Find the right approach to browser security
Traditional security approaches are flawed, costly, and overwhelming for security teams. Menlo Security is different. It’s the simplest, most definitive way to secure work—making online threats irrelevant to your users and your business.
Our platform invisibly protects users wherever they go online. So threats are history and the alert storm is over.
Traditional network security wasn’t built to address today’s complex enterprise environments. SASE fixes that problem.
Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise. The collective is made up of elite security researchers that put a spotlight on the threats you know and don’t know about.
Menlo Labs provides insights, expertise, context and tools to aid customers on their journey to connect, communicate and collaborate securely without compromise.
Mark Guntrip | Jan 18, 2022
Share this article
If Zero Trust was simply aspirational before 2020, it’s become a must-have methodology after the onset of the pandemic. But could it be that Zero Trust is already an idea whose time has come and gone, and past its prime before it truly got off the ground?
Actually, it’s more likely that security professionals are realizing — some painfully so — that not all approaches to Zero Trust are created equal. They’re beginning to subscribe to a Zero Trust approach that places a premium on security while giving remote workers access to the applications and data they need to do their jobs.
No doubt, the pandemic accelerated the embrace of Zero Trust Network Access (ZTNA) — pre-COVID, Gartner predicted a 14 percent adoption rate by 2025. But after the mad rush to support a mostly remote workforce, the predicted rate of adoption skyrocketed in a compressed time frame — to 50 percent by 2023.
As an initial answer to the question of how to support the new remote workforce, first-gen ZTNA held quite the lure for many organizations. This cloud-delivered solution was not tied to hardware, it was easy to turn on, and it gave everybody what they needed — access to applications without touching the network, slowing things down, or compromising previous investments.
But those early implementations also quite often required companies to maintain two sets of solutions for the same intended outcome — otherwise they would have to choose between staying with their trusted VPN or moving over to a whole new approach.
In fact, those earliest ZTNA implementations at the beginning of the pandemic, when VPNs were overwhelmed and their shortcomings exposed, were all about connectivity. And security got the short shrift. Many organizations were willing to forego security to keep business up and running under those most trying of times. After all, if people couldn’t connect, then the business would go down. The same was not true for security — it could falter without taking the business down with it. At least, until a wily threat actor decided to exploit a vulnerable company with employees who were connecting to corporate resources from any device available to them — a smartphone, a spouse’s laptop, and so on — or perhaps they were bypassing security measures to get to the tools they needed to do their jobs.
That’s when the much-vaunted VPN’s shortcomings became glaringly apparent. COVID proved that VPNs simply could not scale from supporting roughly 10 to 20 percent of an organization’s workers to a full 100 percent. The solution literally toppled over, and the bandwidth suck that VPNs require made performance appear slow. And the major security problem with VPNs — in a nutshell — is that once a threat actor is in, they’re in.
After access rights to the network are established, the VPN solution doesn’t distinguish who might be at the controls and trying to access apps or sensitive data. VPNs connect a person to a location and an entire network, not just a resource. Once in through a VPN, a bad actor can move laterally in an environment, accessing applications and data without raising an eyebrow.
But not with Zero Trust, which trusts literally no one and further enhances security by improving visibility into connections across even multi-cloud environments. Security teams not only see a connection, but also what’s going on within that connection.
Now that the “hair on fire” urgency of providing connectivity to apps and other resources while abruptly moving entire workforces home has passed, the “why” tied to ZTNA has changed, too, with the focus shifting to security. Organizations have reverted back to security, visibility, and policy — and putting all these elements in place between users and apps. In fact, Menlo’s research shows that 75 percent of companies that have gone through a hair-on-fire approach are coming back and reevaluating their strategies for secure remote access.
If in the heyday of the pandemic the focus was about 95 percent on access and 5 percent on security, a decided swing of the pendulum has nudged the focus toward security (now about 55 percent, compared with about 45 percent for access). Perhaps spurred on by the sheer number of endpoints that would require updating in a VPN-oriented strategy or the daunting uptick in cyberattacks during the last two years, organizations are no longer willing to sacrifice security for connectivity.
The move from the VPN to ZTNA is clearly a step in the right direction, but it is only the beginning of the Zero Trust journey. The next step is developing a given set of functions for ZTNA. VPNs are good for segmenting and providing access to networks and resources. But to maximize security and support the rigors of remote work, security teams must stretch Zero Trust to all ends of communications — employees and devices, apps and data, and everyone else who can connect back into an environment, such as partners or even apps that can connect to other apps. Organizations must look at all points that communicate in an environment. While ZTNA without that kind of bilateral flow is the right step to establishing Zero Trust, users can still be attacked.
The best way to implement full-throated Zero Trust is to adopt a solution that is agnostic to the way an organization uses policy, visibility, reporting, and control mechanisms. ZTNA is not bulletproof but creating an intelligent model that can build on a single platform will satisfy end users and administrators alike.
Such a model also keeps the user experience consistent and moves IT away from having to push clients out to thousands of endpoints. Instead, everything can be implemented without touching every endpoint — a huge plus. This “clientless first” approach uses a browser without enabling clients, covering the vast majority of an organization’s users.
Of course, making the move to an enriched ZTNA model is a process. Depending on an organization’s starting point, following these steps can make the move that much easier.
ZTNA’s time has clearly not come and gone — but the focus solely on access rather than on access plus security is most definitely a thing of the past. Shaking off the confines and limitations of the VPN in favor of a clientless-first approach to Zero Trust will maximize security while giving users access to the resources they need. Many organizations have taken a solid first step toward this new strategy. Now it’s time to apply Zero Trust to all facets of communications across an organization’s environment.
Posted by Mark Guntrip on Jan 18, 2022
Tagged with Blog, Remote Working, SAA, SASE, Web Security
Securing Remote Access
To talk to a Menlo Security expert, please complete the form.