Zero Trust Network Access: A VPN Replacement


Posted on August 26, 2021


For many years Virtual Private Networks (VPNs) have been the dominant technology for enabling remote access. In this post we’ll explore why the time is right for most companies to make the switch from VPNs to an alternative remote access solution based on Zero Trust.

Virtual Private Network (VPN) Basics

VPNs were first introduced in 1995, when a consortium of companies led by Microsoft released Point-to-Point Tunneling Protocol (PPTP), a protocol that allowed the creation of a secure network between users by establishing an encrypted tunnel over a Local Area Network (LAN) or Wide Area Network (WAN).

Businesses and governments quickly adopted VPNs to let employees access critical systems on the corporate network over an internet connection. VPNs have found wide use for other purposes as well. Consumers often use VPNs to access the internet because they provide a greater level of online privacy and allow users in countries that restrict internet access, such as China, to bypass government restrictions. They also allow users to bypass geolocation restrictions imposed by vendors and other website owners. For example, streaming services enforce content licensing restrictions by blocking access for users outside the geographical area to which their licenses apply. Users in those areas may use a VPN to appear as if they are in another country. By appearing to the streaming service as a local user, they (illicitly) gain access to the restricted content.

The corporate VPN was created long before the distributed workforce, cloud computing, and software-as-a-service (SaaS) existed. Corporate VPNs were developed in an era when corporate data was stored primarily (if not entirely) on internal corporate networks. Remote working was somewhat rare, limited for the most part to salespeople while they travelled among customers and prospects. Companies provided supposedly secure remote access VPNs for these salespeople and other occasionally remote employees to jump onto the corporate network and access network resources as if they were directly connected in the office. For the most part, software resided on users’ laptops. Typically, the only resources they accessed on the organization’s network via the VPN were data.

Over the years, numerous VPN protocols have been developed beyond PPTP, including SSL and IPSec, the protocols that are most commonly used today. Secure Sockets Layer (SSL) protects most websites on the internet today. When you shop online, for instance, an SSL VPN secures the transfer of sensitive data such as your credit card number to the vendor. Another protocol commonly used in VPNs is IPSec. Using a four-step process, IPSec authenticates the origin of the data, encrypts it, checks the data for integrity, and finally manages its reception and decryption, providing a secure communication link.

The Downsides of VPNs

Corporate VPNs weren’t designed for today’s environment, which features many remote workers and the extensive use of SaaS apps and cloud services. In fact, even before the pandemic-spurred mass move to working remotely, VPNs were no longer able to serve the diverse secure remote access needs of today’s businesses and users.

Many issues inherent in VPNs make them insecure and inconvenient for organizations today, and a major cybersecurity risk.

Open ports

VPN concentrators (the networking device that creates the VPN connections) rely on open ports that remote users access to establish VPN connections. These ports broaden the available attack surface, as bad actors scan for them and leverage them as a path to enter networks.

Network-level access controls

When connecting through the VPN client, once the authenticated user passes network perimeter controls, they’re inside the perimeter, potentially granting access to the entire network. The same is true for cybercriminals who manage to gain access. This inherent architectural weakness places an organization’s data centers, data, applications, and intellectual property at risk.

Weak authorization

VPNs rely heavily on user credentials. Thanks to poor password practices, VPNs are often successfully penetrated via brute force attacks. Often, however, even the effort involved in such an attack is not needed.

Login credentials are primary targets of many phishing and social engineering attacks. As a result, criminals need not even bother to steal user credentials: millions of stolen user credentials, even privileged credentials, are available for sale on the dark web.

With an open port and a set of stolen credentials, hackers can quickly and easily infiltrate a network. Even two-factor authentication codes can be captured.

Software vulnerabilities

Over the years, many leading VPN solutions such as FortiGate and Pulse Secure – the list is long – were found to have software flaws that cybercriminals were able to exploit. Far too many companies are negligent about installing software patches as soon as they come out, or delay installation of patches that are likely to “break” integrations. Unpatched VPNs thus leave organizations at risk even when vendors issue patches promptly. Most VPNs require a client, so a user device that has not been updated is also a security risk, even if the server side is up to date.

Inflexible architecture

VPNs were designed to connect remote users to networks. In today’s hybrid cloud environment, where employees both in the office and working from home work extensively with SaaS apps and cloud-based resources on public and private clouds, as well as resources on company servers, it’s difficult to provide consistent security to all destinations using remote access VPNs. Routing all user traffic through the VPN to apply security controls is cumbersome when much of the workload is not handled on the internal network.

Poor performance

VPN concentrators create chokepoints with performance issues, resulting in poor user experiences.

Inconvenient

Beyond the slowdowns and unexpected disconnections that inconvenience users, VPNs are also a drain on the productivity of the IT staff.

  • Traditional VPNs are expensive and time-consuming to scale, with application-level maintenance required to control access
  • They have poor interoperability with IT, security, and business systems
  • They create complexity in firewall and access policy management
  • They typically require clients to be installed on each laptop and personal user device, which is both inconvenient and a security vulnerability

VPN Alternatives and the Zero Trust Model

The continuing onslaught of cyberattacks in recent years has overwhelmed conventional approaches to network security based on legacy technologies such as VPNs. In the wake of a growing number of very expensive, crippling cyberattacks, it has become clear that the conventional approaches to cybersecurity and remote access are not enough, and that in many cases, such as the Colonial Pipeline attack, VPN-related issues were key enablers. VPNs are failing to protect data the way they used to. VPN alternatives are needed to secure today’s more complex networks.

Under the castle-with-a-moat security model, VPNs were valued as part of a strong perimeter, along with the firewalls, antivirus and anti-malware software that defended the perimeter “walls.” VPNs served as a path to enable remote work and were secured with user credentials. However, easy-to-break passwords, stolen credentials, software vulnerabilities (including zero-day exploits), and sophisticated phishing and spear phishing attacks opened gaps in those perimeter walls, allowing unauthorized application access and resulting in data breaches and ransomware attacks.

More to the point, however, is the obsolescence of the traditional network perimeter concept, which divides work surfaces into a dangerous “outside” and a safe “inside” as a way to manage access. Given the central role of the web, SaaS apps on remote servers and both public and private clouds are essential for business today. The Zero Trust model eliminates the in/out distinction and views everything and everyone with suspicion. Zero Trust security treats internal traffic as potentially dangerous, along with traffic originating from the remote workforce.

While the basic Zero Trust security concepts were introduced over a decade ago, it is only in the last few years that the dissolution of the business perimeter has confirmed the Zero Trust model as the security paradigm of choice.

In contrast to VPNs, compliance with Zero Trust security concepts of least privilege access and “never trust, always verify” requires remote users to have extremely limited access, only to the specific resources each user needs. Moreover, Zero Trust security requires user authentication and validation for each individual resource.

Zero Trust Network Access (ZTNA)

Zero Trust Network Access (ZTNA) solutions, sometimes also referred to as SDP (software defined perimeter) solutions, are a VPN replacement representing a new conceptual approach to providing secure remote access. It is a robust form of Identity and Access Management (IAM) that replaces the perimeter based on the physical location of the company’s servers with virtual (software-defined) perimeters, for more granular control. These perimeters are uniquely defined and leverage per-user access policy and access controls to enforce secure least privilege access for individual users.

This type of secure access minimizes the potential damage resulting from data breaches, brute force attacks and stolen credentials, in keeping with “assume breach,” the third principle of Zero Trust security. It is important that privileged accounts (high level accounts with extensive access) be used sparingly. Failures in privileged access management have resulted in successful cyberattacks.

Least privilege protections cover (at least) two different scenarios. In the event that someone does manage to hack into your environment, either with stolen credentials or in a brute force attack, the damage is limited to the applications that the user was permitted to access. It also provides some protection from “malicious insiders,” an employee or vendor who has legitimate corporate network access, but who may be interested in either stealing confidential data or harming the organization.
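To make the contrast concrete, here is an added example (my own illustration, not code from this post or from ZTEdge) with a constructed network and policy: a VPN-style check that makes every corporate host reachable once a user is authenticated, beside a ZTNA-style check that re-verifies identity and device posture on each request and then consults a per-user, per-application policy. The helper functions compute the “blast radius” of a stolen credential under each model.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample environment (not from the original post).
CORP_NET = ip_network("10.0.0.0/8")          # everything a VPN client can route to
APPS = {                                     # app name -> internal host it runs on
    "crm": "10.0.1.10",
    "git": "10.0.2.20",
    "hr-db": "10.0.3.30",
}
# Per-user, per-application policy; anything not listed is denied by default.
ZTNA_POLICY = {
    "alice": {"crm", "git"},
    "bob": {"hr-db"},
}


def vpn_allows(authenticated: bool, host: str) -> bool:
    """VPN model: one successful login puts the user inside the perimeter,
    so any host on the corporate network becomes reachable."""
    return authenticated and ip_address(host) in CORP_NET


@dataclass
class Request:
    user: str
    app: str
    mfa_verified: bool      # identity re-verified for this specific request
    device_compliant: bool  # device posture checked for this specific request


def ztna_allows(req: Request) -> bool:
    """ZTNA model: verify identity and device on every request, then consult
    the per-user policy for the single application being requested."""
    if not (req.mfa_verified and req.device_compliant):
        return False
    return req.app in ZTNA_POLICY.get(req.user, set())


def reachable_via_vpn(authenticated: bool) -> set:
    """Blast radius of a stolen VPN password: every app on the network."""
    return {app for app, host in APPS.items() if vpn_allows(authenticated, host)}


def reachable_via_ztna(user: str, mfa: bool, compliant: bool) -> set:
    """Blast radius of a stolen ZTNA credential: only that user's apps,
    and nothing at all if the MFA or device check fails."""
    return {app for app in APPS if ztna_allows(Request(user, app, mfa, compliant))}


if __name__ == "__main__":
    print("VPN, stolen password:", sorted(reachable_via_vpn(True)))
    print("ZTNA, bob with MFA:", sorted(reachable_via_ztna("bob", True, True)))
    print("ZTNA, bob without MFA:", sorted(reachable_via_ztna("bob", False, True)))
```

Running it shows the point of the two scenarios above: a stolen VPN password exposes all three applications, while a stolen ZTNA credential for bob exposes only hr-db, and exposes nothing if the second factor or device check is missing.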

Ideally, security teams should implement ZTNA in a comprehensive manner, to provide secure access for both remote work and for users accessing the network while onsite, and to enable Zero Trust protection for apps and data wherever they are located, on company servers or in the cloud.

ZTNA technology can, and should, be implemented with a comprehensive verification process such as multi-factor authentication. Ideally, to ease the burden on users, the secure connection should be enabled via Single Sign-On (SSO), a technology allowing authenticated users to log in once each day (or until they have been inactive for a significant period of time) with one set of credentials to gain secure access to all their apps. This enhances security by reducing the attack surface: reducing the number of occasions when credentials are entered reduces the opportunities for them to be compromised as well.

VPN vs ZTNA, In Short

To summarize, ZTNA offers several benefits over VPN:

  • More secure – sets the perimeter around apps and users, not physical hardware, for more secure remote access
  • Comprehensive – cloud-based as well as internal server-based resources for both remote workers and users onsite
  • Simpler to manage – designed from the ground up for today’s network topologies for high performance and easy integration
  • Better performance – cloud-based ZTNA solutions, such as ZTEdge, bring authentication enforcement close to the user, eliminating chokepoints associated with VPN clients
  • Simpler to scale – cloud-based ZTNA solutions require no equipment and scale instantly

Implementing ZTNA

Given the above problems with VPNs, the time is ripe to consider a VPN replacement. Zero Trust access solutions are an essential element of a comprehensive Zero Trust solution. While security experts recommend migrating to a comprehensive Zero Trust solution, rather than implementing Zero Trust on a piecemeal basis, for organizations that prefer a more gradual approach, ZTNA is an ideal place to start.

ZTEdge’s ZTNA solution is a VPN alternative that provides simplified remote application access along with all of the benefits of ZTNA mentioned above. ZTEdge is a SASE (secure access service edge) platform that combines the network speed of a software-defined WAN (SD-WAN) with Zero Trust security, tailored to the needs of midsize enterprises and small businesses and hybrid work. ZTEdge makes it easy to implement Zero Trust gradually, at the pace that is right for many organizations.

Contact us today to hear just how quick and easy it can be to ditch your vulnerable VPNs and move to a Zero Trust security approach, starting with ZTNA.


About Leo Versola

For over 25 years, Leo has executed on strategic business vision and technical leadership with a wide range of start-ups and established cybersecurity companies in various senior leadership roles. Leo’s expertise in enterprise, cloud and SaaS security enabled him to build and lead high-performance technical teams driving product development, technical innovation, and sales for a number of companies including VMware, Lastline, Zscaler, Barracuda Networks, Forcepoint, RedSeal Networks, Fortinet, Juniper, and NetScreen.
