man typing on a laptop computer
PHOTO: Thomas Lefebvre on Unsplash.

With so many now reliant on a remote workforce, the use of virtual private networks, or VPNs, is at an all-time high as businesses look to keep proprietary information and sensitive communications secure. But some security experts express concern over what they consider an outdated technology and are turning to a Zero Trust model for corporate network access.

Here we take a look at the inadequacies of VPN and why it may be in an organization's best interests and the best interests of customers, to switch to a Zero Trust model of security.

What Is Zero Trust?

The Zero Trust model is basically just like it sounds — never trust and always verify. Rather than assuming that everything that occurs behind the corporate firewall is safe and secure, the Zero Trust model assumes that breaches happen and verifies each request, no matter where it originates, as though it is coming from an open network. Every access request is authenticated, authorized and encrypted before access is granted. This is the opposite of traditional security models such as the VPN, whose motto could be said to be “trust but verify.”

Scott Gordon, CISSP and chief marketing officer at Pulse Secure, said Zero Trust differs from the traditional VPN model of security in the way it continually authenticates all users or devices that attempt to access the network, whereas VPN uses a one-time authentication process and assumes all is well if the user is within the network. 

“Zero Trust is a security framework rooted in the concept of the verification of all users, devices and applications attempting to access corporate networks, and continually assessing the security posture of those entities throughout the session," he said. "VPN is more IP-based, with control and security data passing through a VPN concentrator, which then directs traffic to a specific network, network segment or application.”

A recent report by Pulse Secure and Enterprise Management Associates (EMA) revealed that 60% of organizations have accelerated Zero Trust projects in response to COVID-19. The report also indicated that enterprise businesses were positive about their Zero Trust networking, with 50% saying they were successful and 44% reporting they were somewhat successful.

Related Article: The Growing Importance of Data Management in the Digital Workplace

What Is Wrong With VPN?

The perimeter methodology that VPN relies on makes it particularly vulnerable to attackers, said Steve Tcherchian, chief information security officer at XYPRO, a cybersecurity analytics company, by giving users and devices unfettered access to the network once they have been identified and authenticated at the perimeter. “Attackers love this," he said. "Once they’re in, they can spend as much time as they need to move around from device to device. In some cases, once authenticated to the VPN, this could mean access to thousands of devices.” 

Tcherchian said several recent data breaches can be attributed to this methodology of trust, and it enabled attackers to gain access to everything the vendor or contractor had done in the past. “This is no longer a sustainable security strategy," he said. "Moving to a Zero Trust model removes that layer of perimeter security. Every user and device, whether outside the VPN or inside no longer has access to devices. Even if they’re inside the VPN, there is no access unless explicitly granted on an as-needed basis.”

Tarun Desikan, COO of Banyan Security, said VPN is an outdated technology that was developed over 20 years ago to expand trusted networks with a goal of connecting corporate officers into a unified network. VPN technology was later expanded to support a relatively small percentage of users that had specific remote access needs. 

Because cloud-based enterprise data and applications are often separate from that network and many employees and contractors are now working remotely using a variety of devices, including corporate, BYOD and unmanaged devices, a VPN exposes them to potential security threats. “In the end, VPNs were not meant for such environments and hackers are exploiting VPN flaws every day," Desikan said. "VPN vulnerabilities pose a serious security risk with a tangible business impact.” 

This forced businesses to take a hard look at more secure technologies that support remote workers and multiple devices. “Enterprises are moving away from the traditional VPN to modern alternatives based on Zero Trust Network Access (ZTNA)," he said. "The core principle of Zero Trust is to reduce the reliance on network security by enforcing stronger user, device and application posture."

How Does a Zero Trust Network Work?

The Zero Trust network extends the single security boundary of the VPN to include “additional dimensions of protection and detection around network-based connectivity, the endpoints doing the connecting, the applications being served up, the user accounts themselves, and the data itself,” said Chris Williams, cyber solution architect at Capgemini North America.

There are several core principles of Zero Trust methodology:

  • Revisit all default access controls. There are zero trusted sources either inside the network or outside the network.
  • Use a variety of preventative techniques. Multi-factor authentication, least-privilege access and micro-segmentation are all used proactively.
  • Use real-time monitoring to identify malicious activity immediately. Real-time monitoring enables brands to react immediately to the initial breach.
  • Security at the core of business practices. The brand must be built around a 360-degree approach to security strategy.

Since we exist in a world with hyper-connected networks, network trust is critical for establishing Zero Trust, said Nigel Thompson, vice president of product marketing at BlackBerry. Rules-based perimeter definitions are no longer good enough to maintain secure networks with so many companies moving to the cloud and using mobile and Wi-Fi networks. The network itself should be viewed as a dynamic and ever-evolving entity.

“Moreover, the outdated concept of people and devices being trusted simply based on permission to access the network has proven time and again to be the weakest point in network security,” Thompson said. “Ironically, traditional VPN gateways can make this problem worse by bringing traffic from BYO devices that are destined for the cloud inside the enterprise perimeter, exposing internal networks to lateral traversal threats only to send it back out again anyway.” 

Thompson said next-generation secure web gateways and service-based network segmentation technologies become a foundational element of Zero Trust architecture because of the need to adapt to the dynamic network concept and deal with the continually changing risks that come with the use of cloud services, mobile devices, Wi-Fi networks and BYOD policies.

“This is based on their ability to dynamically adapt not only to the risk of the network itself but also the people, devices and apps accessing and using it, both at the time of initial access and throughout the app usage lifecycle,” he said.

Related Article: Is Your Business Data Safe in Slack and Microsoft Teams?

The Challenges of Zero Trust

The complexity of achieving Zero Trust is its greatest challenge, especially because it is a methodology, not a technology, and involves many different technologies that all need to work in conjunction with one another. 

"Even a simple Zero Trust implementation requires robust underlying Identity and Access Management (IAM) and enterprise monitoring infrastructures," Williams said. "A comprehensive Zero Trust solution that includes network, endpoint, application, user account and data protection can involve a dozen technologies or more, all working together.”

In the Pulse Secure survey, 33% of those polled that were in Zero Trust task forces and partnerships struggled with cross-team skills gaps. One-third cited a lack of tools and processes that might facilitate collaboration, and budget conflicts affected another 31%. Other challenges include:

  • Multiple types of users, including both in-office and remote employees.
  • A myriad of devices.
  • Multiple types of applications.
  • Many varieties of data storage devices and services.
  • Legacy system incompatibilities.
  • Current peer-to-peer and distributed systems.
  • Siloed data that needs to be properly segmented.

Gordon said the process of moving to a Zero Trust model begins by considering the extent a business will be moving applications and services to the cloud along with investment and process details which need to be decided upon. Many businesses already have a serious investment in VPN and virtual desktop infrastructure solutions because they knew it would be convenient to manage and support their existing applications and security ecosystem.

“Furthermore, that investment decision is also aligned within their budget and depreciation expectations," he said. "As such, the majority of organizations will need to determine how to offset the investment.”

The most pragmatic approach is to look for Zero Trust solutions that can co-exist with existing secure access investments, Gordon said. This would provide greater deployment flexibility as the business migrates applications to the private and public cloud. 

In today’s customer-centric climate, companies can't afford to take security risks that may open doors to corporate and customer data theft. The traditional VPN has security vulnerabilities that enable hackers to gain access to all of a company's systems and data. By using Zero Trust Network Access, they can ensure that every attempt to access corporate networks and applications will be verified and authenticated in real time, whether they come from inside or outside the network.