VPNs, Zero Trust Network Access, and the Evolution of Secure Remote Work

Do virtual private networks (VPNs) slow your work down? When it comes to remote access, there are some tough decisions to make. However, they all boil down to the following:

  1. Simplify access as much as possible for your own users.
  2. Maximize access restrictions for unauthorized parties.

Until now, many organizations have relied on the traditional perimeter-centric network security model and used VPNs.

Read more: Best Threat Intelligence Platforms & Tools for 2021

VPNs Are Irrelevant

The main idea behind a VPN is to surround the network with a virtual perimeter, or in other words, a barrier to keep intruders out. However, in today’s decentralized environment, such a model is becoming increasingly difficult to manage.

Very few users need an equal level of access across the network. For example, third-party users (such as consultants) do not need access to the same applications or the same level of permissions as administrators.

Very few users need an equal level of access across the network.

VPNs are losing relevance as organizations move applications from the corporate network to the cloud, and the number of employees working remotely continues to grow. These changes affect the decision to use a VPN.

Let us look at several scenarios where traditional VPNs can fail. We’ll also touch upon a new security model that is easier to manage and provides more options for securing your network.

VPN Limitations

Many organizations have already realized that traditional VPNs and access controls designed to protect a closed perimeter are not enough in today’s environment, where remote employee access to internal company resources is prevalent.

Corporate networks are striving for decentralization. Remote and hybrid work models, as well as the need for third-party access, are spawning numerous help desk requests for remote network access.

In a perimeter-based, on-premises security architecture, passing all traffic through the data processing center can lead to increased response time and decreased productivity.

Read more: What Does a Next Generation Firewall Do?

BYOD Goes Beyond Control

Allowing access from unmanaged and non-corporate devices means your network and assets are accessed from unprotected endpoints that pose a risk and may be infected by malware and/or controlled by a hacker.

It is not always possible to identify and monitor such endpoints, ensure the installation of all necessary security updates, and eliminate the risk of infection. Having hacked such a device, an attacker can try to penetrate the network.

Lack of Secure Access to Cloud Applications

VPNs lack the flexibility they need in today’s IT environments. They are difficult to deploy in the cloud and generally do not fully provide secure access to cloud-based IaaS applications and solutions such as AWS, GCP, and Azure.

Excessive Access Rights for Third Parties

For third-party users, the use of a VPN can be completely prohibited by rules that prevent the installation of VPN clients on the devices of people who are not employees of the company.

Where such rules are missing, third-party users can get high privileges and thus gain an unreasonably high level of trust. This simplifies access to company assets and confidential information for malicious actors.

Read more: Top Cyber Security Threats to Organizations

Insufficient Network or Application Management Capabilities

The perimeter-based security model that a VPN offers is simple, but it takes away the flexibility. A VPN lacks granular access control options touching a number of key areas. This creates a lot of problems. Here are just a few of them:

  1. Authorization and access control at the network level does not allow for granular control to be set up.
  2. Potential risk of lateral movement and detection of confidential assets.
  3. Lack of centralized application management.
  4. Lack of built-in controls over user permissions.

Businesses Search for VPN Alternatives

Back in the day, when most users were in offices and almost all applications were hosted on local servers, VPNs were a great solution.

Hackers know that if they can bypass network defenses, they will face little resistance from internal systems.

However, data security is at serious risk today. Hackers know that if they can bypass network defenses, they will face little resistance from internal systems. Using VPNs and firewalls can create overconfidence in network security.

According to Gartner’s forecast, by 2023, up to 60% of enterprises will abandon VPN in favor of Zero Trust Network Access.

Adopt a Zero Trust Approach

VPN issues have raised awareness of the need for a security model that prevents trusted users from freely roaming the corporate network. The Zero Trust security model aims to meet this need.

Approved by influential organizations such as the US Department of Defense, the Zero Trust model implements the “Never Trust, Always Check” principle.

This model makes it possible to implement a scenario in which the required minimum of access rights to the application for the particular role are granted only to the appropriate persons. Ideally, this provides controls built into the applications themselves, as well as the ability to track user activity after logging in.

Read more: Why You Should Implement Zero Trust Security in 2021

The Zero Trust model is more of a mindset, or a new paradigm, than a specific tool. There is no standalone solution to implement Zero Trust principles. Zero Trust encompasses the following:

  • Limited access at the level of individual applications
  • Authentication of each device and user

The Zero Trust model is difficult to deploy, but nevertheless, most organizations will switch to it sooner or later. The Zero Trust model can be implemented incrementally, group by group or application by application, but you should always consider the end-user experience.

Zero Trust Network Access

Choosing the right tools can greatly simplify and accelerate the transition to a Zero Trust architecture. Gartner has extended the concept of Zero Trust by defining an architecture called Zero Trust Network Access (ZTNA). The company defines ZTNA as “a product or service that creates an identity- and context-based, logical access boundary around an application or set of applications.”

Simply put, ZTNA replaces network-level permissions with application-specific permissions. It uses identity-based access control and contextual authentication. It considers user groups or roles, multi-factor authentication, IP addresses, locations, and time factors.

Simply put, ZTNA replaces network-level permissions with application-specific permissions.

Gartner’s definition continues: “The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities.” This can be implemented in a cloud-based ZTNA-as-a-service solution that makes the network invisible from the public internet segment.

Such a solution acts as a cloud demilitarized zone that “hides” the data center. The trust broker allows or denies access to specific applications on a case-by-case basis.

“The broker verifies the identity, context and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network,” Gartner says. By providing access only to the requested resource, the risk of a lateral movement attack is eliminated, because users only see the applications they are allowed to access.

All other applications are hidden for them. It can be implemented, for example, through a personalized portal that makes available only those applications that a particular user has access to. As Gartner notes, “This removes application assets from public visibility and significantly reduces the surface area for attack.”

Accelerate the Transition to Zero Trust

There are many reasons to accelerate the transition to the Zero Trust model. Companies are already struggling with VPNs as they grow and move to hybrid cloud environments, especially now that working from home has become commonplace.

Many of them are already contemplating a transition to a Zero Trust model for security and compliance reasons, seeking to enhance the protection of the organization’s assets.

Read next: How To Implement Zero Trust Security: Learn 7 Key Technologies & Strategies

David Balaban
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity and Privacy PC, two projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.

Latest Articles