On June 8, 2021, Joseph Blount, President and Chief Executive Officer of Colonial Pipeline, appeared before the United States Senate Committee on Homeland Security and Governmental Affairs regarding the breach that injected ransomware into their servers and disrupted the company’s gasoline distribution network for over one week. In his testimony, Blount stated that the likely entry point of the breach was a “legacy virtual private network (VPN) profile that was not intended to be in use”.
This type of breach points to the need for a unified approach for granular access to both cloud and on premises corporate data resources based on a number of criteria. The Bitglass Secure Access Service Edge (SASE) solution addresses this need.
Limitations of traditional VPN solutions
Many VPN solutions will grant a user visibility to all resources on a private network and require reliance on additional authentication schemes to restrict access to individual applications. Once on the network, a bad actor can use various techniques to gain access to those applications, move though the corporate network unhindered, and compromise multiple systems.
Multifunction Authentication (MFA) ensures that compromised credentials cannot be used by themselves to grant access to a system. Instead, the user can be prompted for additional information to ensure they are who they say they are. This other information could be a token generated by software on the authorized user's device, a token sent to the user’s email address, a token sent via text message to the user's mobile phone, or requiring the user to answer one or more security questions. Apparently, in the Colonial Pipeline breach, MFA was not turned on for the account in question for that VPN.
Migrating from VPN access to ZTNA
While VPN solutions grant access to a corporate network, a Zero Trust Network Access (ZTNA) solution can be used to grant granular access to individual applications on the corporate network and hide all other applications from the user. This prevents the user from browsing the corporate network and searching for resources that could be compromised. In addition, a ZTNA solution can apply other controls such as blocking download of sensitive data and blocking upload of malware, including ransomware.
Using a system that integrates ZTNA with CASB and UEBA
Bitglass began its journey building a Cloud Access Security Broker (CASB) that allows granular access to public SaaS applications, data leakage protection (DLP) and malware protection for data at rest in the cloud, and DLP and malware protection for data in motion between cloud resources and user devices. In step with Gartner’s recommendations for SASE solutions, Bitglass has developed our ZTNA solution as an extension of our CASB technology. This lets Bitglass offer secure access to privately hosted applications using the same types of policies used to control access to public SaaS applications.
One aspect of our SASE solution relative to the Colonial Pipeline breach is our granular contextual access control based on login policies. A Bitglass login policy can block user access or require the use of MFA based on a number of contextual data points such as user location, device type, user group, time of day, and user and entity behavior analytics (UEBA). More specifically, access can be blocked or MFA required based on detection of “impossible travel”, a user logging into their Bitglass single sign-on portal from two different geographies in a short period of time, or based on detection of a user logging in from a previously unused device. Had Colonial Pipeline replaced their legacy VPN with Bitglass ZTNA, Bitglass would have detected the login attempt as coming from a new device and blocked it or required MFA which would have failed.
To avoid the type of breach experienced by Colonial Pipeline, migrate your legacy VPN access to a SASE solution like that of Bitglass, which combines CASB and ZTNA, and uses contextual access control powered by UEBA to enforce MFA.
To see how Bitglass can fit into your zero trust access strategy, request your free trial account today.