It’s no secret that the COVID-19 global pandemic radically changed the way we work. Virtually overnight, organizations worldwide went from a 10 percent virtual workforce to 100 percent working from home. IT teams scrambled to augment remote access and Virtual Private Networks (VPNs) and extend seamless application access to newly distributed employees.
And, you know what, it worked. Millions of companies–from retailers to banks–were able to pivot to meet changing expectations. The acceleration of digital transformation over the past 18 months has been unprecedented in modern economic history–highlighting our resilience and agility in a rapidly changing world.
But...the chickens are coming home to roost.While IT teams focused on accessibility, security concerns often took a backseat in the name of business continuity. Increasingly sophisticated threat actors are taking advantage of growing threat surfaces and lax security controls due to the acceleration of digital and cloud transformations to infiltrate unmanaged and unsecured devices. Once embedded on a device, they can lay in wait for days, weeks, or even months and then spread laterally through the network undetected until they can upload their payload, exfiltrate data or cause disruption.
The problem is that VPNs are inherently unscalable and unable to provide the protection distributed users need in today’s work-from-home corporate culture. Once authenticated by a VPN, threat actors have unlimited access to the entire network, creating a huge security gap. This security/accessibility disconnect is not going away anytime soon. According to a new study based on a survey by Menlo Security, security professionals in the U.S. and U.K. say that more than half of their users continue to work from home or have adopted a hybrid approach.
Security professionals are obviously aware of the security and accessibility disconnect. According to the survey’s findings, which polled 545 IT decision-makers with security titles from organizations with 1,000 or more employees, 83 percent of respondents are confident in their strategy for controlling access to applications for remote users. Still, nearly the same percentage (75 percent) are looking to re-evaluate their security strategy in the wake of new ways of working and the growth in cloud application use.
The shocking thing is that three-quarters of all organizations (and 81 percent of organizations of more than 10,000 employees) continue to rely on flawed VPNs, while only slightly more than a third (36 percent) have included a Zero Trust approach to controlling access. The silver lining is that 75 percent of respondents believe that hybrid and remote workers accessing applications on unmanaged devices poses a significant threat to their organization’s security.
Today, organizations can successfully undergo security transformations to catch up with the ongoing business transformations we’ve been seeing over the past 18 months and will continue to see in the foreseeable future. This requires implementing Zero Trust in a pragmatic, phased approach that doesn’t disrupt normal business operations. This just wasn’t possible in the early days of the pandemic. Still, organizations should take the time to really rethink how they want to protect their increasingly distributed workforce.
Many organizations are responding by deploying Zero Trust Network Access (ZTNA) solutions to replace or augment existing VPN environments. These ZTNA tools serve as highly scalable connections between applications and a highly distributed workforce based in the cloud.
Organizations should consider ZTNA tools that can serve as a central access point for policy management, ensuring that data center security policies are applied to all network traffic–regardless of physical location, underlying infrastructure, or connection type. This closes these critical security gaps in VPN infrastructure that threat actors could freely exploit during the early days of the pandemic while providing remote and hybrid users with the same application experience as if they were logging in from the office.
Clients or agents on the endpoint provide reliable application access but add additional responsibilities and operational costs to an already over-extended IT organization. On the other hand, a clientless architecture allows organizations to roll out application access with no need to touch the endpoints, enabling them to improve their security posture without adding network bloat or operational costs.
ZTNA tools must integrate seamlessly with an organization’s existing security stack, such as its Secure Web Gateway (SWG), Data Loss Prevention (DLP), and Cloud Access Security Broker (CASB), among others. This allows organizations to deliver on the promise of Secure Access Service Edge (SASE) security.
The new study shines a light on the uphill battle that IT professionals are in. Focusing on application accessibility without evolving their security strategies may have helped them pivot quickly and keep the business running during a pandemic, but threat actors certainly noticed. It’s time that security transformations catch up with business transformation. Organizations should consider ZTNA tools that extend data center experiences to users on the edge of the network. This includes accessibility, performance, and, yes, security.
Be sure to download this infographic that highlights all of the key findings from our survey. And if you’re interested to learn more about how our Menlo Private Access can help your organization provide fast, reliable, and secure web application access to users, click here.