With the rise of zero trust, is the VPN really dead? [Q&A]
As a big chunk of the world suddenly started to work from home during the pandemic, many companies turned to VPNs as a means of securing remote access.
However, as more systems are now in the cloud and secured using zero trust network access (ZTNA), is the age of the VPN over? We spoke to Robert Byrne, field strategist at One Identity, to find out.
BN: What's happening with the VPN in light of cloud services and does it still have a place?
RB: Initially, when VPNs were developed, the majority of systems and applications that needed to be accessed by remote workers were within the company’s data center. Fast forward to today, in the cloud computing era, where many company services and applications are hosted online and the user base itself is increasingly distributed and remote. These developments oblige organizations to evolve their network level security policies and supporting technologies to cope with this increasingly distributed and exposed application and user base.
In the past, VPNs were useful in offering secure access to data and applications in the context of a well-defined network perimeter, but as we have seen, these lines have now been blurred considerably. You can see this as VPNs evolve into new technologies better suited to protecting these new environments and the users who are accessing them. The value of the classic remote worker VPN is certainly diminished and in time will become all but redundant; however, many organizations rightly retain them in order to secure access to legacy or high value assets.
BN: Many are touting zero trust as the new standard in network access -- is there a reason why it is placed in opposition to the VPN?
RB: The reason that VPN is positioned in opposition to ZTNA is that, traditionally, once on the VPN you have an implicit right to reach all corporate applications. This is not very 'zero trust', which directs us to verify access at every step and avoid implicit trust policies. Furthermore, it represents a rich target for hackers seeking to compromise accounts and gain intelligence and access to valuable resources.
The solution is to introduce identity and context-level checks before allowing access to the application. This has the additional benefit of providing a layer of security for internet exposed applications and SaaS endpoints. You can then feel a lot more confident that anyone or anything hitting your application endpoints is a valid actor.
This is still an emerging area so VPNs will be with us for some time yet.
BN: So the VPN isn't yet dead?
RB: In response to the comment 'VPN is dead' one operations engineer at a Managed Service Provider told me that in his experience, most customers experiencing breaches were those without VPNs. What's important to understand is the limitations of traditional VPNs, including how the user and application landscape has changed and then devise an evolutionary strategy that suits your security requirements.
Some important scenarios where VPNs are useful are for employees to access their office desktops or to have IT support step in and troubleshoot technical issues. These remote administration sessions are vital, particularly during the past year and a half's mass experiment with remote working. Unfortunately, running such sessions also puts a target on the organization's back if it's not secured properly or if ports are left exposed. Attackers will no doubt be quick to take advantage of this easy route to unrestricted control of a device, from mouse and keyboard to everything on screen. As such, it is critical that a VPN is employed to fortify these sessions.
BN: What are some of the biggest mistakes organizations make when it comes to using a VPN?
RB: As technology evolves and adhering to zero trust principles becomes the norm, VPNs will still have a place in creating secure tunnels for transporting data to organizations' on-prem data centers and the cloud. However, if the VPN terminates at the data center, too much trust will be placed at the origin point and security will be compromised. Another big mistake is not requiring proper authentication to the VPN. And what I mean by 'proper' is limiting access to only individuals that require it for their job roles, using location as a guide and considering the network type that is trying to access it. The zero trust guidance here is to take account of the security context of the entity accessing your resources.
If this type of strong authentication is not used, all it takes is one mis-click of a phishing link for an employee to share credentials with an attacker. Once a bad actor has captured login details, it won't be long before they connect to the VPN and, with a classic VPN, your network is now wide open.
Therefore, multi-factor authentication is critical. That way, even if a user's credentials are compromised, cybercriminals will find it more difficult to get past a second security check, such as a one-time, time-sensitive password sent to a separate device or the use of biometrics.
Above all else though, not changing default credentials of the VPN infrastructure is probably the biggest mistake organizations make when it comes to VPN access and these should be immediately removed. It may appear obvious, but regrettably, it is a common mistake that has been frequently leveraged by cybercriminals. Most of the time, technology gets a bad rap when it's really user implementation that causes many of the problems.
BN: You touched on this previously, but how can identity and behavior best be used to bridge the gap between ZT and the VPN?
RB: ZTNA has been driven by the need for remote working, but some organizations are missing the crucial fact that this means our administrators and privileged access solutions are also coming in remotely. These special users require unique attention and a critical point there is that the communication channel should be initiated by the on-prem service itself, so that no incoming ports need be exposed.
With the rise of SaaS and distributed collaboration and remote working, the perimeter of our IT landscape has effectively been decomposed into lots of virtual mini perimeters with security enforced by approaches like ZTNA -- and identity can provide the key anchor to tie policy together. ZTNA relies on authorization provisioning and governance technology to put the right authorizations in place at the right time and for the right users. Getting the timing correct gives us a just-in-time and zero standing permission stance while ongoing governance ensures a least privilege and just-enough privilege stance. As a result of this, we are seeing a lot of interest from organizations in a more identity-centric access and governance approach as a foundation for zero trust strategies.
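The interview contrasts the classic VPN's implicit trust (once on the tunnel, every application is reachable) with ZTNA's per-request checks on identity, MFA, device and network context, and just-in-time grants with no standing permissions. The following Python sketch is an added example written for this article; it is not code from One Identity, the interviewee, or any ZTNA product. All names (Principal, DeviceContext, Grant, Policy, the app and user labels) and the in-memory grant table are constructed for illustration; a real gateway would source these from an identity provider and a governance system.

```python
"""Per-request access decision in the ZTNA style described in the interview.

Added illustration, not code from the article or One Identity. Every type,
label and policy value below is constructed for the example.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Principal:
    user: str
    role: str
    mfa_verified: bool   # a second factor was completed for this session


@dataclass(frozen=True)
class DeviceContext:
    managed: bool        # enrolled endpoint with current posture
    network: str         # "corp", "home" or "public" (constructed labels)


@dataclass(frozen=True)
class Grant:
    user: str
    app: str
    not_before: datetime
    not_after: datetime  # just-in-time: the grant lapses on its own, no standing permission


@dataclass
class Policy:
    app_roles: dict[str, set[str]]   # app -> roles that may request it
    managed_only: set[str]           # apps that require a managed device
    blocked_networks: set[str]       # network types never allowed to reach apps
    grants: list[Grant]


def legacy_vpn_decision(on_vpn: bool) -> bool:
    """Classic remote-worker VPN: once the tunnel is up, every internal app is reachable."""
    return on_vpn


def active_grant(policy: Policy, user: str, app: str, now: datetime) -> Grant | None:
    """Return the grant covering (user, app) at time `now`, or None."""
    for g in policy.grants:
        if g.user == user and g.app == app and g.not_before <= now < g.not_after:
            return g
    return None


def ztna_decision(policy: Policy, principal: Principal, device: DeviceContext,
                  app: str, now: datetime) -> tuple[bool, str]:
    """Evaluate one request: nothing is implied by network location, each check is explicit."""
    if not principal.mfa_verified:                      # stolen password alone is not enough
        return False, "mfa_required"
    if principal.role not in policy.app_roles.get(app, set()):
        return False, "role_not_authorized"             # least privilege by job role
    if device.network in policy.blocked_networks:
        return False, "network_blocked"                 # network type as context
    if app in policy.managed_only and not device.managed:
        return False, "managed_device_required"         # device posture for high-value apps
    if active_grant(policy, principal.user, app, now) is None:
        return False, "no_active_grant"                 # just-in-time, zero standing permission
    return True, "allow"


NOW = datetime(2021, 9, 1, 12, 0, tzinfo=timezone.utc)  # constructed reference time


def example_policy() -> Policy:
    """Constructed policy: one routine app and one privileged admin app."""
    return Policy(
        app_roles={"hr-portal": {"hr", "admin"}, "prod-db-admin": {"admin"}},
        managed_only={"prod-db-admin"},
        blocked_networks={"public"},
        grants=[
            Grant("alice", "prod-db-admin", NOW - timedelta(minutes=5), NOW + timedelta(hours=1)),
            Grant("bob", "hr-portal", NOW - timedelta(days=2), NOW - timedelta(days=1)),  # lapsed
        ],
    )


def run_scenarios() -> dict[str, tuple[bool, str]]:
    """Decisions for a handful of constructed requests, keyed by scenario name."""
    p = example_policy()
    alice = Principal("alice", "admin", mfa_verified=True)
    alice_no_mfa = Principal("alice", "admin", mfa_verified=False)  # phished credentials only
    bob = Principal("bob", "hr", mfa_verified=True)
    laptop = DeviceContext(managed=True, network="home")
    byod = DeviceContext(managed=False, network="home")
    cafe = DeviceContext(managed=True, network="public")
    return {
        "alice_admin_ok": ztna_decision(p, alice, laptop, "prod-db-admin", NOW),
        "alice_phished_creds": ztna_decision(p, alice_no_mfa, laptop, "prod-db-admin", NOW),
        "alice_byod": ztna_decision(p, alice, byod, "prod-db-admin", NOW),
        "alice_cafe": ztna_decision(p, alice, cafe, "prod-db-admin", NOW),
        "bob_grant_lapsed": ztna_decision(p, bob, laptop, "hr-portal", NOW),
        "bob_wrong_app": ztna_decision(p, bob, laptop, "prod-db-admin", NOW),
        "legacy_vpn_any_app": (legacy_vpn_decision(True), "implicit"),
    }


if __name__ == "__main__":
    for name, (allowed, reason) in run_scenarios().items():
        print(f"{name:22s} {'ALLOW' if allowed else 'DENY ':5s} {reason}")
```

The ordering of the checks is deliberate: identity and MFA come first so that a phished password never reaches the authorization stage, and the just-in-time grant check comes last so that even a fully authorized, well-postured administrator has no access outside an approved window. The `legacy_vpn_decision` line is the contrast the interviewee draws: the tunnel alone answers "yes" for every application.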