The most common tools used are VPNs, VDI and Zero-Trust Network Access (ZTNA). Since these solutions were not built for a cloud-centric world, they are riddled with problems. Some of these shortcomings are:
1. Access that does not conform to principles of least privilege access
The solutions listed above were built for a network-centric approach, not a cloud-centric world. The granularity of access built into these solutions is overly permissive and not capable of restricting access to specific resources or applications; for example, they cannot grant application-specific access. This wide-open access creates security gaps.
Enforcing principles of least privilege access is a core tenet of zero trust. Since legacy solutions cannot provide the granular access control needed in a cloud context, they cannot be considered zero trust solutions. In addition to the wide-open access, they are not built to continuously monitor access and tune it to limit or eliminate permission abuse.
These solutions work on the principle of validating access when the initial connectivity is established between the user and the resource. This coarse level of control does not account for what happens after the initial connectivity is established. Nor does it consider the context of the specific access request.
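As an added illustration (not from the original text), the following Python sketch contrasts the two models described above: a connect-time check that leaves every application on the network reachable once the tunnel is up, and a per-request check that is application-scoped and re-evaluates context (device posture, authentication age) on every call. The identities, applications and posture fields are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample data for this example: one contractor with a single
# application-scoped grant. Names and fields are assumptions, not from the text.
@dataclass(frozen=True)
class Context:
    user: str
    device_managed: bool   # posture signal available to the policy engine
    mfa_age_minutes: int   # how long ago the user last completed MFA

@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    actions: frozenset

GRANTS = (Grant("contractor-a", "ticketing", frozenset({"read", "comment"})),)
MFA_MAX_AGE = 60  # minutes before the session must re-authenticate

def legacy_decision(ctx: Context, app: str, action: str) -> bool:
    """Connect-time model: identity is checked once when the tunnel comes up.
    After that every application on the network is reachable, so the requested
    app and action never influence the result and posture changes are ignored."""
    return any(g.user == ctx.user for g in GRANTS)

def zero_trust_decision(ctx: Context, app: str, action: str) -> tuple[bool, str]:
    """Per-request model: each call is checked against an application-scoped
    grant and the current context, so a posture change mid-session matters."""
    if ctx.mfa_age_minutes > MFA_MAX_AGE:
        return False, "deny: re-authentication required"
    if not ctx.device_managed and action != "read":
        return False, "deny: write from unmanaged device"
    for g in GRANTS:
        if g.user == ctx.user and g.app == app and action in g.actions:
            return True, f"allow: grant on {app}"
    return False, f"deny: no grant for {action} on {app}"

def replay(session):
    """Evaluate a sequence of (context, app, action) requests under both models.
    Returns one (legacy_allowed, zero_trust_allowed) pair per request."""
    return [(legacy_decision(c, a, x), zero_trust_decision(c, a, x)[0]) for c, a, x in session]

if __name__ == "__main__":
    fresh = Context("contractor-a", device_managed=True, mfa_age_minutes=5)
    stale = Context("contractor-a", device_managed=False, mfa_age_minutes=90)
    session = [(fresh, "ticketing", "read"), (fresh, "finance", "export"), (stale, "ticketing", "read")]
    for (c, a, x), (legacy, zt) in zip(session, replay(session)):
        print(f"{a}/{x:<8} legacy={legacy!s:<5} zero_trust={zt}")
```

The second request shows the gap the text describes: the connect-time model allows an export from an unrelated application because the user was valid at connection, while the per-request model denies it for lack of an application-specific grant.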
2. Operational complexity
Most of the solutions listed above require deployment of onerous agents on the endpoints. Some require that devices owned by the contractor or third party be managed by the enterprise. This adds cost and operational overhead for understaffed IT and security organizations.
Without the ability to manage the devices directly, organizations lack visibility into the access activity that originates on the device, which blinds them to malicious access. Furthermore, traffic between the endpoint and the resources may be encrypted, which limits the organization’s ability to determine the nature of the access. Organizations often deploy intrusive and complex decryption mechanisms to examine that traffic, and these methods add cost and complexity.
3. Lack of data loss protection and prevention
Traditional solutions operated, for the most part, in a binary mode: access or no access. The levers to control and manage access to data were not built into those legacy solutions, nor were they designed to prevent the movement of malware from the endpoint into the enterprise infrastructure. These are the key reasons that legacy solutions cannot prevent the loss of data. In fact, it is the very nature of these legacy technologies that is often exploited to hide malicious activity and gain access to critical resources and infrastructure.