As hybrid work is here to stay for a vast majority of organizations, there are three secure user access scenarios that most affect an organization: remote employees; branch offices; and accommodating new, contingent, or traveling workers.
Every remote employee is essentially an internet gateway. With remote access services transitioning to identity-based controls, attackers will be opportunistic by targeting credentials. And why not?
Let’s think about digital access the same way we think about physical access to a building. What’s easier for gaining access into a building: Stealing an employee’s ID badge, or a brute force break-in that will potentially trigger alarms, be caught on surveillance cameras, and can be stopped by roaming patrols? Clearly, it’s much easier to gain access by using an employee ID badge that won’t raise any flags within the physical security systems.
Similarly, I see no letup with insider threats, which pose a greater risk than credential theft. Why? Because a remote access “broker” that sees valid device posture and user context will have no reason not to allow policy-based access, even if the user’s intent is malicious. Access brokers not (yet) being mind readers is exactly why ZTNA needs to include the ability to block malicious behavior with inline threat prevention (known and zero-day) and data loss prevention. Otherwise, you’re relying on host or app security alone if credentials are stolen or abused, which is not a desirable position.
Now let’s look at the branch. Hybrid work means the “thin branch” approach is increasingly desirable. Most branch offices will remain at partial capacity for the foreseeable future, accelerating trends toward curtailing hardware and expensive private line connectivity. Adoption of SD-WAN as an alternative will continue and accelerate, bringing networking under the security umbrella, an approach that’s become the mainstay of true secure access service edge (SASE) solutions.
As branch infrastructure is streamlined, it’s easy to get lax with security. Extending ZTNA to the branch mitigates the risk of security posture erosion due to simplification while providing access policy and user experience consistency with remote working scenarios, a win-win.
The Great Resignation is at hand. As companies struggle with high employee turnover and with managing growing ranks of contract and mobile workers, we need to put a premium on simplified scale and usability in ZTNA solutions. This means agentless deployment options for temporary employees and non-employee users.
Covid restrictions subsiding means employee travel will resume, as it has for some already. In this dynamic environment, organizations will need to continuously monitor employee access attempts and sessions as behavioral baselines will be constantly shifting. It won’t always be easy to pick up on red flags of compromised accounts.
For example, login times, session durations, and locations will be changing. These variables need to be factored into real-time trust decisions that trigger a response, like additional authentication challenges or breaking off access to specific resources. And this is especially pertinent given the increased risk of compromised credentials and snooping in certain geographical areas.
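The trust decision described above, sketched as an added example that is not from the original post or any vendor product: a per-user baseline that decays old behavior so it follows a traveling employee, scored against each session's login hour, elapsed duration, and country. The class name, decay weight, caps, and thresholds are all assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from math import sqrt

ALPHA = 0.2                   # assumed weight of the newest session
STEP_UP, RESTRICT = 3.0, 6.0  # assumed risk thresholds

def hour_delta(hour, mean):
    """Signed circular distance in hours (23:00 vs 01:00 is -2, not 22)."""
    return (hour - mean + 12) % 24 - 12

@dataclass
class Baseline:
    """Exponentially weighted per-user baseline (hypothetical structure)."""
    hour_mean: float = 9.0
    hour_var: float = 4.0
    dur_mean: float = 60.0    # minutes
    dur_var: float = 900.0
    countries: dict = field(default_factory=dict)  # country -> decayed frequency

    def risk(self, hour, minutes, country):
        """Sum of capped deviations, so no single signal dominates."""
        z_hour = abs(hour_delta(hour, self.hour_mean)) / sqrt(max(self.hour_var, 0.25))
        z_dur = abs(minutes - self.dur_mean) / sqrt(max(self.dur_var, 1.0))
        novelty = 1.0 - self.countries.get(country, 0.0)
        return min(z_hour, 3.0) + min(z_dur, 3.0) + 3.0 * novelty

    def decide(self, hour, minutes, country):
        score = self.risk(hour, minutes, country)
        if score >= RESTRICT:
            return "restrict"  # break off access to specific resources
        if score >= STEP_UP:
            return "step_up"   # additional authentication challenge
        return "allow"

    def learn(self, hour, minutes, country):
        """Fold in a session only after it passed verification, so an
        unverified actor cannot drag the baseline toward their own habits."""
        dh = hour_delta(hour, self.hour_mean)
        self.hour_mean = (self.hour_mean + ALPHA * dh) % 24
        self.hour_var = (1 - ALPHA) * (self.hour_var + ALPHA * dh * dh)
        dd = minutes - self.dur_mean
        self.dur_mean += ALPHA * dd
        self.dur_var = (1 - ALPHA) * (self.dur_var + ALPHA * dd * dd)
        for c in set(self.countries) | {country}:
            seen = 1.0 if c == country else 0.0
            self.countries[c] = (1 - ALPHA) * self.countries.get(c, 0.0) + ALPHA * seen
```

With a constructed home baseline (`countries={"DE": 1.0}`), a 03:00 login from a new country is restricted at first; after five verified sessions from that location the same login is allowed, which is the shifting-baseline effect the paragraph describes.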
If this year is anything like the last, it will be far from predictable. Don’t let it overwhelm you. We have the ability to prepare ourselves better by ensuring we take a broader approach to ZTNA through the application of consistent policy and security controls for users working from anywhere, to any resource that they try to access.
Find out how ZTNA from Palo Alto Networks can help you meet your 2022 secure remote access goals, wherever your employees and resources are located.