
It’s Time to Ditch VPNs and move to Zero Trust Network Access for Remote Access

by Leo Versola

Posted on August 26, 2021

For many years Virtual Private Networks (VPNs) have been the dominant technology for enabling remote access. In this post we’ll explore why the time is right for most companies to make the switch from VPNs to a Zero Trust-based approach.

VPN Basics

VPNs were first introduced in 1995, when a consortium of companies led by Microsoft released the Point-to-Point Tunneling Protocol (PPTP), a protocol that creates a secure connection between users by establishing a tunnel across a Local Area Network (LAN) or Wide Area Network (WAN) through which encrypted data can move.

Businesses and governments quickly adopted VPNs as a way to provide users with remote access to an internal network via the internet. VPNs have found wide use for other purposes as well. Consumers often use VPNs to access the internet because they provide a greater level of security and allow users in countries that restrict internet access, such as China, to bypass government restrictions. They also allow users to bypass geolocation restrictions imposed by vendors and other website owners. For example, streaming services enforce content licensing restrictions by blocking access for users outside the geographical area to which their licenses apply. Users outside those areas may use a VPN to mask their locations. By appearing to the streaming service as a local user, they (illicitly) gain access to the restricted content.

The corporate VPN was created long before cloud computing and software-as-a-service (SaaS) existed. VPNs were developed in an era when corporate data was stored primarily (if not entirely) on internal corporate networks. Remote working was somewhat rare, limited for the most part to salespeople travelling among customers and prospects. Companies used VPNs to let these salespeople and other occasionally remote users jump onto the corporate network and access network resources as if they were in the office. For the most part, software resided on users’ laptops; typically, the only resources they accessed via the VPN were data.

Over the years, numerous VPN protocols have been developed beyond PPTP, including SSL and IPSec, the protocols that are used most commonly today. Secure Sockets Layer (SSL), and its successor TLS, protects most websites on the internet today. When you shop online, for instance, SSL/TLS secures the transfer of sensitive information such as your credit card number to the vendor; an SSL VPN applies the same protocol to tunnel remote-access traffic.

Another protocol commonly used in VPNs is IPSec. Using a four-step process, IPSec authenticates the origin of the data, encrypts it, verifies its integrity, and finally manages its reception and decryption.

The Downsides of VPNs

VPNs weren’t designed for today’s environment, which features many remote workers and extensive use of SaaS apps and cloud services. In fact, even before the pandemic-spurred mass move to work-from-home, VPNs were no longer able to serve the diverse remote access needs of today’s businesses and users.

Many issues inherent in VPNs make them insecure and inconvenient for organizations today.

Open ports

VPN concentrators (the network devices that terminate VPN connections) rely on ports that are left open to the internet so that users can establish VPN connections. Cybercriminals scan for these open ports and use them as a path into networks.

Network-level access

Users connect through the VPN client, but once they’re inside the perimeter, and in the absence of other security controls, they have broad access to the network, which exposes it to threats. The same is true for cybercriminals if they gain access. This inherent architectural weakness places an organization’s data, applications, and intellectual property at risk.

Weak authentication

VPNs rely heavily on user credentials. Thanks to poor password practices, VPNs are often successfully penetrated via brute force attacks. Often, however, even the effort involved in such an attack is not needed. Login credentials are the primary targets of many phishing and social engineering attacks. Moreover, criminals need not even bother to steal user credentials themselves: millions of stolen user credentials are available for sale on the dark web. With an open port and a set of stolen credentials, hackers can quickly and easily infiltrate a network. Even two-factor authentication codes can be captured.

Software vulnerabilities

Over the years, many leading VPN solutions such as FortiGate and Pulse Secure – the list is long – were found to have software flaws that cybercriminals were able to exploit. Far too many companies are negligent about installing software patches as soon as they come out, or delay installation of patches that are likely to “break” integrations. Unpatched VPNs thus leave organizations vulnerable to attack even when vendors issue patches promptly.

Inflexible architecture

VPNs were designed to connect users to networks. In today’s hybrid cloud environment, where users both in the office and working from home work extensively with SaaS apps and cloud-based resources on public and private clouds, as well as resources on company servers, it’s difficult to provide consistent security to all destinations using VPNs. Routing all traffic through the VPN to apply security controls is cumbersome when much of the workload is not handled on the internal network.

Poor performance

VPN concentrators create chokepoints that can slow down performance, creating a poor user experience.

Inconvenient

Beyond the slowdowns and unexpected disconnections that inconvenience users, VPNs are problematic for organizations’ IT staff as well.

  • VPNs are expensive and time-consuming to scale
  • They have poor interoperability with IT, security, and business systems
  • They create complexity in firewall and policy management
  • They typically require clients to be installed on each laptop and personal user device, which is both inconvenient and a security vulnerability

The Zero Trust Model

The continuing onslaught of cyberattacks in recent years has overwhelmed conventional approaches to network security based on legacy technologies such as VPNs. In the wake of a growing number of very expensive, crippling cyberattacks, it’s become clear that the conventional approaches to cybersecurity aren’t enough, and that in many cases, such as the Colonial Pipeline attack, VPN-related issues were key enablers.

Under the castle-with-a-moat security model, VPNs were valued as part of a strong perimeter, along with the firewalls, antivirus and anti-malware software that defended the perimeter “walls.” VPNs served as a path to enable remote work and were secured with user credentials. Easy-to-break passwords, stolen credentials, software vulnerabilities (including zero-day exploits), and sophisticated phishing and spear-phishing attacks, however, opened gaps in those perimeter walls, resulting in data breaches and ransomware attacks.

More to the point, however, is the obsolescence of the perimeter concept, which divides the working environment into a dangerous “outside” and a safe “inside.” In keeping with the central role the web, SaaS apps, and both public and private clouds play for business today, Zero Trust eliminates the in/out distinction and views everything and everyone with suspicion. Zero Trust security treats internal traffic as potentially dangerous, just like traffic originating from remote workers.

While the basic Zero Trust security concepts were introduced over a decade ago, it is only in the last few years that the dissolution of the business perimeter has confirmed the Zero Trust model as the security paradigm of choice.

In contrast to VPN-based remote access, compliance with Zero Trust security concepts of least privilege access and “never trust, always verify” requires remote user access to be strictly limited to the specific resources each user needs. Moreover, Zero Trust security requires user authentication and validation for each individual resource.

Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) represents a new conceptual approach to remote access. In place of a perimeter based on the physical location of the company’s servers, ZTNA enforces virtual perimeters that are uniquely defined and leverage per-user policies to enforce least privilege access for each individual user. Least privilege access minimizes potential damage resulting from data breaches, brute force attacks and stolen credentials, in keeping with “assume breach,” the third principle of Zero Trust security.

Least privilege protections cover (at least) two different scenarios. In the event that someone does manage to hack into your environment, either with stolen credentials or in a brute force attack, the damage is limited to the applications that the user was permitted to access. It also provides some protection from “malicious insiders,” an employee or vendor who has legitimate access, but who may be interested in either stealing corporate data or harming the organization.

Ideally, ZTNA is used in a comprehensive manner, for both remote work and for users accessing the network while onsite, and to provide Zero Trust protection for apps and data wherever they are located, on company servers or in the cloud.

ZTNA can – and should – be implemented with multi-factor authentication. Ideally, to ease the burden on users, sign-on should be enabled via Single Sign On (SSO), a technology allowing users to log in once each day (or until they have been inactive for a significant period of time) with one set of credentials to gain access to all their apps. This enhances security by reducing the attack surface: reducing the number of occasions when credentials are entered reduces the opportunities for them to be compromised as well.
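To make the contrast between VPN network-level access and ZTNA’s per-user, per-resource least privilege concrete, here is an added illustration (not ZTEdge’s code or the post’s own) of a ZTNA-style policy decision point: every request re-checks the SSO session, MFA status and a per-user application policy, and the blast radius of one stolen credential is compared with what a VPN would expose. The session limits, user names, applications and hosts are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass

# Assumed session limits (the post gives none): re-authenticate at least once a day,
# and drop sessions that have been idle for a significant period.
SESSION_MAX_AGE = 24 * 3600      # seconds
IDLE_TIMEOUT = 30 * 60           # seconds

@dataclass
class Session:
    """An SSO session as the ZTNA broker sees it; timestamps are epoch seconds."""
    user: str
    mfa_verified: bool
    issued_at: int
    last_seen: int

# Constructed per-user, per-application policy: app -> users entitled to reach it.
APP_POLICY = {
    "crm": {"alice", "bob"},
    "payroll": {"alice"},
    "git": {"bob"},
}
# Constructed flat internal network, i.e. everything a VPN exposes once connected.
INTERNAL_HOSTS = {"crm", "payroll", "git", "file-server", "db-01"}

def ztna_decide(session: Session, app: str, now: int) -> tuple[bool, str]:
    """Decide one request: identity, MFA and session state are re-checked per resource."""
    if not session.mfa_verified:
        return False, "mfa_required"
    if now - session.issued_at > SESSION_MAX_AGE:
        return False, "session_expired"
    if now - session.last_seen > IDLE_TIMEOUT:
        return False, "idle_timeout"
    if session.user not in APP_POLICY.get(app, set()):
        return False, "not_entitled"
    return True, "allow"

def reachable_via_vpn(session: Session) -> set[str]:
    """Network-level access: one successful login exposes every internal host."""
    return set(INTERNAL_HOSTS) if session.mfa_verified else set()

def reachable_via_ztna(session: Session, now: int) -> set[str]:
    """Application-level access: only the apps this user's policy allows right now."""
    return {app for app in APP_POLICY if ztna_decide(session, app, now)[0]}

def blast_radius(session: Session, now: int) -> dict[str, int]:
    """Resources a compromised credential for this user could reach under each model."""
    return {"vpn": len(reachable_via_vpn(session)),
            "ztna": len(reachable_via_ztna(session, now))}
```

With Bob’s credentials stolen, the VPN model exposes all five internal hosts while the ZTNA policy exposes only the two applications Bob is entitled to, and an idle or expired session is refused outright.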

VPN vs ZTNA, In Short

To summarize, ZTNA offers several benefits over VPN:

  • More secure – sets the perimeter around apps and users, not physical hardware
  • Comprehensive – cloud-based as well as internal server-based resources for both remote workers and users onsite
  • Simpler to manage – designed from the ground up for today’s network topologies for high performance and easy integration
  • Better performance – cloud-based ZTNA solutions, such as ZTEdge, bring authentication enforcement close to the user, eliminating chokepoints associated with VPNs
  • Simpler to scale – cloud-based ZTNA requires no equipment and scales instantly

Implementing ZTNA

ZTNA is an essential element of a comprehensive Zero Trust solution. While security experts recommend migrating to a comprehensive Zero Trust solution, rather than implementing Zero Trust on a piecemeal basis, for organizations that prefer a more gradual approach, ZTNA is an ideal place to start.

ZTEdge’s ZTNA solution provides simplified remote application access along with all of the benefits of ZTNA mentioned above. As a SASE platform designed especially for midsize enterprises and small businesses, ZTEdge makes it easy to implement Zero Trust gradually, at the pace that is right for many organizations.

Contact us today to hear just how quick and easy it can be to ditch your vulnerable VPNs and move to a Zero Trust security approach, starting with ZTNA.



About Leo Versola

For over 25 years, Leo has executed on strategic business vision and technical leadership with a wide range of start-ups and established cybersecurity companies in various senior leadership roles. Leo’s expertise in enterprise, cloud and SaaS security enabled him to build and lead high-performance technical teams driving product development, technical innovation, and sales for a number of companies including VMware, Lastline, Zscaler, Barracuda Networks, Forcepoint, RedSeal Networks, Fortinet, Juniper, and NetScreen.
