FBI Director Christopher Wray speaks at an event in Washington, D.C. Security pros knew that attacks on VPNs had become serious when the FBI and CISA issued a warning last fall. Today’s columnist, Dor Knafo of Axis Security, says companies have to think of remote access as a high-priorty business continuity issue. FBI CreativeCommons (Credit: CC PDM 1.0)

A little more than a year ago I had the opportunity to interview 40 CISOs about their enterprise access challenges. They understood the limitations of virtual private networks (VPNs), yet not one IT leader had the appetite or intention of replacing their legacy access approach.

They weighed the weaknesses of these approaches, from operational issues to end-user experience and poor security against other priorities related to digital transformation and cloud migrations. The universal decision was that they could live with what they had. As it turned out, that was a bad idea.

One of the painful lessons executives, IT, and security teams learned during the pandemic last year was that they have to think of secure remote access as a business continuity issue as much as DDoS attacks, natural disasters, or nation-state attacks.

During the pandemic last year and into 2021, delivering secure remote access has become a top priority for companies across all industries. With everyone working remotely all at once, significant issues quickly arose with legacy solutions such as VPNs and virtual desktop infrastructure (VDI). Even the largest, most sophisticated organizations had challenges scaling their legacy access infrastructure and had to ration access to important enterprise assets.

Here are four lessons from last year about remote access security teams need to take seriously:

  •  Remote access should not take this much effort.

Executives were left wondering how something so foundational to basic business operations had become so archaic, difficult to use, deploy, and manage. To scale the legacy access infrastructure, IT teams had to deal with licensing issues, hardware, and network changes, not to mention adding agents on endpoints. Providing access to critical enterprise assets should not take weeks, yet here they were, facing significant and ongoing disruption to business operations.

  • User experience matters.

For years employees have complained about the difficulty of using legacy access solutions. They often went around the VPN, for example, using convenient but unsanctioned and insecure cloud and web apps instead of corporate-sanctioned and secured applications. That’s the exact opposite behavior that an access solution should create and many companies spent the better part of last year trying to police shadow IT and give people the access they need in a secure way.

  • Security is business continuity.

With more users than ever using these legacy solutions for access, from employees to third parties, attackers took immediate advantage. They began targeting VPN infrastructure, leading to a cybersecurity advisory from the FBI and CISA. When VPN infrastructure goes down, that’s the equivalent of a natural disaster or power outage. Business stops.

Attackers also turned their attention to remote desktop protocol (RDP) machines. These machines are vulnerable by design and are designed for use inside the enterprise firewall. Suddenly, employees were using these vulnerable machines to access the network from insecure home networks. Almost immediately, attackers feasted.

  • We need Zero Trust.

C-Suite dismay only grew as they learned how legacy access solutions are far from Zero Trust. In fact, they are overly permissive with too much inherent trust. Legacy access solutions create a dedicated tunnel and bring users directly onto the network and to the doorstep of vulnerable applications. IT administrators have little visibility and control over the user behavior once they are granted access.

Throughout 2020 many have marveled at the accelerated pace of digital transformation. For many in IT that was the priority at the beginning of the year and remains so to this day. In between, some painful lessons were learned about secure remote access. It’s not a “nice to have” or something companies can take for granted. We have to think of remote access as a business continuity issue. If employees, partners and third parties cannot gain access to enterprise apps, business stops. It’s that simple.

Dor Knafo, co-founder and CEO, Axis Security