CISA’s recent guidance to shift from VPNs to SSE and SASE products strengthens data protections, but misses an opportunity to champion more robust, hardware-enforced, security controls to harden access points like web browsers.
Acting in the wake of several major vulnerabilities against VPN products at the beginning of this year, the US Cybersecurity and Infrastructure Security Agency (CISA), along with its Canada and New Zealand counterparts, released its recommendations on shifting from VPNs to Zero-Trust solutions such as Secure Service Edge (SSE) and Secure Access Service Edge (SASE) products. By creating architectures around Zero-Trust Network Access (ZTNA) principles, organizations can ensure that additional identity- and risk-based controls are in place to protect access to sensitive resources and data. These protections can make it significantly harder for adversaries to encrypt valuable databases for ransom, steal the information contained in those databases, or both, particularly once an adversary has evaded or subverted the security software designed to keep them out in the first place.
After all, there’s little evidence to show that the underlying software mechanisms of ZTNA platforms are less vulnerable than VPN software – a quick scan of CVEs in 2024 so far reveals no fewer than 10 vulnerabilities in supposed “Zero-Trust” security services, often with significant consequences including code execution and security bypass. Such vulnerabilities can provide adversaries using low-visibility techniques like “living off the land” with points of presence in organizations’ systems that long outlive the vulnerabilities themselves, even if maneuvering for effect within an organization’s network will be significantly more difficult in a zero-trust environment.
Even as they implement CISA’s guidance to minimize the potential impact of a breach, organizations should be asking a more fundamental question: how do we keep adversaries out of networks in the first place? One answer is found in CISA’s guidance, though only in a cursory way: the use of hardware-enforced network segmentation, such as unidirectional gateways and data diodes, to shield the most sensitive systems in the network. Because hardware-enforced segmentation technologies make it physically impossible for data and code to travel from risky environments to sensitive systems, the chance that an adversary will be able to leverage their current presence in the network or even throw code from outside the network to compromise one of these sensitive systems is near 0.
As a result of the high level of security that hardware-enforced solutions provide, CISA recommends them as a control for sensitive operational technology (OT) systems like the ones that form the backbones of utility networks. But as the 2021 ransomware attack on Colonial Pipeline demonstrated, attackers don’t need to make it into OT systems to have a massive impact on a utility – they simply need to have enough presence in IT networks to cripple operations or pose an unacceptable security risk. Minimizing this impact means thinking differently about using hardware-enforced isolation mechanisms and using them not only to secure the organization’s most sensitive systems, but also to shield the organizations from the riskiest networks and applications – for example, the Internet, with over 1 billion websites of largely unevaluated code, and web browsers, agile and feature rich yet insecure apps that had, on aggregate, 19 zero-day vulnerabilities in the last year alone.
Business priorities mandate that the vast majority of users have more or less unfettered access to the information hosted on the open Internet. In the energy industry, for example, traders may have to conduct Internet research on geopolitical, weather, and logistical conditions around the globe; in finance, analysts may have to conduct sensitive diligence operations to support mergers and acquisitions. The pace of these activities is so rapid that cybersecurity teams don’t have the time or resources to evaluate each site individually, so they instead rely on third party-generated lists of “known bad” sites and block them or, in the best case, third-party generated lists of “known good” sites that do not host malicious code to allow into the network. Yet both the “known bad” and “known good” lists rely on knowing what “bad” looks like – and, as evidenced by the nearly 20 zero-days against browsers in 2023, the definition of “bad” continually changes.
Instead of playing the cat and mouse game of identifying “bad” before it impacts the systems of major organizations, hardware-enforced browser isolation solutions keep all but the most explicitly trusted activities off an organization’s systems. Instead, risky browsing is conducted on cloud-hosted processors and converted to an interactive video stream and sends keystrokes and mouse movements back via the same types of one-way, fixed-function hardware that are used to protect OT networks. By applying this type of technology to web browsing, organizations can remove one of the least-secure points of access for malicious code and one of the hardest-to-secure points of egress for stolen data in one stroke.
CISA is right in recommending a shift to controls like SSE and SASE solutions to take a more granular approach to data access within corporate networks, and CISA is right to call for more robust controls like hardware-enforced segmentation for the most sensitive networks. But leaving protection against the largest, highest-threat network on the planet – the open Internet – to software-based solutions that can be subverted makes it a question of when, not if, that software too is compromised. Enforcing security using hardware at both the highest-risk and highest-sensitivity portions of the network provides a more assured option.
