What recent cyberattacks on retailers taught us about VPNs and information security
Analysis Summary
# Best Practices: Transitioning from VPNs to Zero Trust Network Access (ZTNA) and Data Loss Prevention (DLP)
## Overview
These practices address the security gap left by outdated, perimeter-based VPNs, which are frequently exploited in cyberattacks (retail, which handles large volumes of customer data, has been hit particularly hard). The core recommendation is the integrated adoption of Zero Trust Network Access (ZTNA) with Data Loss Prevention (DLP) to secure modern, distributed work environments (WFH) while maintaining business continuity and regulatory compliance (e.g., GDPR).
## Key Recommendations
### Immediate Actions
1. **Recognize VPN Obsolescence:** Acknowledge that traditional VPNs grant overly broad network access, which is a primary attack vector.
2. **Prioritize Data Location:** Begin immediate efforts to map and identify all locations where sensitive data resides (e.g., PII, customer databases, loyalty programs across cloud, SaaS, and on-premises systems).
3. **Prepare for Change Management:** Begin planning for a phased infrastructure migration to ZTNA to avoid productivity disruption.
### Short-term Improvements (1-3 months)
1. **Deploy DLP for Asset Identification (Step 1):** Roll out DLP solutions across all environments to accurately scan, classify, and inventory high-risk sensitive assets. This inventory will directly guide the ZTNA implementation roadmap (Output of Step 1: Prioritized asset inventory).
2. **Secure High-Risk Assets with ZTNA (Step 2):** Apply ZTNA controls immediately to systems identified by DLP as containing the highest risk (e.g., e-commerce backend, primary customer databases). Enforce Multi-Factor Authentication (MFA) and device compliance checks for access to these systems.
3. **Integrate with SIEM:** Integrate both DLP and ZTNA feeds into existing Security Information and Event Management (SIEM) tools to enhance visibility and accelerate incident response capabilities.
### Long-term Strategy (3+ months)
1. **Scale ZTNA Coverage (Step 4):** Expand ZTNA deployment across the entire user base and all internal applications, ensuring all user access follows the "never trust, always verify" principle.
2. **Continuous Policy Refinement:** Use ongoing monitoring data from DLP (new data creation/movement) and ZTNA (access patterns) to continuously refine and tighten access controls (microsegmentation).
3. **Policy Enforcement based on Context:** Mature ZTNA policies to dynamically revoke access instantly if DLP detects risky data behavior (e.g., mass download attempt to a non-compliant personal device).
4. **Future-Proof Remote Work:** Fully transition WFH access from legacy VPNs to ZTNA to maintain secure access across hybrid teams without sacrificing user productivity or exposing the entire network to threats.
## Implementation Guidance
### For Small Organizations
- **Focus on CASB/DLP First:** Due to resource constraints, prioritize a unified tool (or inexpensive CASB/DLP solution) to gain immediate visibility into where PII is stored, as this dictates the highest security priority.
- **Phased ZTNA Pilot:** Adopt ZTNA for a small group of critical external users (e.g., necessary remote contractors or executives) who access the most sensitive cloud applications first.
### For Medium Organizations
- **Execute Phased Rollout:** Rigorously follow the four-step plan outlined (DLP identification -> ZTNA on critical assets -> High-Risk User Pilot -> Scale).
- **Dedicated Pilot Group (Step 3):** Select high-risk internal groups (e.g., Customer Support, Finance) for the ZTNA pilot (1–2 months) to rigorously stress-test user training and identity verification processes before a wider rollout.
### For Large Enterprises
- **Microsegmentation Focus:** Leverage ZTNA deployment to enforce detailed microsegmentation around specific application perimeters, eliminating implicit trust zones that currently exist within the traditional corporate network.
- **Vendor Management:** Explicitly scrutinize third-party vendor access pathways. Use ZTNA to ensure vendors only reach the exact applications required for their contracted work, verified by continuous context checks.
- **Audit and Compliance Mapping:** Map ZTNA/DLP controls directly against specific regulatory requirements (like required controls for GDPR data handling) to streamline compliance audits.
## Configuration Examples
The document implies the configuration focus should be on:
1. **ZTNA:** Enforcing access based on **Identity, Device Compliance, and Context**, leading to application-level access rather than network access.
2. **ZTNA Revocation:** Setting up triggers where anomalous data handling detected by DLP immediately results in the ZTNA access token being revoked for that user session.
3. **DLP Tagging:** Configuring DLP to accurately tag data categorized as PII or regulated data (e.g., GDPR-covered customer data) to prioritize ZTNA overlay protection.
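As an added illustration (not code from the report or any ZTNA/DLP product), the following Python sketch implements the three configuration points above as a minimal policy decision point: access is granted per application from identity (MFA), device compliance and one context signal, and a DLP event reporting a mass download of PII-tagged data revokes the session token on the spot. The application tags, download threshold, allowed-country list and DLP event fields are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample inventory: the DLP scan (Step 1) tags each app with the data class it holds.
APP_TAGS = {"ecommerce-backend": "PII", "customer-db": "PII", "wiki": "internal"}
MASS_DOWNLOAD_THRESHOLD = 500  # records per event; hypothetical DLP tuning value

@dataclass
class Device:
    managed: bool         # enrolled in endpoint management
    disk_encrypted: bool
    patched: bool

@dataclass
class Request:
    user: str
    mfa_passed: bool
    device: Device
    app: str        # access is brokered per application, never to the network
    country: str    # one context signal; a real broker would add time, risk score, etc.

@dataclass
class ZtnaBroker:
    pii_countries: set = field(default_factory=lambda: {"DE", "FR", "GB"})
    sessions: dict = field(default_factory=dict)  # token -> Request

    def decide(self, req: Request) -> tuple:
        """Check identity, device compliance and context; return (allowed, token_or_reason)."""
        if req.app not in APP_TAGS:
            return False, "unknown application"
        if not req.mfa_passed:
            return False, "MFA required"
        if not all([req.device.managed, req.device.disk_encrypted, req.device.patched]):
            return False, "device not compliant"
        if APP_TAGS[req.app] == "PII" and req.country not in self.pii_countries:
            return False, "PII app blocked from this location"
        token = f"{req.user}:{req.app}:{len(self.sessions)}"
        self.sessions[token] = req
        return True, token

    def is_valid(self, token: str) -> bool:
        return token in self.sessions

    def on_dlp_event(self, event: dict) -> bool:
        """Revoke the session when DLP reports risky handling of tagged data (constructed event shape)."""
        risky = (event["data_class"] == "PII" and event["action"] == "download"
                 and event["records"] >= MASS_DOWNLOAD_THRESHOLD)
        if risky and self.sessions.pop(event["token"], None) is not None:
            return True  # token revoked; is_valid() now returns False for it
        return False
```

In a real deployment the DLP event would arrive via the SIEM integration described above, and the revocation would be pushed to the ZTNA gateway rather than a local dictionary.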
## Compliance Alignment
- **GDPR (General Data Protection Regulation):** ZTNA/DLP directly supports these requirements by ensuring that PII is identified (DLP) and access controls are strictly enforced based on necessity, reducing the risk of unauthorized processing or exposure.
- **NIST (Implied):** Aligns with Zero Trust Architecture principles (NIST SP 800-207), focusing on identity verification, least privilege, and continuous monitoring.
## Common Pitfalls to Avoid
- **Panic Shutdowns:** Avoid halting all IT operations as a knee-jerk reaction to an attack; this cripples business continuity far more than a prepared response built on modern security tools would.
- **Relying on Blended Trust:** Do not keep trusting a user implicitly once they have authenticated at the network perimeter; that implicit trust is the core failure of legacy VPNs.
- **Ignoring Data Location:** Attempting to secure access (ZTNA) before fully understanding *where* the sensitive data is located and what it entails (DLP). DLP must guide ZTNA.
## Resources
- **Frameworks:** Zero Trust Architecture (ZTA) principles (verify explicitly, use least privilege access, assume breach).
- **Tools Mentioned:** ZTNA Solutions, DLP Solutions, SIEM Tools (for integration).
- **Guidance Provided:** The phased implementation structure (Steps 1-4) serves as the primary step-by-step guide.