The rise of remote working in recent times has been both a productivity boost and a cause of concern for modern organizations. While remote working provides numerous benefits, it also provides a new pathway for cybercriminals to break into your environment. Virtual Private Networks (VPNs) have been the traditionally secure way of remotely accessing corporate environments, but a new concept referred to as Zero Trust has been gaining popularity these last few years. In fact, Gartner has predicted that 70% of new companies will transition away from VPNs to Zero Trust based networks by 2025. This article examines these two models, their strengths and weaknesses, and why companies have embraced the Zero Trust Model over VPNs.
Virtual Private Networks (VPNs)
VPNs are designed to provide a secure and encrypted “tunnel” for workers to access their corporate networks over the Internet. By providing secure, end-to-end encryption, companies can ensure that their data is protected when traveling over a less secure network such as the Internet. Cybercriminals are prevented from viewing or accessing it, but employees are free to use their folders, applications, and data just as they can from an on-prem network. VPNs can also allow users to bypass location-specific restrictions to access content that is not allowed within a region. They can even enhance privacy by hiding users’ IP addresses and browsing activities, offering more control over their online lives.
Despite these benefits, however, VPNs are limited by the following disadvantages:
-
Perimeter-based Security Model: VPNs operate on a perimeter-based model of security that assumes the internal network is trusted while the external network is untrusted. This model, while good for its time, is no longer sufficient to deal with today’s advanced threats that can gain access via compromising trusted users or devices. Once granted access, the VPN cannot stop attackers from laterally moving within the network to compromise further applications and systems.
-
Performance and Scalability: VPNs often carry a performance overhead and introduce latency when users connect to their corporate resources over the Internet. This can increase with the number of connected users and devices, causing problems with scalability and speed.
- Dependency on VPN servers: The VPN server can become a single point of failure for organizations and cause connections for all remote users if it experiences an outage.
The Zero Trust Model
Zero Trust is a paradigm shift in how network security and access are approached within cybersecurity. Instead of relying on a hard perimeter and assuming an implicit trust for users and devices within the network, Zero Trust operates on the principle of “Never Trust, Always Verify.” This principle dictates that no user or device is implicitly trusted, and every request is considered to be potentially malicious. This allows the model to address threats both inside and outside the network.
Zero Trust was explicitly designed to address the limitations of perimeter-based security, such as VPNs and firewalls, which no longer provide sufficient security against today’s multi-layered attacks. Technologies such as mobile devices, cloud computing, and the Internet of Things (IoT) have also blurred the perimeter, necessitating this new approach.
In addition to its core concept, Zero Trust also involves several principles, such as the following:
-
Identity and Access Control: Zero Trust moves the focus from the perimeter to identities and enforces strong controls such as multi-factor authentication (MFA) to ensure users are verified with robust security controls.
-
Continuous Monitoring: Authorization is not a one-time activity; user activities are continuously verified against a baseline of authorized behavior. Additional controls are enforced if the Zero Trust engine detects any anomalies.
-
Least Privilege: Zero Trust ensures that users and devices are only granted the least amount of privilege required for carrying out their duties. This mitigates the risk of lateral movement by limiting the ability of attackers to move within the network.
- Micro segmentation: One of the critical controls involved in Zero Trust is micro segmentation, where the network is further divided into smaller segments that can be dynamically enforced based on security data. This allows the network to adapt to changing security conditions in response to instructions from the Zero Trust engine.
However, Zero Trust does have some challenges, such as the following:
-
Complexity: Zero Trust is not a plug-and-play solution. It requires a fundamental re-architecting of the network structure. This can be challenging for organizations unfamiliar with the concept.
-
Visibility: Zero Trust requires deep visibility into the infrastructure, which may require additional investments and costs. The Zero Trust engine needs to analyze every request, because requests that are not being monitored can potentially bypass its inspection.
-
Compatibility: Some network components may be unable to accommodate Zero Trust principles of visibility and micro segmentation. These may need to be replaced or upgraded, requiring cost and effort.
-
Awareness: Employees and IT administrators may find Zero Trust cumbersome to adopt and resist the change unless they become aware of its benefits. It is important to engage stakeholders early on and implement Zero Trust in a phase-wise approach.
Zero Trust vs. VPN
While VPNs are a useful system, and can be easier to implement than Zero Trust, Zero Trust provides more security and flexibility over the traditional VPN model. It is able to accommodate new technologies and working methods, and also allows for future-proofing, as its principles can adapt to various security conditions. Some of the key benefits Zero Trust offers over VPN include the following:
-
Enhanced Security: Zero Trust eliminates the dependence on perimeter controls and assumes that every request is potentially malicious. This makes it more resistant to today’s advanced attacks, as it verifies every request regardless of where and how it originated. Plus, the Zero Trust engine uses a strong identity core, micro segmentation, and continuous monitoring to restrict the damage an attacker can do even if they compromise the environment. Meanwhile, VPNs are more vulnerable, as an attacker on the inside will be trusted.
-
Flexibility: Zero Trust models are designed to work with many environments, be it on-prem, cloud, hybrid, etc., and accommodate trends like Bring Your Own Device (BYOD). By verifying every request, the Zero Trust can adapt to any request, whether it originates from a personal or corporate device.
-
Scalability: VPNs traditionally struggle to scale as networks and the user base increase. There is also the issue of configurations and user rights that can become an administrative overhead. Zero Trust can scale much better, as it is designed with scalability in mind and adopts a more decentralized approach.
-
Performance: VPNs impact performance and introduce latency if the server is overloaded with traffic. Zero Trust provides a more seamless user experience, eliminates the need to connect to a VPN server, and allows users to access resources directly from the Internet. The Zero Trust engine ensures that its security controls, like continuous monitoring and identity, run in the background, ensuring no malicious activity occurs.
Although Zero Trust has many benefits over VPNs, organizations must remember that Zero Trust takes time and effort to implement. Care must be taken when adopting it, and it may be a good idea to use a hybrid approach where VPNs continue to be used while Zero Trust components are implemented in a phase-wise manner.
Google’s BeyondCorp Project—A Case Study
Having discussed the Zero Trust model and how it compares to VPNs, let’s look at a real-life concrete example of the benefits of Zero Trust. One of the best case studies of how to successfully implement Zero Trust and move away from the traditional VPN model is Google’s BeyondCorp initiative. The tech giant decided to transition away from VPNs and embrace the flexibility offered by Zero Trust, adopting an enterprise model called BeyondCorp to allow employees to work from any location without a VPN.
Google also published several research papers for the industry detailing its journey into the Zero Trust model, which serve as excellent guides for any organization still hesitant about embarking on this journey. The principles that BeyondCorp implemented are based on the following:
- Access must not be determined by the network from which you connect
- Access is granted based on contextual factors from the user and their device
- Access must be authenticated, authorized, and encrypted
In short, Google’s BeyondCorp is a great success story for adopting Zero Trust and shows the practical benefits of adopting this new model. It proves that the security benefits mentioned previously can be practically implemented without compromising the user experience or security. BeyondCorp is an excellent benchmark for other organizations to aspire to when starting their journey. In addition, Google has turned BeyondCorp into a zero-trust solution, delivering BeyondCorp Enterprise via Google Cloud.
Conclusion
Cybersecurity is a constant state of evolution, and Zero Trust can be seen as the next step forward in network security. Because attacks can now originate inside the network due to a compromised device or user, the old perimeter approach is no longer feasible. Furthermore, trends like cloud computing, personal devices, and remote work require a new way of doing things. Zero Trust is the answer to these issues. Either used alone or combined with VPNs, Zero Trust can give organizations the flexibility they need without compromising on security or performance.
Thank you for trusting us to help with your cybersecurity needs. Contact us any time – we’re always happy to help.
Adam