The age of the VPN is over. There was a time when VPNs were the best enterprises could do when it came to connecting their remote offices and far-flung workers. But the “secure” connection they provide came with plenty of hassles: the client software crashes often, it frequently fails to connect to essential enterprise applications, and VPNs require significant handholding from IT teams just to keep them working correctly.
In short: the VPN user experience is horrible. Not only that, but VPNs fail to provide the level of security often touted. For instance, VPNs typically broadly authenticate the user, so they gain access to the entire network once they have access to the VPN. That’s too big of a security risk. VPNs also make binary risk decisions: users are either authenticated or not, frequently only by a simple username or password. The reality is risk is much more fluid and granular than that.
VPNs are tools built for a different age: a time when most enterprise resources resided within the corporate local area network and datacenter. During that time, most staff worked within the office, and VPNs helped remote workers securely access centrally stored data and applications. Today, staff are spread remotely, accessing applications spread across various cloud services and on-premises. VPNs simply can’t keep up with such modern hybrid environments.
From VPN to zero trust
Users must be able to connect securely somehow. That “somehow” is zero trust, which we defined in this earlier post.
Unlike authenticating to a VPN, which may require a username and password combination, along with perhaps a second factor of authentication, zero trust means that those seeking access to an enterprise asset are correctly identified as trusted and given access only to the appropriate resources. These access levels are continuously monitored for fluctuations in risk, based upon changes in the user, the network, the device, and the nature of the attempted transaction.
What does that look like in practice? When a user attempts to access a network, device, or application, the zero-trust access authentication and authorization process evaluates as much information about the user as possible before any authentication or authorization takes place. Who is the user claiming to be? What is the user’s job role? What device are they using? How secure is the device? Where is the user geographically? Based on the answers to these questions, among others, the user is granted the appropriate levels of access to only the resources they need to do their job.
This zero-trust security strategy reduces the amount of risk enterprises face by minimizing the addressable attack surface. This is because, unlike VPNs, where a user is typically authenticated once and then permitted broad access, with zero trust the user is continuously authenticated as they access devices, networks, systems, servers, workloads, and data. Because of the massive shift to remote work, getting access right is more crucial than ever before, and work is going to remain hybrid for some time to come.
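To make the decision flow described above concrete, here is an added example (not code from the original post) of a toy contextual access evaluator in Python. The roles, resources, risk weights and thresholds are constructed assumptions; the point is the contrast between a one-time binary VPN decision and a per-request, re-evaluated, least-privilege decision.

```python
from dataclasses import dataclass, replace

@dataclass
class Context:
    """Attributes the zero-trust policy evaluates for one access request."""
    user: str
    role: str
    device_managed: bool   # enrolled in device management
    device_patched: bool   # current on security updates
    mfa_passed: bool       # second factor completed this session
    country: str           # coarse location signal
    resource: str          # what the user is trying to reach

# Constructed sample policy (hypothetical names, not from any product):
# which roles may reach which resources, and each resource's sensitivity tier.
ROLE_RESOURCES = {"finance": {"erp", "payroll"}, "engineer": {"git", "ci"}}
SENSITIVITY = {"erp": 2, "payroll": 3, "git": 1, "ci": 1}
HOME_COUNTRIES = {"US", "CA"}

def vpn_decision(password_ok: bool) -> str:
    """The legacy model: one binary check, then the whole network."""
    return "entire-network" if password_ok else "deny"

def risk_score(ctx: Context) -> int:
    """Sum the risk signals about device and location (higher = riskier)."""
    score = 0
    if not ctx.device_managed:
        score += 2
    if not ctx.device_patched:
        score += 1
    if ctx.country not in HOME_COUNTRIES:
        score += 1
    return score

def decide(ctx: Context) -> str:
    """Return 'deny', 'step-up', 'read-only' or 'full' for this one request."""
    if ctx.resource not in ROLE_RESOURCES.get(ctx.role, set()):
        return "deny"            # least privilege: role is not entitled at all
    risk = risk_score(ctx)
    if risk >= 3:
        return "deny"            # too risky regardless of entitlement
    if SENSITIVITY[ctx.resource] >= 2 and not ctx.mfa_passed:
        return "step-up"         # sensitive resource: demand a second factor
    if risk >= 1 and SENSITIVITY[ctx.resource] >= 3:
        return "read-only"       # degrade rather than deny on moderate risk
    return "full"

def session_timeline(ctx: Context, changes: list) -> list:
    """Continuous evaluation: re-decide after each observed attribute change."""
    decisions = [decide(ctx)]
    for change in changes:           # e.g. device drifts out of compliance
        ctx = replace(ctx, **change)
        decisions.append(decide(ctx))
    return decisions
```

Running `session_timeline` with a device that first misses patches and then leaves management shows the grant stepping down from full access to read-only to denial, something a VPN session would never do on its own.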
The zero-trust access mechanisms that conduct this vetting must integrate easily throughout the environment, whether through APIs, non-UI “headless” connections, persistent connections, or zero-install clients. This way, zero-trust access is streamlined for all users and devices, from endpoints and servers to IoT. It also optimizes secure remote access for users and devices.
During the early days of the pandemic, many enterprises were forced to rely heavily on their legacy VPN services to provide access for remote workers, and it proved highly challenging when companies went from 5% of their workforce being remote to over 90%. This was quite expensive for enterprises, and employees had to suffer all of the performance and reliability issues associated with VPNs.
The complexity of today’s enterprise environments makes this challenge even worse. Think about all the technology within the enterprise that’s still running, from mainframes to Linux and Windows servers and then out to the cloud including SaaS, and public and private cloud workloads. There’s no way to manage one-to-one connections to all these resources.
With zero trust, it’s possible to access all these resources and provide a better user experience and security aligned with the transaction context. And, with zero trust, user security levels can adapt to various levels of risk and scale to meet the needs of the modern workforce. Security is improved, along with convenience, because access must be constantly substantiated through the vetting of the device, the identity, and various other attributes regarding the digital session or transaction.
It wasn’t too long ago that enterprises didn’t have a choice. They had to suffer their way through all of the troubles associated with the traditional VPN. Not anymore. Enterprises can now choose to embrace zero trust, provide more secure and trusted connections to resources, and improve the overall technology experience of staff.