Telecommunications (security) Act (TSA): are VPNs the right solution for secure remote access?

Insight

By Rob Pocock, Technology Director, Red Helix

The initial deadline for the Telecommunications (Security) Act (TSA) 2021 is fast approaching. Drafted in response to our growing reliance on communications technology, and to help protect our networks from an expanding threat landscape, the Act is set to have a major impact on the UK’s approach to security and resilience in the telecoms industry.

The first of the deadlines requires all network operators in the tier 1 category (those with an annual turnover in excess of £1 billion) to action ‘the most straightforward and least resource intensive measures’ by March 31^st, 2024. While there is no explicit guidance as to what this means, one of the easier measures to action is the implementation of secure remote access – a necessary measure which will help prevent unauthorised access to telecoms networks and systems.

There are a couple of different solutions that operators can put in place to try and achieve this. The traditional approach would be to use a VPN. In fact, as part of the code of practice, included with the guidance on regulation 4 ‘Protection of data and network functions’, there is a recommendation to use exactly that. Yet, while a VPN may address some of the requirements within the legislation, it is now quite outdated technology and could fall short of achieving others.

To avoid further work later down the line, and to benefit from far more robust network access control, operators ought to consider implementing a Zero-Trust Network Access (ZTNA) solution instead. It is widely recognised as the successor to VPN technology, offering increased security by working to the assumption that all requests have hostile intentions, and uses US military-grade AES-256 encryption to keep connections secure.

The shortcomings of a VPN

VPNs have been around for several years, and work by creating an encrypted tunnel between a user’s device and the network. This creates a point-to-point connection that, in theory, cannot be accessed by unauthorised users. They have, however, seen little change since they first came about in 1996, and their effectiveness in the context of modern cyber security threats is being increasingly questioned.

There are two key reasons for this. Firstly, authentication requirements for the VPN itself are often very basic, requiring little more than a username and password. Secondly, they can make it difficult to control or prevent any over-privileged lateral movement once inside the network. Therefore, if a cyber criminal were to bypass the authentication requirements, there is a chance they’ll be able to access systems and data across the entire organisation.

Of course, using a VPN is no doubt better than not having any access controls in place whatsoever, but it is far from the most secure choice. A VPN is also unlikely to help operators meet some other the more stringent security measures required in the TSA. For example, regulation 7 identifies measures needed to reduce supply chain risks, and regulation 8 outlines further details on the measures required for the ‘prevention of unauthorised access or interference’, both of which would be hard to achieve full compliance with using a VPN alone.

Additionally, there is a section included in the TSA code of practice that states providers should establish the principle of ‘assumed compromise’. This means assuming that network oversight functions are subject to high-end attacks that may not have been detected, and to ensure there are measures in place to make it difficult for the attacker. As lateral movement can be hard to prevent with a VPN, this is another area in which they are lacking.

Improved access control through ZTNA

In contrast, ZTNA has been designed with assumed compromise in mind, operating on the principle that the network is always hostile. Trust is never implicit, meaning users are only granted access to the specific applications and resources they need; with granular policies to determine what, where and when information can be accessed.

Not only does this meet with the requirements outlined in regulation 4 for which a VPN was recommended, but it can go a long way to complying with some of the other regulations as well. ZTNA’s comprehensive approach to network security ticks off most of the measures outlined in regulation 8, alongside many of those included in regulation 7 – by providing control over what third-party suppliers have access to, and limiting any potential damage should they be compromised.

ZTNA is also likely to become more of a significant factor in obtaining or maintaining cyber insurance. Owing to the rise in severity and frequency of cyber attacks, insurers have continued to increase the requirements needed to pass the risk assessment process. While the exact standards may vary between insurance providers, strong access control is one that appears to feature often, and the use of ZTNA will go a long way in demonstrating this.

Ultimately, ZTNA represents a more forward-looking approach to access control, aligning with the broader trend in cyber security of moving towards a more adaptive, dynamic, and user-centric security model. With its emphasis on continuous verification and granular access policies, it is a more robust solution that hits a number of the TSA regulations and will provide operators with stronger protection across their networks.

A future-proof solution

As the first deadline for the TSA approaches, network operators are faced with a choice. Either use traditional VPN technology to achieve secure remote access or to implement the more advanced ZTNA.

Despite their long-standing presence within the industry, VPNs fall short in addressing modern cyber security challenges, owing to their basic authentication processes and limitations in controlling internal network movements. ZTNA, on the other hand, offers a robust solution operating under the principle of ‘assumed compromise’, ensuring stringent access controls and aligning with several of the TSA’s requirements.

While continuing to use a VPN may seem like the most straightforward approach, and can help operators to meet the first ‘least resource intensive’ deadline, it is likely to be only a temporary solution. ZTNA is an easy to implement alternative that offers a more comprehensive, adaptable, and future-proof strategy – so why settle for something inferior when the option for better security is already present?