We’ve used Virtual Private Networks (VPNs) for decades, and they’ve only become more commonplace thanks to the adoption of remote work. But there are actual performance and security concerns with VPNs that are becoming painfully apparent.
First, performance issues. As many IT professionals know, VPNs can reach capacity quickly, are difficult to scale, and as more users sign on, connections will get slower, zapping productivity.
But that’s not the biggest problem: VPNs use an outdated “castle and moat” security model. All the protection is on the perimeter: once you’re inside, you’re not going to get a lot of pushback. We think it’s time organizations ditch the VPN and move to a zero trust architecture to keep hackers at bay.
VPNs and zero trust: a quick review
Before we jump into why IT departments should seriously consider transitioning to a zero trust model, let’s define both a VPN and the zero trust security model.
VPN: Provides an encrypted “tunnel” between the corporate network and the user’s device. Data is encrypted and protected, the user typically has the same access to applications, services, and files as if they were working from the office on company hardware.
Zero Trust: As the name suggests, the network trusts no device or user. Users are not provided blanket access to applications, services, and files but merely access to the resources they need for the given task. Even within the company network, devices undergo verification and authentication checks before accessing company data.
If you are thinking the security postures of VPNs and zero trust sound like opposites, you’re correct. The IT manager has access to everything on the network on a VPN, whereas on a zero-trust network they only can access the services they’re using at that particular moment.
Why VPNs are so insecure
VPNs aren’t as secure as you’d imagine because access control is a single perimeter, with tiers of access to sensitive information on the company network after authentication. Another issue is the user and devices themselves: the VPN has no insight into how secure a device might be.
For this reason, hacking in via a VPN is an attractive target, and especially if it’s the account of somebody with a higher tier of access. Once the hacker’s in, they’d have access to anything they’d want.
Why zero trust is more secure
Removing the concept of trust from a network goes a long way in securing it. By forcing users and devices to authenticate themselves continuously and limiting resource access to only the files and data they need for the given task, users and devices are a much less attractive target for hackers.
With many services and applications now cloud-based, there is no need to route traffic through the corporate network. Even the policy engine and policy administrator can reside in the cloud: that way, most malicious actors don’t make it to your company-owned infrastructure.
Access also isn’t granted based solely on a correct authentication in a zero trust network. A zero trust network also enforces a set of security policies to maintain access. Suppose a user or device connects with out-of-date software or missing security patches. The network may offer reduced access and block access until the issue is remedied for the most egregious issues. This happens regardless if the device is company-owned on the company-owned network or a user-owned device connecting remotely.
The Biden administration is moving the US government to Zero Trust
Perhaps the most significant validation of a zero-trust strategy came from the U.S. Government in May. President Biden signed an executive order directing all Federal agencies and contractors to migrate applications and systems to zero trust.
The order includes moving more applications to the cloud and off internal networks, improving overall monitoring of threats and incidents, and adding multi-factor authentication and encryption to all data — all essential concepts of the zero trust security model.
How to transition to zero trust
There are three phases in the transition to zero trust, each adding another layer of security to the corporate network.
1. Perform an initial security assessment.
You won’t be able to adequately protect yourself if you don’t know your current security posture. Start by identifying potential attack surfaces and any potential targets such as sensitive data, assets, applications, and services (DAAS). Next, review user accounts, remove unused or old accounts, and review the privileges assigned to the remaining accounts. Make sure critical assets are protected first but pick these carefully, so disruptions are minimal.
2. Know where your data is and where it goes.
You’ll now want to understand where your data is located and who might need access. Also, note how third-party services connect to the corporate network and what access they might have. Use passwordless authentication to secure your network further: passwords are a prime target for hackers looking to infiltrate your network. Always limit data access to only what is needed for the user to complete their task.
3. Get on offense when it comes to security.
Finally, it’s time to be proactive when it comes to security and you should set up a real-time monitoring system. Using things like MFA, a robust access control policy, and micro-segmentation to protect highly sensitive information further go a long way in enhancing data protection and limiting exposure if an incident happens.
How Beyond Identity can help achieve zero trust
With Beyond Identity, you can implement granular zero trust authorization policies that limit access to resources based on device security posture, location, and other factors. Beyond Identity’s technology replaces passwords with secure credentials based on X.509 certificates and public-private key pairs.
Beyond Identity relies only on what you have and what you are, eliminating any knowledge-based authentication that is popular for attackers to target. If your organization is pursuing a zero-trust strategy, you won’t get there as long as you base it all on a fundamentally insecure authentication method: the username and password.
Our passwordless platform integrates easily with most existing SSO solutions with only a few lines of extra code, helping organizations in their efforts secure their resources.