VPN replacement Archives | Axis Security
https://www.axissecurity.com/tag/vpn-replacement/
Wed, 27 Sep 2023 22:05:27 +0000

ZTNA 1.0 Buyout Offer PPC
https://www.axissecurity.com/ztna-buyout-ppc/
Wed, 27 Sep 2023 22:05:26 +0000

Your ZTNA 1.0 solution left you longing for more?

 

The first generation of ZTNA struggled.

  • Policies were too complex so you got stranded on “Wildcard Mode” island

  • It doesn’t support access to RDP, VOIP, ICMP, or AS400 protocols

  • It can’t inspect private traffic

That wasn’t cool of them, so we decided to do something about it.

 

Learn how we can buy out your ZTNA contract and give you up to 6 months free Atmos ZTNA service.

Join those who have already made the switch:


The post ZTNA 1.0 Buyout Offer PPC appeared first on Axis Security.

Making the Internet Safe for Work in a World Stricken with Ransomware
https://www.axissecurity.com/making-the-internet-safe-for-work-in-a-world-stricken-with-ransomware/
Wed, 09 Aug 2023 10:00:00 +0000

If you’re an IT security leader, this goes without being said – ransomware is the worst. 

While the Internet continues to unlock new ways for businesses to increase routes to revenue, deliver great employee and customer experiences, and cut costs, cyber thugs have unleashed a slew of ransomware attacks that target legacy network architectures. As a result, these malicious attacks have risen to near the top of the list of business-level concerns.

It’s the CISO who is tasked with defending the business from these threats. It’s no surprise, then, that ransomware is one of the top 5 CISO priorities in 2023, as per a recent study from Evanta, by Gartner.

These attacks encrypt valuable data and hold it hostage, demanding a ransom for its release. The consequences of a successful ransomware attack can be devastating, resulting in not only financial losses, but also reputational damage, and significant operational disruption. 

Over the last few years, ransomware attacks have inflicted significant financial losses on companies across multiple industries. According to a recent report by Cybersecurity Ventures, the global cost of ransomware is projected to reach $265 billion by 2031. That number is massive. For comparison, that amount would rank #42 out of 190 in a list of GDP rankings by country. The report estimates that a new organization will fall victim to a ransomware attack every 11 seconds in 2023.

These statistics highlight the urgent need for organizations to fortify their defenses against ransomware attacks. The rise in costs for ransomware damages over the last eight years is extremely alarming:

  • 2015 – $325 Million
  • 2017 – $5 Billion
  • 2018 – $8 Billion
  • 2019 – $11.5 Billion
  • 2021 – $20 Billion
  • 2031 – $265 Billion

Ransomware attacks use several techniques to infiltrate networks and compromise data including:

  • Phishing Attacks: Phishing emails are crafted to deceive users into clicking on malicious links or downloading infected attachments, leading to the installation of ransomware.
  • Remote Desktop Protocol (RDP) Exploitation: Attackers exploit vulnerabilities in RDP to gain unauthorized access to a system and deploy ransomware.
  • Malvertising: The distribution of malicious advertisements redirects users to infected websites and triggers an automatic download of ransomware.
  • Drive-by Downloads: Just visiting compromised websites can initiate the download and execution of ransomware without user interaction.

In my opinion, to protect against ransomware attacks effectively, IT security leaders should explore Security Service Edge (SSE) vendors that elegantly bring together three key services into a single platform: Zero Trust Network Access (ZTNA), Secure Web Gateway (SWG), and Cloud Access Security Broker (CASB):

Zero Trust Network Access (ZTNA):
ZTNA is a security model that enforces strict identity verification and access controls before granting access to applications. By implementing ZTNA, organizations can significantly reduce lateral movement by preventing unauthorized access to critical resources and by connecting users directly to applications rather than putting them and their devices on the network. Unlike legacy VPN tools, ZTNA solutions do not need to punch holes in the firewall and expose inbound ports, which significantly reduces the attack surface.

Secure Web Gateway (SWG):
A SWG is a gatekeeper between an organization’s internal network and the internet. It filters web traffic, scans for malicious content, and blocks access to risky websites. SWGs use advanced threat intelligence to detect and prevent ransomware attacks originating from internet-based sources. A SWG enforces policies to prevent the downloading of suspicious files and actively blocks known malicious domains.

Cloud Access Security Broker (CASB):
CASB solutions provide visibility and control over data stored in cloud applications. With the increasing adoption of cloud services, it is crucial to secure cloud-based data from ransomware threats. CASBs enable organizations to monitor and protect data across multiple cloud platforms, enforce security policies, and detect anomalous user activities that could indicate a ransomware attack. CASBs also facilitate granular access controls to cloud applications, ensuring that only authorized users can modify or access critical data.

Take a look here to see what I mean. What you wind up with is the ability to effectively protect the business from ransomware. Below is the approach at Axis.

Ransomware attacks continue to evolve at an alarming rate and pose a severe threat to businesses worldwide. To mitigate this risk, businesses should adopt a proactive defense strategy that places SSE at the heart of it and combines ZTNA, SWG, and CASB into one elegantly delivered cloud service. 

By implementing these technologies, organizations can significantly reduce their vulnerability to ransomware attacks and minimize the potential damage caused by such incidents. 

Investing in the right measures is essential to protect valuable data, safeguard operations, and maintain the trust of customers and stakeholders in an increasingly Internet-connected digital landscape. Chief among them is SSE, the key to making the Internet safe for work.

Explore some of the new ways Axis Security is helping in our new 2023 Summer Release.

The post Making the Internet Safe for Work in a World Stricken with Ransomware appeared first on Axis Security.

The ZTNA Evolution – My Journey
https://www.axissecurity.com/the-ztna-evolution-my-journey/
Mon, 13 Mar 2023 13:00:00 +0000

As many of you know, I was an early adopter of Zero Trust Network Access (ZTNA) while working in my previous role, which led me to work at Axis today. As our contract was coming up for renewal, I did what all IT folks do and went out on the market to see what had changed during our contract period and to see if anything existed that was better.

The pandemic had led to a significant amount of innovation and evolution in the ZTNA market. To ensure I could make the best use of my time I made a requirements list of the things I wanted to have in the new product that the old product lacked, or that we had difficulties with. I used this as my basis when speaking to each of the vendors, dived into their technology, looked at some demos, and ticked off my requirements.

One of the things I wanted to avoid, and which made it to the top of the priority list, was having to use multiple user interfaces for the different parts of what I felt was a single product. I didn’t want to go to one place for remote access and another for the Secure Web Gateway. Having multiple user interfaces made it confusing for the IT team, as they had to navigate through different windows to access the information they needed.

In fact, it made it impossible for the product team to hand it to the business-as-usual team because it was very easy to forget where you had to go to do which administration or troubleshooting task. This led to decreased efficiency and productivity, as everyone had to spend time searching for the right portal to make the right changes and in some cases, they had to make changes in multiple places before it would take effect. I wanted to remove as much complexity as possible and keep things simple.

Another thing that made it high up the list was wanting to avoid the product being sat on top of multiple data lakes. Having multiple data lakes led to lots of data fragmentation, which made it difficult for us to have a unified view of our security posture. This led to increased risk, as we did not have complete visibility into all of the security-related data across user access. It also made it difficult to automate any processes and share information between the IT and security teams. This led to duplication of effort, as the different teams ended up performing the same tasks multiple times, leading to decreased efficiency and increased costs.

Server-initiated flows were also on my requirements list. I needed to ensure that patches could be pushed from our patching server and this was an outbound flow instead of an inbound connection. This was a limitation with the current product which meant that we had to publish our patching server to the internet to push patches which actually added additional risk and was a step backward from our previous VPN solution. We either had to take this risk or stick with a traditional VPN for this use case.

A better agentless offering also made it onto the list. Being a manufacturing company, we had contractors and 3rd parties who needed access to our systems, and although we could configure some access via a web browser, it was very complicated, unstable, difficult to configure, and very limited on what applications were available. In many cases, we still had to get these users to install agents on their devices to give them the access they required, so I needed a much wider range of ports and protocols available agentless in any new tool I decided to purchase.

Another thing I thought about for my requirements list was making sure the solutions within the platform were resilient and redundant and offered the best user experience. The current vendor sent secure web gateway traffic to one set of POPs and ZTNA traffic to another set of POPs that were hosted in their own data centers on their own hardware. I wanted to find a solution that could easily expand and could use the power of cloud routing to ensure access to applications had the least possible latency but was also clever enough to switch paths if the routes being taken slowed down.

As I went out to the market and did my research and started to complete my requirements list I realized that there was only one vendor that met all these needs and had green ticks on the list of my requirements and that was Axis. I was so excited by what they were doing with their product, and the team was so friendly when I spoke to them, I ended up transitioning to the dark side!

Maybe you can relate to my story or maybe you’re not sure what to do next? If so I recommend a couple of things:

  • Grab a (virtual) coffee with me! I would be happy to connect and hear more about the challenges you may be facing and provide recommendations for your business.

  • If you’re considering a VPN alternative, check out this VPN Buy Back Program from Axis. See if you qualify to get paid as you adopt a modern ZTNA solution.

The post The ZTNA Evolution – My Journey appeared first on Axis Security.

VIDEO: ZTNA vs VPN
https://www.axissecurity.com/video-ztna-vs-vpn/
Thu, 20 Jan 2022 00:25:16 +0000

With the emergence of remote work, IT leaders have had to react quickly; many decide to simply buy more VPNs. Now years later, 77% of companies will make hybrid work a permanent fixture. They’re looking for better alternatives for application connectivity. The new reality is that user experience is key to productivity. Ransomware has grown 500% year over year, and VPNs are one of the largest culprits because they allow network access. The constant game of adding hardware appliances and managing that infrastructure is becoming more expensive from a CapEx and OpEx perspective.

So we decided to compare the Axis ZTNA services to your traditional VPN. Many users and employees only need access to certain applications. So let’s compare the Axis approach versus your VPN.

So with Axis, it’s as simple as opening up a link to get to the application using strong authentication with your existing identity, of course with MFA, if it’s enabled in your organization, and at that point, the user has application access.

This is without any VPN clients, without having to worry about network access or knowing, “Is this an internal application or a public application?” It just simply works.

Now for the traditional VPN user, of course, the user has to download and install the VPN client if they don’t already have the client. And we’ll go ahead and just fast forward through that, just to show you that whole process. Now that the user has the VPN client, they’ll go ahead and authenticate. And here, our VPN also has MFA. And at this point the user’s device is now connected to the VPN, to the network. And when they click that link, they are now able to access that private application. However, it took many more steps, and here that user has network connectivity to your enterprise while the Axis user simply got application layer access without network access.

Here in the next scenario, we’re going to compare that network access between Axis as well as your VPN.

So keep in mind with a VPN, the user’s on the network, and depending on the ACLs, they might be restricted to certain subnets, but they still have access to the network for them to explore. Now with Axis, for that application that we just showed, that logistics app, there’s a public DNS record that points to the Axis cloud. That’s so users can access it client-less, but that does not point to your enterprise network. Now, when it comes to other resources and the network, we just gave an example of trying to ping the domain controller that’s in our target network.

Well with Axis, that’s not even possible, there’s no connectivity. But with the VPN, you can see that it actually does elicit a response when we run a simple ping. So we know that the machine has connectivity. So now that we’ve done a basic connectivity test, let’s run a quick scan of those hosts to see what ports are open. So with Axis, there’s going to be no response except for that front end to the Axis cloud for that client-less web application, but there’s no connectivity at all to the domain controller.

Well, with your traditional VPN, that user has network access, and you can actually determine what ports are open on that machine and try to access that machine even though you’re not supposed to.

This next scenario, we’re going to talk about an acquisition. So you have an employee that was part of a company that was acquired by another organization.

Now IT needed to provide me access to certain logistics and HR applications. With Axis, there’s nothing that users really have to do differently. You can publish those applications through Axis, integrate their existing identity, even if you haven’t yet merged the two company organizations and identities together. And those users simply authenticate strongly to the Axis portal and they open up the application and they can submit their HR requests for time off for example.

With your VPNs, unless you merge the networks together, typically what the users have to do is either have two different VPN clients or have the same VPN client, but the user has to connect and disconnect to the different networks to their existing organization that they’re used to. But then if they need to access that HR application, for example, they’ll need to disconnect their existing VPN, connect to the other VPN at the acquiring company in order to do that. So it’s not very efficient, it’s not very user-friendly and it loses productivity. Now with the VPN, the user will disconnect from their existing VPN and now connect to the other organization. In this case it’s just a secondary VPN profile. So the user will re-authenticate and enter their MFA if that’s required. The user is now connected to the acquiring company’s network and can open up the HR application and fill out that time off request.

So as you can see in comparison, this user had quite a few additional steps. So it’s not the best user experience, especially when needing to access resources at the two different organizations’ networks. And of course you are putting that user and their potentially unknown device onto your network through the VPN.

Many organizations need to provide access for third party users. In this case, we have an IT engineer that manages some software on a Windows machine on your network. Well, with Axis, you can provide a single server access through RDP with very limited controls.

So from a security perspective, this user doesn’t even know what the credentials are to the Windows server. We’ve enabled web access only and the inability to map network drives, local printers, anything like that. So it’s a very secure environment. Now with the VPN, again, you can create a very limited ACL to connect that contractor, that engineer, to a certain network, but they’re still having network level access. So they’re able to potentially explore other areas of your network, aside from just the single server that they are here to manage.

Now let’s talk about visibility. One of the core fundamental values of Axis is providing that visibility and control at the application layer. So here, if we take a look at some of the example scenarios we went through earlier in this video. As the administrator, you’ll see for example, with that logistics application, you can see the page views, the files that were downloaded or uploaded by that user compared to your VPN, that will just show that this user was connected to the network and here’s their IP address, but you don’t really have that human readable understanding of what they were actually doing.

Now, similarly, with a contractor, you might have enabled an Axis or a ZTNA security profile that provides some additional auditing controls and visibility. So here you not only see that that contractor connected to that server, but did they transfer any files? Now of course, if you have a policy in Axis that does not allow the file transfers, you wouldn’t see those uploads and downloads. However, we provide that application layer visibility and optionally for some of these contractors, you might enable the screenshot auditing capabilities of Axis where every minute we’ll take a screenshot of that session. That way, if you need to understand what that contractor was doing, you have that data.

We hope you’ve enjoyed watching these scenarios of comparing the Axis ZTNA platform to your traditional legacy VPN network access tools.

If you are interested in learning more about our ZTNA platform, feel free to speak with our team here at Axis!

We’d be happy to provide a quick demo of our platform.

The post VIDEO: ZTNA vs VPN appeared first on Axis Security.
