We all heed the gospel of patching, but as recent incidents have made clear, even cutting-edge disruptors struggle to patch everything, everywhere, all the time.
Maybe this is tied to the growing volume of Common Vulnerabilities and Exposures (CVE) entries. As they say, there is only one way and that's up.
Or maybe it's because large enterprise security and IT teams are getting crushed by the complexity of their environments and their associated security controls. Whatever the reason, something clearly needs to change.
Let’s start with the obvious.
How do I reduce complexity, my attack surface, and the patching burden that goes with it?
For starters, reducing your attack surface isn't just about your workloads, although Akamai can help you there, with virtual patching for your web apps or isolating your corporate apps from the Internet.
It's clearly also about your infrastructure and whatever you use to access your corporate workloads. In other words, every single thing in your enterprise that the outside world can reach over IP carries the operational burden of keeping it up to date, and with it the risk of falling behind. Shodan, anyone?
Now, there are many reasons to isolate your infrastructure from the Internet. Minimizing the number of exposed things not only reduces risk, it also reduces operational complexity. VPNs cut against this. They spare you from exposing every application publicly in a DMZ, which is good. But for the most part, they still grant access to the corporate network in order to reach corporate apps: once the tunnel is up, the client can talk to far more than the one application it needs. Definitely bad. At this point, I think we all agree that moats and castles belong in the past.
Add to that the fact that the VPN gateway itself is exposed, and you can quickly see where this is heading. No need to guess that a few of the 12,000 CVEs in 2019 came from your favorite VPN gateway vendors. There's a talk at Black Hat USA this year titled "Infiltrating Corporate Intranet Like NSA – Pre-auth RCE on Leading SSL VPNs" (Orange Tsai and Meh Chang) that makes this pretty clear. The speakers even rebrand VPN as "Vulnerable Point of your Network".
Let's get to the bottom line: why not remove the applications AND the VPN gateway from being reachable over the Internet by using an Identity Aware Proxy?
That way, you reduce risk by granting application access rather than network access, with every request checked against the user's identity and the one application it is for, and you rely on Edge platform vendors like Akamai to keep your access infrastructure up to date for you. Less operational overhead. Fewer CVEs to worry about. And best of all, less risk. Seems like a no-brainer.
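To make the "application versus network access" distinction concrete, here is an added example that is not part of the original post and is not Akamai's code. It contrasts a VPN-style decision (client is on the tunnel, so any address in the corporate range is reachable) with an identity-aware-proxy-style decision that admits one HTTP request only if a signed identity token is valid, unexpired, bound to the requested application, and the identity's groups are allowed for that application. The token format (HMAC-signed base64url JSON), the signing key, the application registry and the group policy are all constructed for this illustration; a real IAP would use an identity provider's signed assertions and a managed policy store.

```python
"""Minimal identity-aware proxy (IAP) gate versus a VPN-style network gate.

Constructed example, not Akamai code. The token format, key, app registry
and policy below are assumptions made for illustration only.
"""
import base64
import hashlib
import hmac
import ipaddress
import json
import time

SIGNING_KEY = b"example-iap-signing-key"        # constructed; never hard-code in production
CORP_NET = ipaddress.ip_network("10.0.0.0/8")   # constructed corporate address space

# Application registry (constructed): public hostname -> internal origin and allowed groups.
APPS = {
    "wiki.corp.example": {"origin": "10.1.2.3:8080", "groups": {"employees", "contractors"}},
    "payroll.corp.example": {"origin": "10.1.9.9:443", "groups": {"finance"}},
}


def vpn_network_decision(client_on_vpn: bool, dest_ip: str) -> bool:
    """VPN model: identity is checked once at connect time; afterwards every
    host in CORP_NET is reachable, whether or not the user needs it."""
    return client_on_vpn and ipaddress.ip_address(dest_ip) in CORP_NET


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(subject: str, groups: list, audience: str, ttl: int = 300, now=None) -> str:
    """Identity-provider side (constructed): sign claims bound to ONE application (aud)."""
    now = int(time.time()) if now is None else now
    payload = json.dumps(
        {"sub": subject, "groups": groups, "aud": audience, "exp": now + ttl}, sort_keys=True
    ).encode()
    body = _b64url(payload)
    sig = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64url(sig)}"


def iap_decision(token: str, requested_host: str, now=None) -> tuple:
    """IAP model: every request is evaluated on its own. Returns
    (allowed, reason, origin_or_None). Nothing behind the proxy is reachable
    unless all checks pass for this identity and this application."""
    now = int(time.time()) if now is None else now
    app = APPS.get(requested_host)
    if app is None:
        return (False, "unknown application", None)   # not registered: not reachable at all
    try:
        body, sig = token.split(".", 1)
        expected = hmac.new(SIGNING_KEY, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig)):
            return (False, "bad signature", None)
        claims = json.loads(_b64url_decode(body))
    except ValueError:                                # covers base64 and JSON errors
        return (False, "malformed token", None)
    if claims.get("exp", 0) <= now:
        return (False, "token expired", None)
    if claims.get("aud") != requested_host:
        return (False, "token not issued for this application", None)  # no lateral reuse
    if not set(claims.get("groups", [])) & app["groups"]:
        return (False, "identity not authorized for this application", None)
    return (True, "ok", app["origin"])


if __name__ == "__main__":
    tok = issue_token("alice", ["employees"], "wiki.corp.example")
    print("VPN: payroll host reachable to any connected client:", vpn_network_decision(True, "10.1.9.9"))
    print("IAP: alice -> wiki:", iap_decision(tok, "wiki.corp.example"))
    print("IAP: alice's wiki token reused for payroll:", iap_decision(tok, "payroll.corp.example"))
```

The two decision functions are the point: the VPN check has no notion of which application is being asked for, so the blast radius of one compromised client is the whole address range, whereas the IAP check refuses a valid token presented to a different application, an expired token, an unregistered hostname, and an identity outside the application's allowed groups, and only then forwards to an internal origin that was never Internet-reachable.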
To learn more about how to isolate your workloads and access infrastructure from the Internet, visit akamai.com/zerotrust.
This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Lorenz Jakober. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/NnQEuqRSyug/time-to-transfer-risk-why-security-complexity-vpns-are-no-longer-sustainable.html