Kurt Glazemakers, CTO at Appgate, lays out the five steps organisations can take to migrate away from old school VPNs
Organisations have been under increasing pressure to adopt efficient and secure access policies in recent years, particularly in the wake of the pandemic. VPNs have been widely used by organisations for several years now, creating the foundations for remote access.
However, as time has passed, and criminals have become ever more cunning, security flaws in VPNs have left these organisations vulnerable.
One of the most serious security concerns around VPNs is open ports, which can be discovered and exploited by threat actors. VPNs also tend to force network administrators to choose between broad network access policies or complex, restrictive ones, with little flexibility or granular control.
To counter these vulnerabilities, zero trust network access (ZTNA) has emerged as one of the most effective approaches, with its risk-based approach blocking threats without hindering legitimate users.
Where most VPNs base ‘trusted’ access on IP addresses, ZTNA takes a ‘verification first, trust second’ approach. Given how easy it is for criminals to steal a set of credentials through phishing or social engineering, the traditional approach taken by VPNs can leave gaps in a company’s security. Additionally, VPNs that are still tied to hardware are awkward and expensive to scale depending on business needs.
This outdated technology simply doesn’t match the needs of the workforce and organisations are looking to alternative solutions that offer advantages, such as better agility and flexibility, over older VPN-centric strategies, which are prone to creating security issues and impacting productivity.
In this article I provide advice and possible steps to take for those organisations looking to migrate away from outdated VPNs towards a ZTNA approach, and the benefits that come with doing so.
Step one: Mapping the VPN landscape
Before making any decisions about ZTNA migration, organisations need to establish a strong understanding of their existing VPN landscape.
Carrying out a VPN baseline assessment will help to establish how VPNs are integrated into the company’s tech stack, and how any changes will impact operations. It’s also useful to focus on which user groups currently have access to the most sensitive data or would otherwise pose the greatest risk if they were compromised. It can be effective to trial a smaller rollout with a select high-risk user group, as a successful implementation here will make it easier to scale up for the rest of the organisation.
Step two: Writing the ZTNA roadmap
The next step is to create a roadmap that details the ultimate destination for the ZTNA programme.
Cloud access is a popular use case, as ZTNA can manage dynamic entitlements across multi-cloud environments without manual intervention, which is ideal for large workforces accessing a variety of cloud-based assets. Similarly, organisations can grant remote network access to third parties such as vendors, contractors, and business partners, without exposing the business to elevated risk from overprivileged access.
While a Zero Trust approach is usually thought of in terms of human users, a robust solution can also apply the same policies for machine-to-machine (M2M) connections, helping to reduce attack surfaces by preventing lateral movement from compromised devices.
Step three: Find the starting point
The big undertaking of implementing a ZTNA model begins with a single step.
Focusing on risk mitigation is a popular launch point, for example starting with a subset of privileged VPN users who routinely access mission critical assets. Productivity is another strong option, focusing on improving remote access for key activity like DevOps.
Where possible, it is also useful to tie a ZTNA initiative into wider business activity. Reaching the end of a budget cycle presents an opportunity to begin the “replacement vs upgrade” discussion and move away from VPNs. Likewise, the launch of a new initiative such as a cloud migration project also presents an excellent opportunity to demonstrate what can be achieved.
Step four: Choose a provider and launch the first use case
The penultimate step is to decide on a ZTNA provider. The ideal provider will be able to deliver a high level of flexibility and versatility, working across different deployment options, in different environments, and handling different protocols.
The deployment will involve several steps, starting with infrastructure instantiation, which can involve either a self-hosted solution or an as-a-service approach. Next comes policy creation. A few simple policies should be set first, covering context such as time, location, and multifactor authentication based on risk.
Once this has been sorted, it’s time to start user onboarding. Depending on the use case and number of users, this could be supported either by an installed client or browser-based access. Finally, it is then possible to determine where automation can be applied to reduce complexity and manage administrative burdens.
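To make the policy-creation step concrete, here is an added example of a minimal context-aware access evaluator. It is illustrative code written for this article, not Appgate's product or any vendor's API, and the group names, resource names, country codes, time windows and risk scores in it are all constructed. It models the kind of first policies described above: an explicit group-to-resource grant (default deny when nothing matches), a permitted-location list, a time-of-day window, and a step-up MFA requirement that kicks in only when a simple risk score crosses a threshold.

```python
from dataclasses import dataclass
from datetime import time
from typing import Iterable


@dataclass(frozen=True)
class AccessRequest:
    user: str
    group: str            # identity-provider group, e.g. "devops" (constructed)
    resource: str         # a named application, not an IP range
    country: str          # country code reported by geolocation (constructed)
    local_time: time      # time of day where the user is
    mfa_verified: bool    # session has already completed multifactor auth
    device_managed: bool  # device posture: managed and compliant


@dataclass(frozen=True)
class Policy:
    name: str
    groups: frozenset
    resources: frozenset
    allowed_countries: frozenset
    window_start: time    # access permitted between start and end
    window_end: time      #   (the window may wrap past midnight)
    base_risk: int        # sensitivity of the resource, constructed 0-100 scale
    mfa_threshold: int    # risk at or above this needs a verified MFA session


@dataclass(frozen=True)
class Decision:
    allow: bool
    reason: str
    step_up_mfa: bool = False  # True when completing MFA would turn the deny into an allow


def in_window(t: time, start: time, end: time) -> bool:
    """Time-of-day check that also handles windows wrapping past midnight."""
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end


def risk_score(req: AccessRequest, policy: Policy) -> int:
    """Constructed risk heuristic: resource sensitivity plus device posture."""
    score = policy.base_risk
    if not req.device_managed:
        score += 40
    return score


def evaluate(req: AccessRequest, policies: Iterable[Policy]) -> Decision:
    """Default-deny evaluation: access needs an explicit policy matching the
    user's group and the named resource, and every context check must pass."""
    matching = [p for p in policies
                if req.group in p.groups and req.resource in p.resources]
    if not matching:
        return Decision(False, "no policy grants this group access to this resource")
    policy = matching[0]
    if req.country not in policy.allowed_countries:
        return Decision(False, f"{policy.name}: location {req.country} not permitted")
    if not in_window(req.local_time, policy.window_start, policy.window_end):
        return Decision(False, f"{policy.name}: outside permitted hours")
    risk = risk_score(req, policy)
    if risk >= policy.mfa_threshold and not req.mfa_verified:
        return Decision(False, f"{policy.name}: risk {risk} requires MFA", step_up_mfa=True)
    return Decision(True, f"{policy.name}: allowed (risk {risk})")


# Constructed sample policies: a small first set of the kind the article suggests.
POLICIES = [
    Policy("devops-to-ci", frozenset({"devops"}), frozenset({"ci-server"}),
           frozenset({"GB", "BE", "US"}), time(0, 0), time(23, 59, 59),
           base_risk=20, mfa_threshold=50),
    Policy("dba-to-prod-db", frozenset({"dba"}), frozenset({"prod-db"}),
           frozenset({"GB", "BE"}), time(7, 0), time(20, 0),
           base_risk=30, mfa_threshold=50),
]

# Constructed sample requests covering the main outcomes.
SCENARIOS = {
    "managed dba in hours":    AccessRequest("ann", "dba", "prod-db", "GB", time(10, 0), False, True),
    "unmanaged dba no mfa":    AccessRequest("ann", "dba", "prod-db", "GB", time(10, 0), False, False),
    "unmanaged dba with mfa":  AccessRequest("ann", "dba", "prod-db", "GB", time(10, 0), True, False),
    "dba out of hours":        AccessRequest("ann", "dba", "prod-db", "GB", time(22, 0), False, True),
    "dba from blocked country": AccessRequest("ann", "dba", "prod-db", "US", time(10, 0), True, True),
    "devops to prod-db":       AccessRequest("bob", "devops", "prod-db", "GB", time(10, 0), True, True),
    "night shift wraps midnight": AccessRequest("cy", "devops", "ci-server", "BE", time(23, 30), False, True),
}


def run_demo() -> dict:
    """Evaluate every sample scenario; returns {scenario: Decision}."""
    return {name: evaluate(req, POLICIES) for name, req in SCENARIOS.items()}


if __name__ == "__main__":
    for name, decision in run_demo().items():
        verdict = "ALLOW" if decision.allow else ("STEP-UP MFA" if decision.step_up_mfa else "DENY")
        print(f"{name:28s} -> {verdict:12s} {decision.reason}")
```

Two design points carry over to a real deployment. First, the grant is expressed as group-to-named-application, not as a reachable subnet, which is what lets the later "firewall rule reduction" metric fall out naturally. Second, MFA is demanded by risk rather than unconditionally, so a managed device in a permitted location and time window is not prompted, while an unmanaged device on a sensitive resource is turned away with a step-up hint rather than a flat deny.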
After the use case is up and running, success should be measured against key metrics. The criteria will depend on the use case and the company’s priorities, but data points such as end-user satisfaction, adoption rates, productivity gains and firewall rule reduction are some useful examples.
Step five: Scaling up
Organisations can now begin planning how to scale up across more of their operations. The fact that ZTNA is a software-defined model makes it relatively straightforward to create an expanded roadmap as there are no physical installations or investments to deal with. With a robust provider in place, it should be as simple as adding more gateways, defining new policies, and bringing in more users.
Alongside covering more applications, the journey to ZTNA implementation can also include more advanced capabilities, such as automating policies and infrastructure and orchestrating workflows. The data generated by log activity can also be integrated into tools such as user and entity behaviour analytics (UEBA) and security information and event management (SIEM), providing valuable insights and further improving the security posture.
Kurt Glazemakers is CTO at Appgate