Kurt Glazemakers at Appgate argues that the risk of VPN déjà vu means it’s time to pave the way for something new
For years, VPNs have been the foundation upon which we’ve developed more flexible working for the agile workforce. However, the era of the VPN is coming to a close as the technology is no longer capable of handling the security challenges of today’s hybrid workforce and evolving threat landscape.
Recent headlines are a testament to VPN limitations, including the half a million Fortinet VPN login credentials that were dumped on the dark web. But despite all this, many businesses still cling to their VPNs and leave their networks vulnerable to attack.
It is well documented that VPNs are struggling against the current threat environment, leaving huge attack surfaces and easily scannable open ports that essentially provide criminals with free backstage passes to the network.
This antiquated technology is not designed for the flexible, hybrid workforce that’s been established over the past year, and the use of IP addresses to authenticate users makes it simple for criminals to breach the perimeter with stolen credentials. But there is an alternative, and one that doesn’t require a complete overhaul of the systems in place.
Zero Trust Network Access (ZTNA), a model based on the concept of least privilege and limiting permission access to sensitive data, is on hand to deliver a seamless transition away from the outdated VPN platforms, and into a far more secure and agile future.
First, let’s address the obstacles.
Busting the myths of VPN replacement
There are a number of reasons why businesses are so hesitant about giving up their VPN models, including sunk costs, extra workload and familiarity. However, these concerns are often founded on misconceptions that, in reality, are nowhere near as much of a problem as first suspected.
Organisations are naturally worried about forfeiting previous investments in their VPN, as it is usually built into the existing technology stack, with plenty of budget tied in. However, diverting the budget assigned to ongoing VPN maintenance can fund the new system without incurring further costs.
Implementing ZTNA does not need to break the bank, and the ongoing cost of keeping VPNs updated and the general maintenance will be much higher in the long term.
The other side of deploying a new service is the risk of additional workloads. Security and IT teams are already swamped by their current responsibilities and cannot realistically spread their resources any thinner.
However, a ZTNA solution does not require huge amounts of time and resources to deploy. Its single, private access platform and centralised policy takes away the need to do a complete overhaul of the network.
Additionally, teams can reduce the number of firewall rules and avoid further installations, freeing them up to focus on higher-value tasks rather than having to manage countless rules and systems.
VPNs have been around for 25 years, so it’s understandable that businesses feel comfortable using them, as they are probably all they’ve known. Plus, all their employees will be familiar with the systems, and replacing them would require retraining, meaning more money and more downtime.
Whilst deploying a new system would take time to get used to, and perhaps some initial training sessions, this would be a short-term factor, drastically outweighed by the long-term benefits to security and business productivity.
The security battle between VPN and ZTNA
In a rapidly evolving threat landscape, ZTNA will provide organisations with that fresh layer of security without the need for bigger budgets or more resources. Whilst VPNs expose open ports that are easily exploited, ZTNA uses single packet authorisation, which refuses access unless the requester is verified as a trusted account.
Because the new model operates on the basis of least privilege, employees are only granted access to the resources that are fundamental to their role. If an individual needs to get into sensitive data that they do not have clearance for, they can be given temporary access, which is withdrawn immediately after the task has been performed.
ZTNA recognises identity as the new network perimeter and uses more advanced methods to authenticate users. Data from identity stores and contextual points – including time, date and location – are used to verify accounts before they are granted access. Further, VPNs leave the network siloed and therefore disjointed, whereas ZTNA ensures a seamless and agile process, with greater network visibility.
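To make the access model described in the last three paragraphs concrete (default deny, role-based least privilege, time-limited temporary grants, and contextual checks on time and location), here is an added illustration in Python. It is not Appgate's code; the identity store, entitlements, working hours and user names are constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample identity store: user -> role and permitted countries.
IDENTITY_STORE = {
    "alice": {"role": "finance", "countries": {"GB"}},
    "bob": {"role": "engineering", "countries": {"GB", "NL"}},
}

# Least-privilege entitlements: each role gets only what it needs.
ROLE_ENTITLEMENTS = {
    "finance": {"payroll-db"},
    "engineering": {"ci-server", "git"},
}

# Temporary grants: (user, resource) -> expiry time (UTC). Constructed, empty at start.
TEMP_GRANTS = {}

# Contextual constraint: access only between 07:00 and 19:00 UTC (constructed policy).
WORK_HOURS = (7, 19)

# Constructed reference time used by the demonstration below.
SAMPLE_NOW = datetime(2021, 10, 5, 10, 0, tzinfo=timezone.utc)


def grant_temporary(user, resource, minutes, now):
    """Record a time-boxed grant that expires `minutes` after `now`."""
    TEMP_GRANTS[(user, resource)] = now.replace(
        minute=0, second=0) + (now - now.replace(minute=0, second=0)
    ) + __import__("datetime").timedelta(minutes=minutes)


def revoke_temporary(user, resource):
    TEMP_GRANTS.pop((user, resource), None)


def decide(user, resource, country, now):
    """Return (allowed, reason). Default deny: every check must pass."""
    ident = IDENTITY_STORE.get(user)
    if ident is None:
        return False, "unknown identity"
    if country not in ident["countries"]:          # location context
        return False, "location not permitted"
    if not (WORK_HOURS[0] <= now.hour < WORK_HOURS[1]):  # time context
        return False, "outside permitted hours"
    if resource in ROLE_ENTITLEMENTS.get(ident["role"], set()):
        return True, "role entitlement"
    expiry = TEMP_GRANTS.get((user, resource))
    if expiry is not None and now < expiry:
        return True, "temporary grant"
    if expiry is not None:
        revoke_temporary(user, resource)            # expired grant is withdrawn
    return False, "no entitlement"
```

The function returns a reason alongside the decision so that denials can be logged and reviewed, which is the visibility the article contrasts with a VPN's all-or-nothing network access.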
Small steps with a big impact
As we’ve established, ZTNA has the capabilities to strengthen network security and boost daily business productivity simultaneously. Making the journey away from VPNs and towards this more secure alternative can appear daunting, but there are a number of simple steps that can help guide businesses along the way.
It’s vital to understand the extent of the current VPN landscape so that teams can develop a comprehensive ZTNA roadmap. This should include details on a technical, financial and management level, and goals should be set for all of them to keep the business on track. When it comes to launching the new model, organisations must first identify an appropriate vendor that can guarantee delivery on all business objectives for this replacement.
Above all else, enterprises should not feel pressured to deploy ZTNA across all areas of the network in the first instance. A more feasible approach is to choose one use case and start there. Once the teams are happy with the results, they can begin to scale up the implementation until VPNs are eliminated once and for all.
Deploying a new system is a marathon, not a sprint. The steps should be taken at the preferred pace, as long as the process keeps moving forwards. When faced with increasingly advanced cyber threats, any progress made in cyber-security will have a big effect.
Kurt Glazemakers is CTO at Appgate