VPNs Transformed
Several articles have been published of late predicting that Zero Trust Networking spells the end for VPNs. Is this likely? Research suggests it is not. VPNs are critical to enterprises on many levels and can’t simply be replaced. For example, for enterprises with remote workers, the capacity of enterprise VPNs to offer access to enterprise data, applications and cloud-based resources from anywhere is invaluable. VPNs are also important to enterprises because they facilitate site-to-site connections between remote data centers and enterprise networks. Rather than being the death of VPNs, Zero Trust Networking is expected to transform VPNs and help them deliver more secure remote access, especially to cloud resources. It is envisaged that the two technologies will be used in tandem to implement blended solutions that use the best of both. The much-loved functionality of VPNs will be enhanced with Zero Trust Networking’s least privilege access approach.
How Does Zero Trust Networking Work?
Traditional network security involves the use of firewalls to block access into enterprise networks from the outside world, with remote access only allowed via a secure VPN. With this traditional model, it is hard to obtain access from outside the network, but everyone inside the network is trusted by default. The problem with this approach, as evidenced by the recent attacks on VPN servers and the Aurora attacks some years ago, is that once an attacker gains access to the network, they have full access to everything inside. To counter this threat, Zero Trust Networking relies on the notion “never trust, always verify”. The principle behind Zero Trust Networking is that there are attackers both inside and outside the network, so no users or devices should automatically be trusted. To protect an enterprise’s network from attacks originating from either of these two sources, Zero Trust Networking uses least privilege access, micro segmentation and multifactor authentication. Zero Trust’s least privilege access approach only provides “need to know” access to users. Users’ access is restricted so they only have access to the data they need to do their work and no more. Zero Trust’s micro segmentation breaks up a network into many zones. A user or program logged into one zone will not be able to access another zone without further authentication. Furthermore, each zone is protected by multifactor authentication. This means that a user not only has to enter a password, but also needs to enter a code sent to another device, such as a mobile phone, to prove they are who they claim to be.
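The difference between the two models can be shown as an access decision. The sketch below is an added example, not code from any product or vendor named in this article: it contrasts the perimeter rule (inside the VPN means trusted everywhere) with a default-deny check that applies least privilege and per-zone multifactor authentication. The zone names, users and the 15-minute MFA lifetime are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MFA_TTL = 900  # seconds a zone's MFA check stays valid (assumed value)

# Constructed sample policy: zone -> users entitled to it (least privilege).
ENTITLEMENTS = {
    "hr-records": {"alice"},
    "build-servers": {"bob"},
    "wiki": {"alice", "bob"},
}

@dataclass
class Session:
    user: str
    on_vpn: bool = False                         # passed the perimeter
    mfa_at: dict = field(default_factory=dict)   # zone -> time MFA completed

def perimeter_allows(session, zone):
    """Traditional model: anyone inside the network reaches every zone."""
    return session.on_vpn and zone in ENTITLEMENTS

def zero_trust_allows(session, zone, now):
    """Default deny: each zone checks entitlement and its own fresh MFA."""
    if session.user not in ENTITLEMENTS.get(zone, set()):
        return False, "not entitled (least privilege)"
    verified = session.mfa_at.get(zone)
    if verified is None:
        return False, "MFA required for this zone"
    if now - verified > MFA_TTL:
        return False, "MFA expired, re-verify"
    return True, "allowed"

def complete_mfa(session, zone, now):
    """Record a successful second-factor check for one zone only."""
    session.mfa_at[zone] = now

if __name__ == "__main__":
    s = Session("alice", on_vpn=True)
    complete_mfa(s, "wiki", now=1000)
    for zone in ENTITLEMENTS:
        print(zone, perimeter_allows(s, zone),
              zero_trust_allows(s, zone, now=1100))
```

Note that verifying in one zone never carries over to another: the session above is allowed into "wiki" but still has to authenticate again for "hr-records", and is refused "build-servers" outright.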
Zero Trust Networking Adoption by Enterprises
Thus far, Zero Trust Networking has had most traction amongst large corporations such as Google, Kayak and Siemens. Smaller enterprises, although interested in implementing aspects of the technology, are not looking at replacing their VPN setups. This was confirmed in a survey commissioned earlier this year by Zscaler, a global cloud-based information security company. The survey, which was conducted by Cybersecurity Insiders on behalf of Zscaler, found that two-thirds of the professionals polled were interested in the technology’s least privilege access approach. The appeal of this aspect of the technology lies in its potential to close gaps created in traditional enterprise VPNs, mainly due to the emergence of cloud technologies. However, most of the 315 IT and cybersecurity professionals polled from across multiple industries stated that they were not looking at replacing their VPNs with Zero Trust Networking. As VPNs remain an essential element in enterprise infrastructures, this technology is not going away any time soon, nor should it. Instead, a next generation of VPNs is in the making.