Why? Because legacy VPNs are cybersecurity kryptonite. Like the fictional power-sapping crystal, they weaken your security architecture every minute they’re still around.
VPNs ARE THE ANTI-ZERO-TRUST TECHNOLOGY
Virtual private networks are completely at odds with zero-trust fundamentals. A quick review of NIST’s definition offers more than enough proof:
Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least-privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.
(Zero Trust Architecture, NIST SP 800-207)
Three key phrases stand out:
- Network viewed as compromised. This “assume breach” concept means we must act as though attackers are already on our internal networks. It is a sharp break from the legacy security perimeter, which tried to define a “trusted” internal network behind a hardened edge, an assumption that failed repeatedly in practice. In a zero-trust architecture, nothing is trusted simply because it sits on the internal network. Yet that is precisely the model legacy VPNs implement: after a one-time authentication, they give the remote device a routable address on the internal network and let it talk to whatever that network can reach.
- Per-request access decisions. In a zero-trust architecture, trust is never granted implicitly or permanently, so every access request must be re-evaluated against the latest evidence of risk. A person’s or device’s risk posture can change quickly: the device may be breached, the user may begin behaving suspiciously, or the account may be compromised. Some legacy VPN technologies can perform a point-in-time device posture check at connection time, but they typically keep the session open until the user logs off or an idle or maximum-session timeout is reached. In effect, a legacy VPN “assumes trust” for the life of the session, with no way to revisit the access decision until the user has to log in again.
- Least-privilege access. Legacy VPNs let users go wherever the network will take them, blind to the applications they are accessing. Network segmentation and VPN access-control lists can narrow the reachable IP ranges and ports, but that is coarse, network-layer control: the VPN sees only packets to an address and port, never the application request itself, so it cannot enforce least privilege at the application level. With that in mind, consider the federal zero-trust strategy’s vision of making workforce applications “accessible over the Internet without relying on a VPN or other network tunnel.” The reason is clear: VPNs and other network tunnels are outdated in a zero-trust world.
VPNs ALSO DEGRADE USER EXPERIENCES
Let’s say you have two data centers — one in Washington, D.C., and the other in London — interconnected by a telco-provided MPLS private network. Both data centers have internally managed security stacks and provide access, but London is the primary for many internal mission-critical applications.
Now let’s say Lois is a remote user in San Jose, Calif. She requires access to London-hosted internal applications, but she also uses SaaS apps like Salesforce and the Internet. Each day, she opens her VPN client and authenticates to the nearest VPN concentrator, which happens to be in D.C., on the other side of the country. All of her traffic travels coast to coast because security policy prohibits split tunneling, that is, simultaneous connections to the internal network and the Internet. This “hair-pinning” effect adds network latency and internal system load that degrade her overall experience.
Furthermore, some of Lois’ traffic takes a transatlantic voyage aboard your expensive MPLS network to reach London-hosted applications. Delays introduced by the D.C.-based VPN concentrator, the data center networks and the MPLS wide area network — and the long journey back to California — accumulate and further affect her user experience.
ZERO-TRUST NETWORK ACCESS SAVES THE DAY
What’s the modern-day superhero for secure, high-performance remote access? This looks like a job for Zero Trust Network Access (ZTNA).
With ZTNA, Lois never lands on an internal network herself. Instead, she authenticates to a cloud-based ZTNA service that brokers a connection to each individual application on her behalf. Inside the service, policy decision and enforcement points evaluate every access request against her current identity, device posture and risk signals, and re-evaluate it as those signals change. ZTNA controls access to internal applications, SaaS apps and Internet sites from one central control plane. It is the beginning of a modern zero-trust architecture.
Lois also has a nearby onramp. Rather than first establishing a long VPN connection to the D.C. data center, she connects to the closest access point, in San Jose. If zero-trust policy allows, the service’s secure web gateway lets her reach SaaS apps and the Internet by the fastest route from where she is, while still protecting her from malicious sites and content. And because the London data center also has a nearby onramp, the ZTNA service makes internal application requests locally and returns the data to her far faster.
Her user experience improves, and so does your security posture. And none of the traffic ever hits your expensive MPLS network.
But perhaps the biggest advantages tie back to NIST’s zero-trust definition:
- A compromised network no longer exposes your applications. Applications are visible only to the ZTNA service, and they accept requests only from the ZTNA service. Make sure that is actually enforced, for example with a host firewall rule that drops every other source; otherwise the isolation is only as good as an attacker’s ability to find the host. Done properly, an attacker who breaches your internal network cannot discover or reach critical applications, which takes denial-of-service, direct exploitation of application vulnerabilities and many other adversary tactics, techniques and procedures off the table for that foothold. It helps you break down outdated security perimeters and safely make workforce applications Internet-accessible, accomplishing two key actions from the federal zero-trust strategy.
- Per-request access decisions are constantly evaluated. Because the ZTNA service brokers each request on the user’s behalf, it can re-evaluate each request too, adjusting access dynamically and denying the request when the risk profile is too high. This realizes the true spirit of zero trust: trust is never implicit, access is granted explicitly, and every request is verified.
- Least privilege is enforced with an agile approach. The federal zero-trust strategy acknowledges that making workforce applications Internet-accessible without familiar VPNs is a major shift where “the chances of long-term success will be improved by beginning with an agile approach.” ZTNA is that agile approach: it not only helps you begin your zero-trust journey but also lays the foundation for reaching optimal maturity.
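The contrast drawn in the two lists above (one-time authentication followed by session-long trust, versus re-evaluating identity, device posture and per-application entitlement on every request) as a runnable sketch. This is an added example, not Cloudflare’s code and not any product’s policy engine; the two classes are deliberately minimal models of the two decision styles, and the user, device, application names and posture signals are constructed for the walkthrough.

```python
"""Session-scoped trust (legacy VPN) versus per-request decisions (ZTNA).

Added example, not Cloudflare's or any product's code. Both classes are
deliberately minimal models of the two decision styles described in the text.
All users, device IDs, application names and posture signals are constructed.
"""
from dataclasses import dataclass


@dataclass
class DevicePosture:
    disk_encrypted: bool
    edr_running: bool
    os_patched: bool

    def healthy(self) -> bool:
        return self.disk_encrypted and self.edr_running and self.os_patched


@dataclass
class Request:
    user: str
    device_id: str
    app: str  # the application being asked for, e.g. "payroll"


@dataclass
class RiskContext:
    """The latest evidence of risk available to a decision point."""
    posture: dict            # device_id -> DevicePosture
    compromised_accounts: set
    mfa_valid: set           # users holding a fresh MFA assertion
    app_allow: dict          # app -> groups entitled to it
    groups: dict             # user -> groups


class LegacyVpn:
    """Authenticate once, check posture once, then any internal host is reachable."""

    def __init__(self):
        self.sessions = set()   # (user, device_id) pairs with an open tunnel

    def connect(self, user, device_id, ctx):
        if user in ctx.mfa_valid and ctx.posture[device_id].healthy():
            self.sessions.add((user, device_id))
            return True
        return False

    def decide(self, req, ctx):
        # ctx is ignored on purpose: once the tunnel is up, the VPN sees only
        # packets to an address, not the application, and does not recheck posture.
        if (req.user, req.device_id) in self.sessions:
            return True, "tunnel open; destination reachable"
        return False, "no tunnel"


class ZtnaDecisionPoint:
    """No session state: every request is judged against current evidence."""

    def decide(self, req, ctx):
        if req.user not in ctx.mfa_valid:
            return False, "no valid MFA assertion"
        if req.user in ctx.compromised_accounts:
            return False, "account flagged as compromised"
        posture = ctx.posture.get(req.device_id)
        if posture is None or not posture.healthy():
            return False, "device posture unhealthy"
        if not ctx.app_allow.get(req.app, set()) & ctx.groups.get(req.user, set()):
            return False, f"user not entitled to {req.app}"
        return True, "allow"


def run_scenario():
    """Walk both models through the same events; return (vpn_allowed, ztna_allowed) per event."""
    laptop = DevicePosture(disk_encrypted=True, edr_running=True, os_patched=True)
    ctx = RiskContext(
        posture={"laptop-1": laptop},
        compromised_accounts=set(),
        mfa_valid={"lois"},
        app_allow={"payroll": {"finance"}, "build-server": {"engineering"}},
        groups={"lois": {"finance"}},
    )
    vpn, ztna = LegacyVpn(), ZtnaDecisionPoint()
    assert vpn.connect("lois", "laptop-1", ctx)      # the one-time authentication

    def both(req):
        return vpn.decide(req, ctx)[0], ztna.decide(req, ctx)[0]

    results = {}
    payroll = Request("lois", "laptop-1", "payroll")
    results["payroll_healthy"] = both(payroll)                  # (True, True)
    laptop.edr_running = False                                  # EDR killed mid-session
    results["payroll_after_edr_killed"] = both(payroll)         # (True, False)
    laptop.edr_running = True
    build = Request("lois", "laptop-1", "build-server")         # app her group is not entitled to
    results["build_server_not_entitled"] = both(build)          # (True, False)
    ctx.compromised_accounts.add("lois")                        # identity provider flags the account
    results["payroll_account_compromised"] = both(payroll)      # (True, False)
    return results


if __name__ == "__main__":
    for event, (vpn_ok, ztna_ok) in run_scenario().items():
        print(f"{event:32} VPN={'allow' if vpn_ok else 'deny':5}  ZTNA={'allow' if ztna_ok else 'deny'}")
```

The VPN column stays “allow” for every event after the initial connection because the tunnel never consults the risk context again; segmentation could block the build server’s subnet, but that decision would live in the network, not in the access decision. The ZTNA column flips to “deny” the moment posture, account status or entitlement no longer satisfies policy, which is the per-request behaviour the NIST definition asks for.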
You may not become Superman by adopting Zero Trust Network Access, but you’ll certainly strengthen your security architecture by eliminating exposure to cybersecurity kryptonite. By replacing legacy VPNs, you’ll be able to:
- Take the first steps toward a zero-trust architecture with an agile approach;
- Improve and simplify experiences for remote users; and
- Dramatically cut the traffic flowing through internal networks and security stacks.
ABOUT THE AUTHOR
Steve Caimi is principal product marketing manager at Cloudflare.