The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with US and international partners, released this Joint Report that urges organizations to move toward more robust security solutions, such as Secure Service Edge (SSE) and Secure Access Service Edge (SASE) that provide greater visibility of network activity. While this report does not cover the planning, architecture, or adaption needs for shifting to these solutions, it does call for organizations to shift away from traditional broad remote access deployments and provides best practices to help transition to modern solutions, such as SSE and SASE. Organizations are encouraged to carefully assess their security posture and perform a risk analysis before implementing any/all solutions to determine if these approaches fit their organization. Executive leadership, network defenders, and critical infrastructure organizations are provided with an overview and best practices of primarily cloud-based solutions that can support hybrid and on-premises implementation and incorporate a zero trust approach. Both information technology (IT) and operational technology (OT) network protections are provided in this report that covers a spectrum of network sensitivities and worst-case consequences of compromise. This report will help organizations better understand the vulnerabilities, threats, and practices associated with traditional remote access and VPN deployment, along with the inherent business risk posed to an organization’s network by remote access misconfiguration. Aligned with CISA’s cross-sector cybersecurity performance goals (CPGs), the best practices in this report will also help guide leaders with prioritizing the protection of their remote computing environment security while operating under the fundamental principles of least privilege. |