Deploying Zero Trust Network Access for Secure Application Access? Don’t Forget to Secure Your Employees
In 2021, we saw a number of virtual private network (VPN) security vulnerabilities used in attacks against organizations. In April alone, we observed the CVE-2018-13379 vulnerability in Fortinet’s FortiGate VPN solution being used to launch several ransomware attacks, and the CVE-2021-22893 vulnerability in the Pulse Connect Secure VPN solution being used to bypass authentication and gain access to the networks of a number of defense, government, and financial organizations around the world.
Malicious actors using VPNs is nothing new
Exploiting VPN security weaknesses is not a new phenomenon; malicious actors have been using VPNs to gain unauthorized network access for many years. That has led to many companies replacing their VPN solutions with Zero Trust Network Access (ZTNA) solutions.
With a ZTNA approach, users are no longer given access to the entire network, but only to the specific applications that they require to perform their jobs. Most importantly, the applications aren’t exposed to the public internet. This Zero Trust approach dramatically decreases the risk of attackers gaining access to a company’s network.
But there’s another critical component that also represents a risk and needs to be secured: the employees. Let me explain why you need to secure your workforce, why that is a critical component of further securing application access, and how you can use multi-factor authentication (MFA) as a quick and easy way to achieve this.
Employee credentials are under attack
Just as in the consumer world, where attackers have used techniques such as credential stuffing (sometimes called password stuffing) to take over customer accounts, the last few years have seen the same approach being used to take over employee accounts. And this approach is successful: the 2021 Verizon Data Breach Investigations Report stated that almost 80% of reported data breaches involved the use of compromised employee credentials.
The bottom line is that many companies place too much faith in single-factor authentication for employee login, based only on an employee username and password. Unfortunately, employees are still choosing passwords that can be easily compromised by, for example, a simple dictionary-based attack. In addition, employees are still reusing passwords across their personal and company logins. That matters because attackers will simply buy leaked consumer credentials and use them to target workforce logins. Once an attacker has compromised an employee account, they have the keys to the front door.
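The credential-stuffing pattern described above has a recognizable signature in authentication logs: one source tries many different usernames in a short time, mostly failing, and the occasional success is the account whose reused or weak password matched. The following detector is an added example, not Akamai's code; the log format, the five-minute window, the distinct-username threshold and the sample log lines are all constructed for illustration.

```python
"""Credential-stuffing detector run over constructed authentication log lines.

Added example, not Akamai's code. The log format, thresholds and sample data
are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (assumed format):
# "<ISO timestamp> <source_ip> <username> <SUCCESS|FAILURE>"
SAMPLE_LOG = """\
2021-04-20T09:00:01 203.0.113.7 alice FAILURE
2021-04-20T09:00:02 203.0.113.7 bob FAILURE
2021-04-20T09:00:02 203.0.113.7 carol FAILURE
2021-04-20T09:00:03 203.0.113.7 dave FAILURE
2021-04-20T09:00:04 203.0.113.7 erin FAILURE
2021-04-20T09:00:05 203.0.113.7 frank SUCCESS
2021-04-20T09:00:06 203.0.113.7 grace FAILURE
2021-04-20T09:05:00 198.51.100.9 alice FAILURE
2021-04-20T09:05:10 198.51.100.9 alice FAILURE
2021-04-20T09:05:20 198.51.100.9 alice SUCCESS
2021-04-20T09:30:00 192.0.2.44 heidi FAILURE
2021-04-20T10:30:00 192.0.2.44 ivan FAILURE
"""

WINDOW = timedelta(minutes=5)       # assumed sliding window
DISTINCT_USER_THRESHOLD = 5         # assumed: this many distinct failing users per source


def parse_log(text):
    """Parse the constructed log format into (time, ip, user, outcome) tuples, time-sorted."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    events.sort(key=lambda e: e[0])
    return events


def detect_credential_stuffing(events, window=WINDOW, threshold=DISTINCT_USER_THRESHOLD):
    """Flag source IPs that fail logins for >= `threshold` distinct users inside `window`.

    Returns {ip: {"distinct_failed_users": n, "succeeded_users": [...]}}, where
    succeeded_users are accounts that logged in successfully from that source during
    the same burst: the accounts a defender should treat as likely compromised.
    A single user failing a few times and then succeeding (a typo) is not flagged.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start so that evs[start:end+1] spans at most `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            failed_users = {u for _, _, u, o in window_evs if o == "FAILURE"}
            if len(failed_users) < threshold:
                continue
            succeeded = sorted({u for _, _, u, o in window_evs if o == "SUCCESS"})
            prev = findings.get(ip)
            # Keep the widest burst seen for this source.
            if prev is None or len(failed_users) > prev["distinct_failed_users"]:
                findings[ip] = {
                    "distinct_failed_users": len(failed_users),
                    "succeeded_users": succeeded,
                }
    return findings


if __name__ == "__main__":
    for ip, info in detect_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_failed_users']} distinct users failed; "
              f"successful logins during burst: {info['succeeded_users']}")
```

Run against the sample, only 203.0.113.7 is flagged, and the output names frank as the account whose password matched during the burst; that is the account to force a reset on and, with MFA enrolled, the one whose password alone would no longer have been enough. In production the same logic should key on more than the source IP, since stuffing tooling rotates through proxies, but the per-source distinct-username signal is the place to start.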
Compared with VPN access that potentially gives unfettered access to your entire network, ZTNA is a big step up in security. But given that many companies use single sign-on (SSO) with ZTNA, a compromised user account gives access to all the applications to which the SSO is linked. That’s still a big security risk.
How MFA can help
MFA is a simple but effective way to dramatically decrease the risk of employee account takeover. MFA adds a second (or even a third) factor to the basic username and password approach. There are many different factors that a typical MFA service can use, including short message service (SMS), one-time password (OTP), biometrics (such as facial or fingerprint recognition), and physical security keys.
Adding MFA to your authentication stack makes sound security sense in general, and using MFA alongside ZTNA should be a given. Ask yourself why you would lock the front door by eliminating network-level access through a ZTNA service, but then leave the back door protected by a $5 burglar alarm that offers as much protection as an easily guessed password.
Find out more
To learn how the FIDO2-based phish-proof authentication factors of Akamai MFA can help you further secure your workforce when you have deployed — or are thinking about deploying — a ZTNA service, please visit akamai.com/mfa. Still thinking about or evaluating a ZTNA solution? Check out Akamai Enterprise Access.