Is your VPN getting in the way of productivity? If so, you’re not alone.
When it comes to remote network access, you have difficult choices to make. But essentially, they all boil down to two things:
Until now, many organizations have relied on a traditional network security model centered on perimeter security, using virtual private networks, or VPNs.
The basic model of the VPN is that the network is surrounded by a virtual perimeter, or “fence”, to keep out intruders. But in today’s decentralized climate, that model is becoming increasingly hard to manage. Not everybody accessing your network needs to have or should have the same level of access permissions, for example third party users such as consultants, administrators are not likely to require access to the same applications, or require the same level of permissions (e.g. read, write, manage permissions etc.) .
The relevance of VPNs is tested to the limit as organizations move applications off the corporate network, especially into the cloud, and with more and more employees working from remote locations at least part of the time. Not only can all these changes render your VPN far less effective, but they can also interfere with productivity.
Let’s explore some of the ways your traditional VPN may be letting you down. Then, we’ll look at an emerging security model that’s simpler to manage and offers you more granular control to take back the reins of your network security.
As many organizations have already realized, traditional VPN and perimeter-based access controls aren’t sufficient. Why not?
As mentioned, corporate networks are becoming decentralized. Work from home (WFH) and third-party access (e.g. by consultants and partners) mean that remote network access requests are coming in from everywhere. Performance can be compromised and latency increased due to an on-premises, perimeter-centric security architecture that forces all traffic to be routed through the datacenter.
Enabling access from these unmanaged, non-corporate sourced devices means your network and assets are being accessed from unknown endpoints, whose risk posture is unknown and which may or may not be infected with malware. In this climate, you can’t always recognize or control the endpoints to make sure they’re patched and healthy. An intruder could easily piggyback into your network via a compromised endpoint.
VPNs also lack the flexibility you need in today’s IT environments. They don’t transition well to cloud and usually have limited capability to support secure access to cloud workloads and IaaS (e.g. AWS, GCP, Azure).
And when it comes to supporting third party users, VPN use may not be permitted at all, due to regulations that prohibit the installation of clients on non-employee devices. Alternatively, where such regulations do not exist, excessive permissions may be given to external parties by enabling them to install a client and thus receive an unnecessarily high level of implicit trust, which may also allow easy access to sensitive company assets and information.
Plus, by attempting to simplify security with a perimeter model, VPNs disempower you and your security team. With a VPN, you lack granular control over a few key areas, creating multiple problems:
VPNs were great for their time—when most users were on-site, and when most apps were on local servers.
But today, we’re seeing serious data breaches happening because hackers know that if they can get through a corporate firewall, chances are good that they won’t meet with much resistance from internal systems. Indeed, VPNs and firewalls can all make us overconfident in the state of our network security.
For all these reasons, Gartner has estimated that by 2023, up to 60% of enterprises will phase out VPNs in favor of a different architecture–Zero Trust Network Access or ZTNA.
Some of the problems with VPNs have helped create awareness of the need for a security model that doesn’t simply allow trusted users to roam freely within the corporate network. Into this vacuum has emerged the Zero Trust security model, a concept originally coined by Forrester.
Zero Trust—endorsed by heavy hitters such as the U.S. Department of Defense—focuses on a reality in which we must “never trust, always verify.” In this way, Zero Trust makes it easier to ensure only the right people get least privileged access to the right application, in the right role at each and every access attempt, ideally with in-app controls and visibility available into what they do post-login..
In fact, Zero Trust is more a state of mind or paradigm shift than a single tool—there is no “zero trust in a box.” The Zero Trust model:
Zero Trust can be difficult to implement, and certainly, most organizations will want to shift gradually. A U.S. Department of Defense document explains that “Zero Trust can be applied incrementally, group by group, or application by application, although end-user experience should definitely be a consideration.”
Choosing tools to simplify the shift will help transition your entire operation to a Zero Trust architecture far more easily than you might think.
Analyst firm Gartner has taken the zero trust notion a step further, specifically defining an architecture called Zero Trust Network Access. To quote its ZTNA glossary definition:
“Zero trust network access (ZTNA) is a product or service that creates an identity- and context- based, logical access boundary around an application or set of applications.”
Or put simply, ZTNA services replace network-layer permissions with application-specific permissions, taking into account identity-based access controls and contextual authentication, e.g. user group or role, multi-factor authentication, IP address, location and day or time restrictions.
“The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities.”
In practice, this may work with a cloud-based ZTNA-as-a-service that hides the network from view via the public internet, essentially serving as a DMZ-as-a-service that “darkens” the datacenter. The broker authorizes or forbids access to specific applications on a case-by-case basis.
“The broker verifies the identity, context and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network. “
By authorizing access only to the requested resource, the risk of lateral movement is eliminated, as users only see applications they are allowed to access. All other applications are hidden from view (for example, using a personalized portal that only shows apps authorized for access by a particular user).
“This removes application assets from public visibility and significantly reduces the surface area for attack.”
One tool that can make shifting to Zero Trust and a modern network environment easy is Harmony Connect Remote Access. Part of Check Point Harmony Connect, Check Point’s a SASE (secure access service edge) solution
There are many reasons to begin the transition to Zero Trust sooner.
You may already be experiencing growing pains with your VPN as you scale and expand into hybrid and cloud-based environments, especially as work from home has become business as usual. Perhaps you’re also looking to the Zero Trust future for security or compliance reasons, to ensure that your organization’s assets are as well-defended as possible.
Discover how Check Point Harmony Connect Remote Access keeps your business running at its best. Here are a few resources to get you started: