Virtual private networks (VPNs) have often been referred to as the “backbone of the enterprise network.” This is a bold statement to make about a technology that has essentially not changed in more than two decades. And yet a VPN’s ability to offer employees, third parties and even customers “secure” remote access to enterprise applications and data continues to be a necessity in today’s corporate world. However, it is time the death of VPNs, which industry experts have been speculating about for over a decade, actually happens.
The reason that traditional VPNs, a workhorse of most enterprise networks, have no place in our architectures moving forward is that they perpetuate a network perimeter security architecture in which a user’s location on the corporate network topology defines their trustworthiness and suitability to access critical assets. In the network perimeter security model, things were simple. A user’s machine connecting to the corporate network, either directly in an office or remotely via a VPN, earned that machine a designation of trust. That trust was then used to grant the machine a level of network access nearly always beyond the minimum required for the user’s duties. That fundamental excess of access is what attackers exploit, in one way or another, during the lateral movement phase of most successful breaches: once one trusted machine is compromised, everything reachable from the trusted network is in scope.
Zero trust architectures provide an alternative model of access in which users never gain excessive network-layer access to a trusted corporate network, because there is no trusted corporate network in this architecture. Instead, access decisions move up from the network layer to the application layer, where much more granular decisions can be made from a variety of data sources (who the user is, what device they are on, how recently they authenticated). Access is then mediated on an app-by-app basis, predicated on a strong understanding of the user’s identity and the minimal access that identity requires.
While the zero trust philosophy is spreading quickly throughout the security industry, most organizations are unfortunately still operating with the traditional network perimeter security model and using VPNs to grant remote access. What some do not know, or are forgetting, is that 40% of cyber breaches actually originate with authorized users accessing unauthorized systems. If 40% of breaches come from authorized users accessing unauthorized systems, why assume that access can be trusted simply because the user is on the network?
Perhaps the highest-risk use case for VPNs is extending remote access not just to employees but to third parties such as contractors or business partners. It is often a critical business requirement to grant third parties access to corporate applications, but that no longer needs to mean giving them access to a trusted corporate network via a VPN. That excessive level of access represents a significant risk, which is one reason many organizations prioritize third-party access early in their zero trust transformations.
According to a recent report by Forrester, more and more security leaders approach zero trust as a way to address their top security and risk challenges. In turn, this adoption has created significant growth opportunities within the zero trust market. The report confirms, “Growth is in large part due to security pros increasingly relying on vendors to act as both technical integrator and long-term partner for planning and actualizing the architectural recommendations of Zero Trust.”
Frequently, architects adopting cloud services say they are looking for a more efficient solution than legacy VPN for remote access. As remote users access corporate applications that are increasingly delivered from the cloud, the inefficiency of hairpinning user traffic through VPN concentrators in a corporate data center becomes more obvious. It makes little sense to route user traffic to a VPN concentrator in a corporate data center to establish trust, only to immediately route that traffic back out to the cloud provider where the application actually lives. Cloud-native zero trust architectures can deliver simpler, more efficient IT operations at the same time as they reduce risk.
By implementing a zero trust approach and switching to an Identity-Aware Proxy (IAP) model of access, enterprises can move beyond the limitations of traditional, premises-based remote access technologies. Security and IT teams can use a software-as-a-service solution that simplifies application access and security controls without granting access to an entire privileged network. In an IAP model the proxy sits in front of each application, authenticates the user against the identity provider, and then grants end users app-by-app access to the specific corporate applications mapped to their identity; an application with no published policy is simply unreachable. Furthermore, organizations can apply context-aware access (device posture, authentication strength, location) at the same decision point, while integrating additional services such as application acceleration, application security and advanced malware protection anywhere across the globe.
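To make the app-by-app, context-aware decision described above concrete, here is a small policy engine of the kind an identity-aware proxy runs for every request. This is an added illustration written for this page, not Akamai’s product code; the application names, group names, policy fields and device-posture signals are all constructed assumptions. The contrast with the VPN model is the shape of the question: the proxy never asks “is this machine on the trusted network?”, only “is this identity, in this context, entitled to this one application?”, and the default answer is deny.

```python
"""Minimal identity-aware proxy (IAP) policy decision.

Added example, not Akamai code. Every app name, group, and policy field
here is a constructed illustration of the app-by-app, context-aware
access model described in the text.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset        # group claims asserted by the identity provider
    app: str                 # the single application being requested via the proxy
    managed_device: bool     # device posture signal from an endpoint agent (assumed)
    mfa_age_minutes: int     # minutes since the last strong authentication


@dataclass(frozen=True)
class AppPolicy:
    allowed_groups: frozenset
    require_managed_device: bool = False
    max_mfa_age_minutes: int = 24 * 60


# Per-application policies. Constructed for illustration: a contractor can
# reach timesheets, engineers reach CI only from a managed device, and the
# admin console additionally demands a fresh MFA event.
POLICIES = {
    "timesheets": AppPolicy(allowed_groups=frozenset({"employees", "contractors"})),
    "source-ci": AppPolicy(allowed_groups=frozenset({"engineering"}),
                           require_managed_device=True),
    "admin-console": AppPolicy(allowed_groups=frozenset({"it-admins"}),
                               require_managed_device=True,
                               max_mfa_age_minutes=15),
}


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, reason) for one request to one application.

    Default is deny: an app with no published policy is unreachable, which is
    the opposite of a VPN grant, where anything on the network is reachable.
    """
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, "no policy published for app"
    if not (req.groups & policy.allowed_groups):
        return False, "identity not entitled to app"
    if policy.require_managed_device and not req.managed_device:
        return False, "unmanaged device"
    if req.mfa_age_minutes > policy.max_mfa_age_minutes:
        return False, "step-up authentication required"
    return True, "ok"


def reachable_apps(user: str, groups: frozenset,
                   managed_device: bool, mfa_age_minutes: int) -> list:
    """Everything this identity can reach in this context: the zero trust
    equivalent of the 'blast radius' a VPN session would have handed out."""
    return sorted(
        app for app in POLICIES
        if decide(Request(user, groups, app, managed_device, mfa_age_minutes))[0]
    )


if __name__ == "__main__":
    # Constructed sample identities.
    contractor = ("alice@partner.example", frozenset({"contractors"}), False, 5)
    engineer = ("bob@corp.example", frozenset({"employees", "engineering"}), True, 5)
    print(reachable_apps(*contractor))   # ['timesheets']
    print(reachable_apps(*engineer))     # ['source-ci', 'timesheets']
    # Same engineer from an unmanaged laptop loses CI but keeps timesheets.
    print(reachable_apps("bob@corp.example", frozenset({"employees", "engineering"}), False, 5))
```

The point of `reachable_apps` is that the answer changes with context, not just with identity: the same engineer reaches CI from a managed device and does not from an unmanaged one, and an administrator whose MFA is stale is told to step up rather than being silently let through. In a real IAP the group claims come from a signed identity token and the posture signal from a device-trust service; here they are plain arguments so the policy logic can be read and run on its own.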
With a zero trust security posture and access control in the cloud, lateral movement across a trusted corporate network is removed as an attack path, because trust is taken out of the network: a compromised account or device reaches only the applications that identity is explicitly authorized for, and nothing else. Sensitive corporate data and IP can therefore remain secure and in the right hands.
Patrick Sullivan, Global Director of Security at Akamai