Even before the COVID-19 pandemic, VPNs were in trouble. The pandemic certainly exasperated the problem, as the number of employees using VPNs to access enterprise IT and remote resources rocketed when we all shifted to working from home. Initially, VPNs were a simple and effective way of enabling staff to connect when not in the office, but they weren’t designed to be used by entire global workforces. It wasn’t a surprise to security experts, who had been warning about the danger for years, that VPNs became a significant vulnerability for companies around the world.
In early 2021, a series of VPN hacks demonstrated just how susceptible businesses were to attack, with the Pulse Secure VPN affecting numerous global organisations, while a back door account in Zyxel firewalls and VPN gateways left IT teams scrambling to install patches to protect systems from cyber-attacks, organised crime, and rogue governments. If VPNs weren’t quite obsolete yet, it was clear they were heading in that direction.
Why VPNs don’t protect your business
VPNs are often described as a ‘castle and moat’ approach to security. You keep the bad guys out with a seemingly impenetrable outer perimeter. But what happens when someone manages to penetrate that shield? The answer is – disaster. Once the hackers have gotten through, there’s little to stop them from accessing your company data or attacking internal networks and assets. If we continue with the castle analogy, what we need then is internal barriers. Basically, you need some doors and gatekeepers between systems, networks, and users—guards who patrol the entire castle and doors that are kept locked shut. Anyone passing through must identify themselves to the guards. What we are describing is a Zero Trust Network.
The first thing to know about Zero Trust is that what we are describing isn’t a tool or an app. It is an approach to security, which is based on seven core principles (as defined in NIST Special Publication 800-207):
-
Treat everything as a resource
All data sources and computing services are considered resources.
-
Secure all communications
All communication must be secured, regardless of network location.
-
Maintain session-based access
Access to individual resources is granted on a per-session basis.
-
Policies must be dynamic
Access to resources is determined by dynamic policies which respond in real-time to changing security posture.
-
Continuously monitor security posture
No asset is inherently trusted because of who, where or what it is, or was. The security of resources is a point-in-time state and should be continuously evaluated.
-
Authenticate before connect
Resource authentication and authorization is dynamic and strictly enforced before access is granted. This means actors, systems, and workloads (resources) inside the perimeter should not be automatically trusted. Without verification and policy-based authorisation, access is denied.
-
Measure and improve
Collect as much data as possible, monitor and measure the integrity and security posture of all assets and use it to improve.
Put simply, Zero Trust dictates that organisations shouldn’t automatically trust anything, either within or outside their network perimeter, and should instead require every connection to be made by authenticated and authorised parties.
In the post-VPN world, users and devices are continually assessed and authenticated - from the moment they first access the network through their entire duration of a session. This monitoring within the network and need-to-know connectivity prevents lateral movement of threats within the network, even if the network itself has been compromised.
Zero Trust is Inherently Agile
Zero Trust combines a range of dynamic and adaptive controls and techniques, including data security, access control, network segmentation, and identity management. It is important to note that identity management isn’t just concerned with verifying human users such as end-users, admin, and customers, but extends to non-human entities, including databases, services, and applications. These components must be configured to work well together to create a resilient and agile infrastructure that can be used in a range of workforce and business enablement scenarios, including partner and contractor onboarding and IT integrations.
By the way, you won’t have to onboard your employees on a new way to access internal documents or systems. In fact, it’s best that they don’t even know about this new development as there is a danger of it being misunderstood as the company having “zero trust” in their employees. If done properly, no one outside of your IT operations team will even know that you have a Zero Trust network. It will just do its job, unobtrusively and effectively, leaving your team to get on with their work.
Setting up a Zero Trust Network
Setting up a Zero Trust network requires committed leadership with a clear vision. While it involves technology, it’s not simply a tech issue, but rather a business-critical task necessary to running a robust business and producing strong business outcomes. It can be integrated into existing digitalisation projects, and as a cross-functional project, the monetary resources can be spread across business units.
You are never finished with the setting up of a Zero Trust Network. It’s a journey, not a destination. As time goes by, threats change, as do your organisational priorities, and perhaps even leadership. You need to be ready to face new challenges and threats.
Does this mean that VPNs are obsolete? Not entirely. They still have a job to do as the first line of defence against hackers. But companies cannot rely on them entirely, as we’ve seen how vulnerable they can be. And once the business has been hacked, it’s too late. The costs of clean-up are significantly more than if the vulnerability had been addressed in advance. Not to mention the business lost when all systems are down. Only a comprehensive and well-designed Zero Trust Network provides adequate protection for critical business infrastructure.