Evaluating Security Risks for Government VPNs
The shift to an almost entirely remote workforce requires all state and local governments to modernize their risk evaluation models or create new ones. IT administrators need to ask themselves the following:
- Who needs access to what assets? VPN concentrators inherently have an inbound listening port and allow east-west traffic on the network. This can open the network to malicious intent from both insiders and outsiders. It also allows users to gain access to applications they were not intended to reach.
- What devices are users accessing sensitive government data and applications from? Even with the right security and access policies in place, it is difficult for IT administrators to manage employee security for users connecting to government networks from their own devices, especially when connecting through VPNs. IT administrators have less visibility and control over what potentially harmful applications employees might download onto personal devices, introducing further security risks.
- Where are there potential gaps or openings that adversaries could take advantage of? Traditional appliance-based remote access solutions, like VPNs, can create more gaps in security by expanding the attack surface and opening more appliance-based capabilities through ports, protocols and IP spaces. This increases the risk of external attacks.
- How do we ensure the security of both our employees and the data that is now distributed across data centers, cloud and mobile? State and local governments need to securely connect the right employees to the right applications as they work from home on both government-issued devices and personal devices. So, what’s an alternative remote access solution to VPNs?
How Zero-Trust Network Access Helps Security
To provide a seamless user experience, gain visibility and control, and reduce the attack surface, state and local governments should adopt zero trust.
The initial assumption of zero trust is that organizations do not inherently trust any user, and access solutions must verify and authorize all users before granting access. State and local governments can develop granular policies to provide context-based access to sensitive resources regardless of the user, device or location.
— StateTech Magazine (@StateTech) June 3, 2020
Zero trust is inherently complex, but if governments start with clear rules and policies based on mission goals and their IT environment, a zero-trust network access (ZTNA) service can be quickly adopted and scaled to meet the workforce needs of today and tomorrow.
Once the necessary policies and access controls are in place, user management will be simple. From a central control plane, administrators will have full visibility into the distributed environment to provide authentication, authorization and accounting for all users, on both managed and unmanaged devices.
While data and applications may be hosted in multiple environments and users may connect from diverse locations, the user experience can still be consistent and transparent. Administrators can link users directly to the applications without ever placing them on the network. The right users will have the right level of access for an improved user experience, and the attack surface will be greatly decreased. A ZTNA solution will provide all users, including BYOD users, with secure access to internal web applications, without requiring a traffic-forwarding client on their device.
The bottom line is that malicious actors are never let onto the network, so they will never have access to government’s most sensitive information.
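As an added illustration (not code from StateTech or from any product the article mentions), here is a constructed default-deny policy evaluator in the spirit of the context-based access described above: every request is judged on identity, MFA, device management state and location, a personal (BYOD) device can reach an internal web application but not a sensitive one, and the application, group and country names are assumptions.

```python
from dataclasses import dataclass

# Constructed ZTNA-style policy engine (illustrative, not a real product API).
# Nothing is trusted by default: each request must pass every check, and the
# result is access to one application, never placement on the network.

@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset        # identity-provider group memberships
    device_managed: bool     # True = government-issued, False = personal/BYOD
    mfa_passed: bool
    country: str             # coarse location reported by the access broker
    app: str

@dataclass(frozen=True)
class AppPolicy:
    required_group: str
    sensitivity: str         # "internal" or "sensitive"
    allowed_countries: frozenset = frozenset({"US"})

# Assumed application catalogue: names and groups are constructed examples.
POLICIES = {
    "timesheets": AppPolicy("employees", "internal"),
    "case-records": AppPolicy("caseworkers", "sensitive"),
}

def evaluate(req: AccessRequest) -> tuple[bool, str]:
    """Return (allowed, reason). Default is deny; the order is cheapest check first."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, "unknown application: no policy means no access"
    if not req.mfa_passed:
        return False, "MFA required for every session"
    if policy.required_group not in req.groups:
        return False, f"user lacks group {policy.required_group!r}"
    if req.country not in policy.allowed_countries:
        return False, f"location {req.country} not permitted for {req.app}"
    if policy.sensitivity == "sensitive" and not req.device_managed:
        return False, "sensitive app requires a managed device"
    return True, f"brokered to {req.app} only; no network placement"

if __name__ == "__main__":
    byod = AccessRequest("ana", frozenset({"employees", "caseworkers"}),
                         False, True, "US", "case-records")
    print(evaluate(byod))  # denied: sensitive app on an unmanaged device
```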
A Short- and Long-Term Solution for VPN Security
Many government agencies already have aspects of zero trust in place through identity and access management controls, endpoint management, application and data categorization, and microsegmentation.
The next step will be to adopt a Secure Access Service Edge (SASE) model with zero-trust capabilities and direct-to-cloud access. This will push all security capabilities as close to the user, data and device as possible. A SASE cloud-based zero-trust service will allow governments to scale instantly and eliminate the need for constant firmware and software updates. Governments will be able to meet immediate security and access needs and have the ability to scale up and down for future needs.
The CISA VPN alert points out that “as VPNs are 24/7, organizations are less likely to keep them updated with the latest security updates and patches.” Instead of constant patching, governments that enable cloud-based zero-trust networking can focus on improving policies and other mission-critical work.
Additionally, while a solution authorized by the Federal Risk and Authorization Management Program (FedRAMP) is not required for state and local governments, organizations that are FedRAMP-authorized, especially at the high baseline level, will have undergone a rigorous, in-depth audit for critical security controls. This ensures their solutions can protect government’s most sensitive classified data in a cloud environment.
Federal, state and local governments can feel assured that their data, users and overall IT environment have comprehensive security with a FedRAMP High Baseline Joint Authorization Board zero-trust cloud solution.
State and local agencies need to rethink their approach to VPN security as they continue to support remote workers. Zero trust and SASE offer a path forward.