network access based on zero trust principles and continuous monitoring of user activity, promoting the security of data in transit and at rest.

“The effectiveness of any proposed modern security solution greatly depends on how the organization’s network and infrastructure is postured,” the guidance states. “Adopting zero trust principles enhances an organization’s ability to secure information, safeguarding it against threats and data loss.”

Zero Trust (ZT) operates on the premise that no user or asset should be implicitly trusted, requiring continual re-authentication and re-authorization of each user, device, and application throughout transactions. Organizations are encouraged to implement CISA’s Zero Trust Maturity Model (ZTMM), which outlines a phased approach across five pillars to advance maturity over time, integrating various CISA cybersecurity programs to support ZT solutions.

Regarding Secure Service Edge (SSE), the guidance describes it as a collection of cloud security capabilities facilitating secure browsing and enhancing security for Software as a Service (SaaS) applications and user access to network data. SSE integrates networking, security practices, policies, and services into a single platform, ensuring application security and data access irrespective of user device or location. SSE security capabilities include Zero Trust Network Access, Cloud Secure Web Gateway, Cloud Access Security Broker, and Firewall-as-a-Service.

Secure Access Service Edge (SASE), on the other hand, combines network and security-as-a-service capabilities, encompassing Software-Defined Wide Area Networking (SD-WAN), Secure Web Gateway (SWG), Cloud Access Security Broker (CASB), Next-Generation Firewall (NGFW), and Zero Trust Network Access (ZTNA). The model enables cloud service providers (CSPs) to deliver networking and security as a service, replacing on-premises security solutions and data center deployments.

The guidance underscores that adopting SASE, SSE, and hardware-enforced network segmentation offers organizations potential alternatives to traditional VPNs and enhances policy-driven zero trust security implementations. It urges entities to assess their security posture and conduct risk analyses before implementing these solutions to ensure alignment with organizational needs.

In addition to deploying ZT, SASE, SSE, and hardware-enforced solutions, organizations are advised to implement several best practices aligned with the Cybersecurity Performance Goals (CPGs) developed jointly by CISA and NIST. These practices include centralized management solutions, network segmentation, Security Orchestration, Automation, and Response (SOAR), automated vulnerability scans, regular system backups, cybersecurity training, strong identity and access management with multi-factor authentication (MFA), adoption roadmaps, and usage of ZTNA to restrict user access and applications through a trust broker.

The document also stresses the importance of careful planning and phased implementation when transitioning from VPN solutions to SSE/SASE, including measures like control plane access restrictions, dedicated management interfaces, patch management, network telemetry analysis, pre-authentication, MFA deployment, and version control for monitoring device configuration changes.

Recently, cybersecurity agencies from the ‘Five Eyes’ alliance published an update on the evolving risks to critical infrastructure and outlined strategies for enhancing security and resilience across the Critical 5 partner nations. They emphasized the need for international collaboration and coordination to safeguard interconnected critical infrastructure effectively.

Source: industrialcyber.co
