Do not trust your virtual private network.
That is the advice from the National Security Agency and the Cybersecurity and Infrastructure Security Agency. They recently recommended organizations “harden” their VPNs against hackers in light of cyberattacks that should give private equity pause.
VPNs became essential for the preservation of global business continuity during the pandemic, with the encrypted connections enabling remote employees to access enterprise networks. Eighty-five percent of organizations relied on VPNs as primary access points as they migrated to remote work globally, according to a survey of 630 IT security leaders by software firm NetMotion. The survey also found that the financial sector was the second-most active category for VPN usage, trailing only the legal industry by a narrow margin.
At the same time, there has been a surge in cyber-crime, exposing the shortcomings of VPNs and other types of perimeter security technology meant to insulate private enterprise networks from the public net. The NSA has identified numerous vulnerabilities and exposures in leading VPN products from companies such as Pulse Secure, Palo Alto GlobalProtect and Fortinet FortiGate. One such attack resulted in the temporary shutdown of an organization’s industrial processes after a ransomware group encrypted its control servers.
“We exposed many new flaws in the traditional VPN solutions in the last 18 months,” said Ritesh Agarwal, chief executive of Airgap Networks, a cybersecurity vendor focused on ransomware prevention and mitigation.
VPNs work by assigning a system-approved IP address to credentialed users, empowering them with total network access. “[VPNs] were never designed as a primary means of enterprise access – and any such use is out of specification, obviously,” Agarwal said.
The problem with VPNs and other conventional perimeter security frameworks is that suspicious-activity filters inherently trust that a credentialed user is a legitimate sign-in. As the SolarWinds breach in December 2020 revealed, single-sign-on credentials can be hijacked in the cloud by sophisticated attackers to penetrate the perimeter and plunder enterprise networks.
Enter zero trust
The failures of perimeter security technology have led to the wider adoption of the “zero trust” model. Zero trust means “no network user, packet, interface or device – whether internal or external to the network – should be trusted,” John Kindervag, creator of the strategy, wrote in The Wall Street Journal this year.
“Some people mistakenly think zero trust is about making a system trusted, but it really involves eliminating the concept of trust from cybersecurity strategy,” said Kindervag, senior VP of cybersecurity strategy at ON2IT.
The National Institute of Standards and Technology describes zero trust as a set of principles that takes a “holistic view that considers all potential risks to a given mission or business process” and how those risks can be mitigated. There is no single “specific infrastructure implementation or architecture, but it depends on the workflow” being analyzed and the resources that are used in performing it, NIST said.
Considering “how attractive the asset management space is for attackers and the amount of breaches disclosing user accounts and sensitive personal information, I would say a ZT framework has become vital for protection of assets, communications and intellectual property in the asset management and investment advisory space,” said Grigoriy Milis, chief technology officer of cybersecurity provider RFA.
RFA’s clients include more than half of the top-10 largest PE firms by assets.
“Enterprises and finserv specifically are rapidly moving to a SaaS consumption model for data and application delivery,” Milis said. “It significantly diminishes the need for VPNs and I fully expect [VPNs] to become obsolete in enterprise in the next three to five years.”
Milis estimated that “at least 50 percent of the private funds have adopted ZTNA [zero trust network access] in some form with another 30-40 percent being in strategy mode.”
ZT products and services ensure “applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities,” according to Gartner, a market researcher. “The broker verifies the identity, context and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network. This removes application assets from public visibility and significantly reduces the surface area for attack.”
Lateral movement refers to the “techniques that a cyber-attacker uses, after gaining initial access, to move deeper into a network in search of sensitive data and other high-value assets,” according to cybersecurity firm CrowdStrike.
“Once the attacker has breached an organization’s digital boundaries or perimeter, the attackers are free to roam around internally and cause as much damage as they wish,” said Agarwal. “It could take weeks or months before they are caught in the act and that’s enough time for any attacker to wreak havoc.”
One example of a ZT technology and emerging VPN alternative is a software-defined perimeter (SDP), which safeguards networks by establishing “1-1 connections between users and the resources that they need,” according to NetMotion. With SDPs, “users only get access to the application they requested and nothing more – preventing any kind of lateral movement, because connections are to the resource and not the whole network,” NetMotion said.
A ZT solution could also take the form of dynamic access rules based on changing network conditions, according to a Wall Street Journal CFO op-ed co-authored by Deloitte’s Andrew Rafla and Henry Li. Examples of network disruptions that could cause system-executed modifications to user-access permissions could entail the detection of malware on a network endpoint, Rafla and Li wrote.
Private equity firms are particularly exposed to VPN vulnerabilities during dealmaking, which is the “point of maximum weakness,” according to Neil Hampson, partner and global technology leader at PwC.
“You’re exchanging information with a large number of advisers and it’s all very sensitive, deal-critical, price-sensitive information and managing that flow is very difficult,” Hampson said in a PwC video.
VPN risks are especially pronounced in scenarios where remote counterparties use a VPN to log into virtual data room applications such as iDeals or Intralinks to review confidential deal documents.
With the PE industry notching $839.6 billion in dealflow through Q3 of this year alone, threat actors have had nearly 11,000 transactions to sabotage, according to consultant Refinitiv. The most funded sectors so far have been technology, healthcare and retail.
If transformation initiatives in these hyperactive sectors pick up, requiring complex and clunky integration with other portfolio-company IT systems, vendors and cloud environments, the sponsors of these transactions may be the most in need of ZT deployment.
Deloitte’s Rafla and Li recommend companies “develop a clear understanding of what they need to protect, determining where the assets that most need defending reside, who and what should be able to access these assets and under what conditions.”
Firms must also determine the importance of different data sets, the distinct classifications they want to implement, contextual access rules and specific user and device permissions for each class of data, Rafla and Li said. “Maturing zero trust capabilities should take a risk-based approach to enforcing ‘least privilege’ access, meaning that users and applications should be able to access what they need and nothing more,” they added.
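The pieces described above (a trust broker that checks identity, context and policy per request, per-resource connections instead of network-wide reachability, access rules that change when endpoint conditions change, and least-privilege rules tied to data classification) can be illustrated in a small policy model. The following Python is an added example written for this page; it is not code from the article, from any vendor named here, or from NIST. The resources, roles, classifications and device fields are constructed assumptions, and the `vpn_reachable` function is only a contrast for the flat-network behaviour the article attributes to a conventional VPN.

```python
from dataclasses import dataclass

# Constructed data classifications, ranked low to high (assumption for this example)
CLASSIFICATION_RANK = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Resource:
    name: str
    classification: str       # key of CLASSIFICATION_RANK
    allowed_roles: frozenset  # roles permitted to reach this resource


@dataclass
class DevicePosture:
    managed: bool             # enrolled in endpoint management
    disk_encrypted: bool
    malware_detected: bool = False


@dataclass
class Session:
    user: str
    roles: frozenset
    mfa_verified: bool
    clearance: str            # highest classification this identity may access
    device: DevicePosture


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(session, resource):
    """Policy check run for every request: identity, device context and
    per-resource policy must all pass; being 'on the network' grants nothing."""
    if not session.mfa_verified:
        return Decision(False, "mfa not verified")
    if session.device.malware_detected:
        return Decision(False, "malware detected on endpoint")
    rank = CLASSIFICATION_RANK[resource.classification]
    if rank >= CLASSIFICATION_RANK["confidential"] and not (
        session.device.managed and session.device.disk_encrypted
    ):
        return Decision(False, "unmanaged or unencrypted device")
    if CLASSIFICATION_RANK[session.clearance] < rank:
        return Decision(False, "clearance below data classification")
    if not session.roles & resource.allowed_roles:
        return Decision(False, "role not permitted for resource")
    return Decision(True, "identity, context and policy checks passed")


class TrustBroker:
    """Mediates every connection; grants are per (user, resource), never per network."""

    def __init__(self, resources):
        self.resources = {r.name: r for r in resources}
        self.grants = {}  # (user, resource name) -> Decision

    def request(self, session, resource_name):
        resource = self.resources.get(resource_name)
        if resource is None:
            # The broker never enumerates what exists, so probing reveals nothing
            return Decision(False, "no such resource")
        decision = evaluate(session, resource)
        if decision.allowed:
            self.grants[(session.user, resource_name)] = decision
        return decision

    def reevaluate(self, session):
        """Continuous evaluation: re-run policy on live grants and revoke any
        that no longer pass, e.g. after the endpoint's posture changes."""
        revoked = []
        for user, name in list(self.grants):
            if user != session.user:
                continue
            decision = evaluate(session, self.resources[name])
            if not decision.allowed:
                del self.grants[(user, name)]
                revoked.append((name, decision.reason))
        return revoked

    def reachable(self, user):
        return sorted(name for u, name in self.grants if u == user)


def vpn_reachable(credential_ok, resources):
    """Contrast: a classic VPN that accepts the credential hands out a routable
    address, and with it reachability to every resource behind the perimeter."""
    return sorted(r.name for r in resources) if credential_ok else []


def demo():
    # Constructed sample environment for a small investment firm
    resources = [
        Resource("deal-room-vdr", "restricted", frozenset({"deal_team"})),
        Resource("hr-payroll", "confidential", frozenset({"hr"})),
        Resource("intranet-wiki", "internal", frozenset({"staff"})),
    ]
    broker = TrustBroker(resources)
    laptop = DevicePosture(managed=True, disk_encrypted=True)
    alice = Session("alice", frozenset({"deal_team", "staff"}), True, "restricted", laptop)
    results = {"vpn_model": vpn_reachable(True, resources)}
    results["vdr"] = broker.request(alice, "deal-room-vdr").allowed
    results["payroll"] = broker.request(alice, "hr-payroll").reason
    results["zt_reachable"] = broker.reachable("alice")
    # Replayed credential without MFA from an unmanaged machine: denied before any grant
    replay = Session("alice", alice.roles, False, "restricted", DevicePosture(False, False))
    results["stolen_cred"] = broker.request(replay, "deal-room-vdr").reason
    # Posture change: endpoint tooling flags malware, so live grants are revoked
    laptop.malware_detected = True
    results["revoked"] = broker.reevaluate(alice)
    results["after_revoke"] = broker.reachable("alice")
    return results
```

Running `demo()` shows the three behaviours the article contrasts: the VPN model exposes every resource once the credential is accepted, while the broker lets the same user reach only the one resource her role and clearance justify; a replayed credential that cannot pass MFA and device checks gets nothing; and a malware detection on the endpoint revokes the existing grant on the next evaluation rather than leaving the session open for weeks.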
“A majority of the costs and complexity in implementing ZT are in the design and implementation area rather than the cost of software,” said Milis of RFA. “This is unfortunately also a major contributing factor in slowing down the adoption of ZT.”
ZT solution providers favored by RFA include Microsoft and Google. However, RFA also works with other “vendors that create wider-reaching solutions,” said Milis. “In particular I would recommend Zscaler, Palo Alto Networks and Axis Security.”
It is important to note that zero trust has become a marketing buzzword, and some vendors have misused the term to “imply improved security,” according to Gartner. Chief financial officers managing spend on ZT transformation initiatives must remember that ZT is fundamentally about aligning security products and services with their firm’s holistic IT risk posture.
The move to ZT will take some time. A recent NetMotion survey found that more than 85 percent of organizations are still “relying on the oft-maligned enterprise VPN, with nearly 50 percent suggesting that their company’s VPN usage would continue well into 2023 and beyond.”
Milis expects to see enterprises shifting to zero trust as soon as they can, with the financial sector leading the way. “We are seeing an accelerated trend of adoption of ZT in at least a partial format across many companies in the financial sector and expect it to mature into a full implementation in the next 12 months.”