SDP solutions are true ZTNA solutions: They trust no one
In this interview with Help Net Security, Alissa Knight, cybersecurity influencer and partner at Knight Ink, explains why organizations should switch to SDP as opposed to VPN, and how this approach can help boost their cybersecurity posture.
As the pandemic forced companies to go remote, they increasingly relied on VPNs. How did this risky strategy impact them?
The fact of the matter is history has proven to us that VPNs are vulnerable to compromise – the VPNs themselves because of vulnerabilities in their code or traditional attacks like account takeover (ATO) when multifactor authentication isn’t enabled.
In addition, the pandemic forced companies to quickly issue VPN licenses to their entire workforce or, in the absence of VPNs in place, even deployed remote desktop protocol (RDP) servers, which is even worse. As a matter of fact, many of the breaches that made headlines since the start of the pandemic were largely due to RDP server usage, which is vulnerable to credential stuffing attacks (brute force attacks of passwords) from purchased password lists from dark web marketplaces.
In 2000, I published the first known vulnerability in hacking VPNs to open disclosure mailing lists, then published the second vulnerability in VPNs in 2001, which I spoke about at Blackhat Briefings that same year. Still, 21 years later, companies continue to rely on VPNs for secure remote access despite their vulnerabilities.
How is SDP an effective alternative to VPNs?
VPNs are not a true zero trust network access (ZTNA) solution. With VPNs, you must assume the device running the VPN client hasn’t been compromised, that split tunneling isn’t turned on, MFA hasn’t been compromised, and that the user’s password hasn’t been compromised. Furthermore, once you’re authenticated with the internal network behind the VPN, you typically have access to every host, printer, and networked node on that internal network.
Software defined perimeter (SDP) solutions are “true” ZTNA solutions where the device, infrastructure, user, and data aren’t trusted. Effectively enforcing “prove to me who you are, then prove to me that you SHOULD have access to the host or data you are requesting access to.” SDP solutions also don’t expose services to the outside world and implement what’s called software-defined microsegmentation.
Microsegmentation is taking a big flat network and “cutting” it up into communities of nodes where the administrator can define what hosts can talk to what and, more importantly, what users can talk to what. Just because you’re an authenticated node doesn’t necessarily mean you should be able to talk to any node on the network. SDP authenticates and authorizes everything and everyone.
Can SDP eliminate human error completely?
I don’t believe anything can completely eliminate human error, but many of the controls that SDP offers helps to “protect us from ourselves” that VPNs don’t offer. For example, some SDP solutions completely eliminate the user’s password and only rely on biometrics (facial recognition). This allows companies to no longer worry about account takeovers and enforces instead “something you are and something you have” since you must authenticate with your face using your cell phone. The password is finally going away!
Could you explain the process of the SDP approach?
Yes. SDP is quite simple. You have a client/agent that runs on a user’s host, which effectively helps enforce by policy what systems that user/host is allowed to talk to. This is the implementation of microsegmentation. Before software-defined microsegmentation, administrators used to do this at the switch level using VLANs (virtual local area networks) and VACLS (VLAN Access Control Lists).
It was entirely too cumbersome, which is why so many networks today are still flat (think the Target attack where the HVAC systems were on the same network as the point-of-sale systems). SDP handles all of the controls around who and what can talk to each other in addition to enforcing the authentication of users and devices along with the authorization for access.
How do you see SDPs evolving in the future?
I believe the future is the complete exodus away from hardware to software defined networking (SDN) – which is already here. I also believe it will help migrate organizations away from using passwords and relying only on MFA so account takeovers can finally be a thing of the past. I believe organizations are ready to eliminate the password in the enterprise but need the technology to help get them there.
As the vulnerability researcher who published the world’s first vulnerability in VPNs over twenty-two years ago, it’s unfathomable to think that VPNs are still in use today when more secure alternatives are available. Built on zero trust security principals, SDP solutions eliminate the ATO threat introduced by VPNs, RDP servers, and desktop sharing applications for secure remote access.