Jul 01 2020

The VPN Is Obsolete. Here’s What to Do Instead.

Businesses that transition to a zero-trust security architecture find they have little use for their old virtual private networks.

The virtual private network has been a vital enabler of remote work for decades. But the technology, invented in 1996, is getting a bit long in the tooth. And when too many people are on a VPN simultaneously, as has been the case all summer with most businesses, issues with application latency are inevitable.

The good news is, there’s a better way for modern businesses to protect their networks no matter how many remote workers they have.

Tunnel to the Network

VPNs fit into the perimeter protection model of cybersecurity. Years ago, it was common for security professionals to describe networks as having “hard outer shells and soft chewy interiors.” This phrase meant that businesses focused primarily on building walls around networks designed to protect the trusted resources on the inside from threat actors. This approach required robust firewalls designed to keep out virtually all traffic from the internet.

Of course, even in that world, some employees needed to work remotely. VPN technology stepped up to meet that need. Users who required access to internal systems would connect to the VPN and use encryption to build a secure tunnel across the internet into the corporate network, where they became part of the trusted interior and could go about their business.

But times have changed. In the current era, three forces have combined to render the perimeter protection approach outdated: the advent of cloud computing, the ubiquity of mobility and the rise of telecommuting. All these have chipped away at the idea of a sealed perimeter. 

Think about it: Where should an organization draw its perimeter today? Sure, the systems located in the business’s office building would live inside the perimeter, but what about the vice president of sales who’s almost never in the office? What about the cloud-based enterprise resource planning solution that contains some of the organization’s most sensitive data? How about the smartphones used by the field engineering team? 

The other major disadvantage created by VPNs is that they actually offer users too much access. The idea of having “trusted” and “untrusted” network zones paints every user and device with a broad brush. It’s either dangerous or safe, a completely trusted friend or a dangerous enemy. When any remote user connects to the VPN, they’re almost certainly granted far more access than they actually need. Thus, we’re brought to the fundamental flaw of relying upon VPNs to create zones of trust.


Zero Trust Is a Stronger Defense

The zero-trust model is the alternative to the network perimeter approach. Instead of placing all-or-nothing trust in devices based upon their network location, the zero-trust model begins with the assumption that nothing is trusted based solely upon its IP address and every action requires authorization. Zero trust increases our ability to create highly granular access control mechanisms that tailor the access granted to each user and device based upon role and business requirements.

This isn’t a new idea. Indeed, anyone who has ever studied cybersecurity knows about the least-privilege principle, which states users should be granted only the smallest set of permissions necessary to carry out their work. Similarly, the default-deny principle states that every action that is not explicitly allowed should be prohibited.

While security professionals have long embraced these ideals, the reality is that businesses’ access control systems have made it almost impossible to implement them. The zero-trust paradigm allows these principles to at last be put into action.


The share of IT security teams globally that have or are in the process of implementing a zero-trust security model.

Source: Cybersecurity Insiders, “Zero Trust Adoption Report,” November 2019

Focus on Identity and Access Management

Of course, that’s easier said than done. Least-privilege approaches haven’t been widely implemented because they are very difficult to put in place without a strong identity and access management solution. Fortunately, technology is advancing in this area, and most organizations have already moved from legacy IAM approaches to modern solutions that facilitate granular privilege management. Using these tools, administrators can still create role-based access policies but do so in a granular way that makes them more secure and less cumbersome to administer.

Multifactor authentication is also essential to the implementation of a zero-trust model. If an organization is going to place a tremendous dependence on the identity of a user when making access decisions, it needs to have tremendous confidence that users are who they claim to be. The old knowledge-based password authentication model simply doesn’t provide the level of assurance needed to make these decisions confidently. Organizations that have not already made the shift to full-scale MFA deployments should put that project at the top of their priority list.
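To make the contrast concrete, here is an added example (not from the original article) that runs the same three requests through a perimeter-style check and a zero-trust check built on default deny, role-based grants and MFA. The address range, roles, resource names and users are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed values: the VPN address pool, roles and resources are assumptions.
TRUSTED_NET = ipaddress.ip_network("10.0.0.0/8")

# Explicit grants: (role, resource) -> allowed actions. Anything absent is denied.
POLICY = {
    ("sales", "crm"): {"read", "write"},
    ("sales", "erp"): {"read"},
    ("engineer", "build-server"): {"read", "write"},
}

@dataclass(frozen=True)
class Request:
    user: str
    role: str
    mfa_verified: bool
    source_ip: str
    resource: str
    action: str

def perimeter_decision(req: Request) -> bool:
    """Perimeter model: being inside the trusted network is the only check."""
    return ipaddress.ip_address(req.source_ip) in TRUSTED_NET

def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Zero trust: default deny; MFA-backed identity and role decide, not the IP."""
    if not req.mfa_verified:
        return False, "identity not confirmed by MFA"
    if req.action not in POLICY.get((req.role, req.resource), set()):
        return False, "no explicit grant (default deny)"
    return True, "explicit grant for role"

# Constructed requests: remote without VPN, on VPN outside role, on VPN without MFA.
SAMPLES = [
    Request("vp_sales", "sales", True, "203.0.113.7", "crm", "read"),
    Request("sales_rep", "sales", True, "10.8.0.5", "build-server", "write"),
    Request("engineer1", "engineer", False, "10.8.0.9", "build-server", "write"),
]

def compare(requests):
    """Return (user, perimeter_allows, zero_trust_allows, reason) per request."""
    return [(r.user, perimeter_decision(r), *zero_trust_decision(r)) for r in requests]

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print(row)
```

The perimeter check turns away the legitimate remote user and admits the two VPN-connected requests that the zero-trust check rejects, one for lacking a role grant and one for lacking MFA.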

A few words of caution are called for before businesses start shutting down their VPNs. First, businesses that continue to maintain perimeters with valuable resources behind them will continue to need VPNs. An organization needs to make its transition away from perimeter-based security before it can really consider eliminating its virtual private network.

And even then, VPNs will continue to be useful in protecting traveling users from eavesdroppers on local, untrustworthy networks in airports, hotels and coffee shops. So don’t turn that VPN off just yet; instead, just spread your security eggs in different baskets.
