by Leo Versola
Posted on August 26, 2021
For many years Virtual Private Networks (VPNs) have been the dominant technology for enabling remote access. In this post we’ll explore why the time is right for most companies to make the switch from VPNs to a Zero Trust-based approach.
VPNs were first introduced in 1995, when a consortium of companies led by Microsoft released Point-to-Point Tunneling Protocol (PPTP), a protocol that allowed the creation of a secure network between users by establishing a tunnel over a Local Area Network (LAN) or Wide Area Network (WAN) to enable movement of encrypted data through the tunnel.
Businesses and governments quickly adopted VPNs as a way to provide users with remote access to an internal network via the internet. VPNs have found wide use for other purposes as well: consumers often use VPNs to access the internet because they provide a greater level of security and allow users in countries that restrict internet access, such as China, to bypass government restrictions. They also allow users to bypass geolocation restrictions imposed by vendors and other website owners. For example, streaming services enforce content licensing restrictions by blocking access for users outside the geographical area to which their licenses apply. Users in those areas may use a VPN to mask their locations. By appearing to the streaming service as a local user, they (illicitly) gain access to the restricted content.
The corporate VPN was created long before cloud computing and software-as-a-service (SaaS) existed. VPNs were developed in an era when corporate data was stored primarily (if not entirely) on internal corporate networks. Remote working was somewhat rare, limited for the most part to salespeople while they travelled among customers and prospects. Companies used VPNs to provide remote access for these salespeople and other occasionally remote users to jump onto the corporate network and access network resources as if they were in the office. For the most part, software resided on users’ laptops. Typically, the only resources they accessed via the VPN were data.
Over the years, numerous VPN protocols have been developed beyond PPTP, including SSL and IPSec, the protocols that are used most commonly today. Secure Sockets Layer (SSL) protects most websites on the internet today. When you shop online, for instance, an SSL VPN secures the transfer of sensitive information such as your credit card number to the vendor.
Another protocol commonly used in VPNs is IPSec. Using a four-step process, IPSec authenticates the origin of the data, encrypts it, checks the data, and finally manages its reception and decryption.
VPNs weren’t designed for today’s environment, which features many remote workers and extensive use of SaaS apps and cloud services. In fact, even before the pandemic-spurred mass move to work-from-home, VPNs were no longer able to serve the diverse remote access needs of today’s businesses and users.
Many issues inherent in VPNs make them insecure and inconvenient for organizations today.
VPN concentrators (the networking device that creates the VPN connections) rely on open ports that users access to establish VPN connections. Cybercriminals scan for these open ports and leverage them as a path to enter networks.
Users connect through the VPN client, but once they’re inside the perimeter, and in the absence of other security solutions in place, they have broad access to the network, which exposes it to threats. The same is true for cybercriminals if they gain access. This inherent architectural weakness places an organization’s data, applications, and intellectual property at risk.
VPNs rely heavily on user credentials. Thanks to poor password practices, VPNs are often successfully penetrated via brute force attacks. Often, however, even the effort involved in such an attack is not needed: login credentials are primary targets of many phishing and social engineering attacks, and millions of stolen user credentials are available for sale on the dark web, so criminals need not even bother to steal them themselves. With an open port and a set of stolen credentials, hackers can quickly and easily infiltrate a network. Even two-factor authentication codes can be captured.
Over the years, many leading VPN solutions such as FortiGate and Pulse Secure – the list is long – were found to have software flaws that cybercriminals were able to exploit. Far too many companies are negligent about installing software patches as soon as they come out, or delay installation of patches that are likely to “break” integrations. Unpatched VPNs thus leave organizations vulnerable to attack even when vendors issue patches promptly.
VPNs were designed to connect users to networks. In today’s hybrid cloud environment, where users both in the office and working from home work extensively with SaaS apps and cloud-based resources on public and private clouds, as well as resources on company servers, it’s difficult to provide consistent security to all destinations using VPNs. Routing all traffic through the VPN to apply security controls is cumbersome when much of the workload is not handled on the internal network.
VPN concentrators create chokepoints that can slow down performance, creating a poor user experience.
Beyond the slowdowns and unexpected disconnections that inconvenience users, VPNs are problematic for organizations’ IT staff as well.
The continuing onslaught of cyberattacks in recent years has overwhelmed conventional approaches to network security based on legacy technologies such as VPNs. In the wake of a growing number of very expensive, crippling cyberattacks, it’s become clear that the conventional approaches to cybersecurity aren’t enough, and that in many cases, such as the Colonial Pipeline attack, VPN-related issues were key enablers.
Under the castle-with-a-moat security model, VPNs were valued as part of a strong perimeter, along with firewalls, antivirus and anti-malware software that defended the perimeter “walls.” VPNs served as a path to enable remote work and were secured with user credentials. Easy-to-break passwords chosen by users, stolen credentials, software vulnerabilities (including zero-day exploits), and sophisticated phishing and spear phishing attacks, however, opened gaps in those perimeter walls, resulting in data breaches and ransomware attacks.
More to the point, however, is the obsolescence of the perimeter concept which divides work surfaces into a dangerous “outside” and a safe “inside.” In keeping with the central role the web, SaaS apps, and both public and private clouds play for business today, Zero Trust eliminates the in/out distinction and views everything and everyone with suspicion. Zero Trust security treats internal traffic as potentially dangerous, along with traffic originating from remote workers.
While the basic Zero Trust security concepts were introduced over a decade ago, it is only in the last few years that the dissolution of the business perimeter has confirmed the Zero Trust security model as the security paradigm of choice.
In contrast to VPN-based remote access, compliance with Zero Trust security concepts of least privilege access and “never trust, always verify” requires remote user access to be strictly limited to the specific resources each user needs. Moreover, Zero Trust security requires user authentication and validation for each individual resource.
Zero Trust Network Access (ZTNA) represents a new conceptual approach to remote access. In place of a perimeter based on the physical location of the company’s servers, ZTNA enforces virtual perimeters that are uniquely defined and leverage per-user policies to enforce least privilege access for each individual user. Least privilege access minimizes potential damage resulting from data breaches, brute force attacks and stolen credentials, in keeping with “assume breach,” the third principle of Zero Trust security.
Least privilege protections cover (at least) two different scenarios. In the event that someone does manage to hack into your environment, either with stolen credentials or in a brute force attack, the damage is limited to the applications that the user was permitted to access. It also provides some protection from “malicious insiders,” an employee or vendor who has legitimate access, but who may be interested in either stealing corporate data or harming the organization.
Ideally, ZTNA is used in a comprehensive manner, for both remote work and for users accessing the network while onsite, and to provide Zero Trust protection for apps and data wherever they are located, on company servers or in the cloud.
ZTNA can – and should – be implemented with multi-factor authentication. Ideally, to ease the burden on users, sign-on should be enabled via Single Sign On (SSO), a technology allowing users to log in once each day (or until they have been inactive for a significant period of time) with one set of credentials to gain access to all their apps. This enhances security by reducing the number of attack surfaces: reducing the number of occasions when credentials are entered reduces the opportunities for them to be compromised as well.
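The per-resource, default-deny evaluation described above (least privilege, MFA, and an SSO session that lapses after inactivity) can be sketched as a small policy decision point. This is an added example, not code from the original post or from ZTEdge; the 30-minute idle limit, the fixed clock, and the users and resources are constructed assumptions. It also contrasts the blast radius of one stolen credential under a flat VPN-style network against the ZTNA allowlist.

```python
# Added example, not from the original post: a minimal ZTNA-style policy
# decision point. Every request is checked per user and per resource
# (default deny), and the blast radius of a stolen credential is compared
# against a flat VPN-style network where any valid login reaches everything.
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumptions: a 30-minute SSO idle timeout and a fixed "current time".
INACTIVITY_LIMIT = timedelta(minutes=30)
NOW = datetime(2021, 8, 26, 12, 0, 0)

# Constructed sample data: internal resources and per-user allowlists.
ALL_RESOURCES = {"hr-portal", "git-server", "finance-db", "file-share"}
ALLOWLIST = {
    "alice": {"hr-portal", "file-share"},
    "bob": {"git-server", "file-share"},
}


@dataclass
class Session:
    user: str
    mfa_verified: bool
    last_activity: datetime


def make_session(user, mfa_verified=True, idle_minutes=0):
    """Build a session whose last activity was idle_minutes before NOW."""
    return Session(user, mfa_verified, NOW - timedelta(minutes=idle_minutes))


def ztna_decide(session, resource, now=NOW):
    """Return (allowed, reason). Every check must pass; anything else is denied."""
    if now - session.last_activity > INACTIVITY_LIMIT:
        return False, "session expired by inactivity"
    if not session.mfa_verified:
        return False, "mfa required"
    if resource not in ALL_RESOURCES:
        return False, "unknown resource"
    if resource not in ALLOWLIST.get(session.user, set()):
        return False, "not in user's allowlist"
    session.last_activity = now  # a successful access refreshes the idle timer
    return True, "allowed"


def blast_radius(session, model, now=NOW):
    """Resources reachable by whoever holds this session's credentials."""
    if model == "vpn":
        return set(ALL_RESOURCES)  # flat network behind the concentrator
    return {r for r in sorted(ALL_RESOURCES) if ztna_decide(session, r, now)[0]}
```

Each denial carries a reason so the decision can be logged and alerted on; the ZTNA blast radius for a compromised account is exactly that account's allowlist, not the whole network.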
To summarize, ZTNA offers several benefits over VPN:
ZTNA is an essential element of a comprehensive Zero Trust solution. While security experts recommend migrating to a comprehensive Zero Trust solution, rather than implementing Zero Trust on a piecemeal basis, for organizations that prefer a more gradual approach, ZTNA is an ideal place to start.
ZTEdge’s ZTNA solution provides simplified remote application access along with all of the benefits of ZTNA mentioned above. As a SASE platform designed especially for midsize enterprises and small businesses, ZTEdge makes it easy to implement Zero Trust gradually, at the pace that is right for many organizations.
Contact us today to hear just how quick and easy it can be to ditch your vulnerable VPNs and move to a Zero Trust security approach, starting with ZTNA.