Jun 11 2020

An Alternative to Legacy VPNs for State and Local Governments

Government agencies need to rethink their approach to network security as telework continues.

Security and access solutions have been put to the test for state and local governments as bandwidth is stretched to maximum capacity to support telework. As IT teams have executed against their continuity of operations plans and scaled up remote access solutions, it’s become increasingly evident that VPNs cannot provide the necessary security to protect users and data at scale.

The Cybersecurity and Infrastructure Security Agency (CISA) released an Enterprise VPN Security Alert early on in the shift to telework to warn organizations that more VPN vulnerabilities are being found and targeted by malicious cyber actors.

As users connect through VPNs and other legacy appliance-based remote access solutions, the enterprise attack surface effectively increases, potentially exposing sensitive data to malware and ransomware attacks. The process to connect users through a VPN is also slow and inefficient, especially when users want to connect to the internet through the VPN. As a result, many remote employees bypass the VPN to surf the web — therefore bypassing all security policies in place. 

In addition, prior to the pandemic, only a small portion of employees at many state and local governments had government-issued laptops. Instead, many government employees relied on BYOD to support the increase in remote work. However, connecting to government networks from employee-owned devices through VPNs or other appliance-based remote desktop tools has only increased security concerns and risks.

As outlined in the CISA alert, government agencies need to “adopt a heightened state of cybersecurity.” State and local governments should evaluate risks and look for VPN alternatives that can protect their infrastructure from external attack as they continue scaling to accommodate remote work.

Evaluating Security Risks for Government VPNs

The shift to an almost entirely remote workforce requires all state and local governments to modernize their risk evaluation models or create new ones. IT administrators need to ask themselves the following:

  • Who needs access to what assets? VPN concentrators inherently have an inbound listening port and allow east-west traffic on the network. This can open the network to malicious intent from both insiders and outsiders. It also allows users to gain access to applications they were not intended to reach.
  • What devices are users accessing sensitive government data and applications from? Even with the right security and access policies in place, it is difficult for IT administrators to manage employee security for users connecting to government networks from their own devices, especially when connecting through VPNs. IT administrators have less visibility and control over what potentially harmful applications employees might download onto personal devices, introducing further security risks.
  • Where are there potential gaps or openings that adversaries could take advantage of? Traditional appliance-based remote access solutions, like VPNs, can create more gaps in security by expanding the attack surface and opening more appliance-based capabilities through ports, protocols and IP spaces. This increases the risk of external attacks. 
  • How do we ensure the security of both our employees and the data that is now distributed across data centers, cloud and mobile? State and local governments need to securely connect the right employees to the right applications as they work from home on both government-issued devices and personal devices. So, what’s an alternative remote access solution to VPNs?


How Zero-Trust Network Access Helps Security

To provide a seamless user experience, gain visibility and control, and reduce the attack surface, state and local governments should adopt zero trust.

The initial assumption of zero trust is that organizations do not inherently trust any user, and access solutions must verify and authorize all users before granting access. State and local governments can develop granular policies to provide context-based access to sensitive resources regardless of the user, device or location. 

Zero trust is inherently complex, but if governments start with clear rules and policies based on mission goals and their IT environment, a zero-trust network access (ZTNA) service can be quickly adopted and scaled to meet the workforce needs of today and tomorrow.

Once the necessary policies and access controls are in place, user management will be simple. From a central control plane, administrators will have full visibility into the distributed environment to provide authentication, authorization and accounting for all users, on both managed and unmanaged devices. 

While data and applications may be hosted in multiple environments and users may connect from diverse locations, the user experience can still be consistent and transparent. Administrators can link users directly to the applications without ever placing them on the network. The right users will have the right level of access for an improved user experience, and the attack surface will be greatly decreased. A ZTNA solution will provide all users, including BYOD users, with secure access to internal web applications, without requiring a traffic-forwarding client on their device. 

The bottom line is that malicious actors are never let onto the network, so they will never have access to government’s most sensitive information.
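The per-application, deny-by-default policy model described above, as an added illustration that is not code from the original article or from any vendor's product. The application names, groups and policy fields are constructed sample data; the point is that a user is authorized for one named application at a time, with device posture and MFA checked as context, and every decision is recorded for accounting.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset          # group memberships from the identity provider
    app: str                   # the single application being requested
    device_managed: bool       # False for BYOD / unmanaged endpoints
    mfa_passed: bool

@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    require_managed_device: bool = False   # BYOD allowed unless set
    require_mfa: bool = True

# Hypothetical per-application policies (constructed sample data).
POLICIES: Dict[str, AppPolicy] = {
    "hr-portal": AppPolicy(frozenset({"hr"}), require_managed_device=True),
    "intranet-wiki": AppPolicy(frozenset({"staff", "hr"})),
}

# Accounting: every decision is recorded, allow or deny.
AUDIT_LOG: List[Tuple[str, str, bool, str]] = []

def authorize(req: AccessRequest,
              policies: Dict[str, AppPolicy] = POLICIES) -> Tuple[bool, str]:
    """Per-application, deny-by-default decision for one request.

    Unlike a VPN concentrator that places the user on the network, nothing is
    reachable unless a policy for that exact application says so.
    """
    policy = policies.get(req.app)
    if policy is None:
        decision = (False, "no policy published for application")
    elif not (req.groups & policy.allowed_groups):
        decision = (False, "user not in an authorized group")
    elif policy.require_mfa and not req.mfa_passed:
        decision = (False, "multi-factor authentication required")
    elif policy.require_managed_device and not req.device_managed:
        decision = (False, "application restricted to managed devices")
    else:
        decision = (True, "allowed")
    AUDIT_LOG.append((req.user, req.app, decision[0], decision[1]))
    return decision
```

An application with no published policy is unreachable even for a fully authenticated user on a managed device, which is the behaviour a flat VPN network does not give you.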


A Short- and Long-Term Solution for VPN Security

Many government agencies already have aspects of zero trust in place through identity and access management controls, endpoint management, application and data categorization, and microsegmentation.

The next step will be to adopt a Secure Access Service Edge (SASE) model with zero-trust capabilities and direct-to-cloud access. This will push all security capabilities as close to the user, data and device as possible. A SASE cloud-based zero-trust service will allow governments to scale instantly and eliminate the need for constant firmware and software updates. Governments will be able to meet immediate security and access needs and have the ability to scale up and down for future needs.

The CISA VPN alert points out that “as VPNs are 24/7, organizations are less likely to keep them updated with the latest security updates and patches.” Instead of constant patching, governments that enable cloud-based zero-trust networking can focus on improving policies and other mission-critical work. 

Additionally, while a solution authorized by the Federal Risk and Authorization Management Program (FedRAMP) is not required for state and local governments, organizations that are FedRAMP-authorized, especially at the high baseline level, will have undergone a rigorous, in-depth audit for critical security controls. This ensures their solutions can protect government’s most sensitive classified data in a cloud environment. 

Federal, state and local governments can feel assured that their data, users and overall IT environment have comprehensive security with a FedRAMP High Baseline Joint Authorization Board zero-trust cloud solution.

State and local agencies need to rethink their approach to VPN security as they continue to support remote workers. Zero trust and SASE offer a path forward.
