Is your VPN getting in the way of productivity? If so, you’re not alone. When it comes to remote network access, you have difficult choices to make. But essentially, they all boil down to two things: You need to make access for as as possible legitimate users easy You need to make access for as as possible anyone else hard Until now, many organizations have relied on a traditional network security model centered on perimeter security, using virtual private networks, or VPNs. The basic model of the VPN is that the network is surrounded by a virtual perimeter, or “fence”, to keep out intruders. But in today’s decentralized climate, that model is becoming increasingly hard to manage. Not everybody accessing your network needs to have or should have the same level of access permissions, for example third party users such as consultants, administrators are not likely to require access to the same applications, or require the same level of permissions (e.g. read, write, manage permissions etc.) . The relevance of VPNs is tested to the limit as organizations move applications off the corporate network, especially into the cloud, and with more and more employees working from remote locations at least part of the time. Not only can all these changes render your VPN far less effective, but they can also interfere with productivity. Let’s explore some of the ways your traditional VPN may be letting you down. Then, we’ll look at an emerging security model that’s simpler to manage and offers you more granular control to take back the reins of your network security. The Limitations of VPNs for Remote Network Access As many organizations have already realized, traditional VPN and perimeter-based access controls aren’t sufficient. Why not? As mentioned, corporate networks are becoming decentralized. Work from home (WFH) and third-party access (e.g. by consultants and partners) mean that are coming in from everywhere. Performance can be compromised and latency increased due to an on-premises, perimeter-centric security architecture that forces all traffic to be routed through the datacenter. remote network access requests Inability to support BYOD unmanaged devices Enabling access from these unmanaged, non-corporate sourced devices means your network and assets are being accessed from unknown endpoints, whose risk posture is unknown and which may or may not be infected with malware. In this climate, you can’t always recognize or control the endpoints to make sure they’re patched and healthy. An intruder could easily piggyback into your network via a compromised endpoint. No secure access to cloud workloads VPNs also lack the flexibility you need in today’s IT environments. They don’t transition well to cloud and usually have limited capability to support secure access to cloud workloads and IaaS (e.g. AWS, , ). GCP Azure Overly permissive third party access And when it comes to , VPN use may not be permitted at all, due to regulations that prohibit the installation of clients on non-employee devices. Alternatively, where such regulations do not exist, excessive permissions may be given to external parties by enabling them to install a client and thus receive an unnecessarily high level of implicit trust, which may also allow easy access to sensitive company assets and information. supporting third party users No granular network or in-app controls Plus, by attempting to simplify security with a perimeter model, VPNs disempower you and your security team. With a VPN, you lack granular control over a few key areas, creating multiple problems: Overly broad network-level authorization and access controls Implicit risk of lateral movement and discoverability of sensitive assets No single place to manage controls for different applications No in-app controls over what users can do within each app (read, write, edit, ) Considering VPN Alternatives VPNs were great for their time—when most users were on-site, and when most apps were on local servers. But today, we’re seeing serious data breaches happening because hackers know that if they can get through a corporate firewall, chances are good that they won’t meet with much resistance from internal systems. Indeed, VPNs and firewalls can all make us overconfident in the state of our network security. For all these reasons, has estimated that by 2023, up to 60% of enterprises will phase out VPNs in favor of a different architecture– s or ZTNA. Gartner Zero Trust Network Acces The Rise of Zero Trust and ZTNA Some of the problems with VPNs have helped create awareness of the need for a security model that doesn’t simply allow trusted users to roam freely within the corporate network. Into this vacuum has emerged the model, a concept originally coined by . Zero Trust security Forrester Zero Trust—endorsed by heavy hitters such as the —focuses on a reality in which we must “never trust, always verify.” In this way, Zero Trust makes it easier to ensure only the right people get least privileged access to the right application, in the right role at each and every access attempt, ideally with in-app controls and visibility available into what they do post-login.. U.S. Department of Defense In fact, Zero Trust is more a state of mind or paradigm shift than a single tool—there is no “zero trust in a box.” The Zero Trust model: Relies on the principle of limited access on an application-by-application basis Relies on authentication of every single device and user no matter where they are located Acknowledges the complex reality of today’s networks and makes zero assumptions Zero Trust can be difficult to implement, and certainly, most organizations will want to shift gradually. A U.S. Department of Defense document explains that “Zero Trust can be applied incrementally, group by group, or application by application, although end-user experience should definitely be a consideration.” Choosing tools to simplify the shift will help transition your entire operation to a Zero Trust architecture far more easily than you might think. Analyst firm Gartner has taken the zero trust notion a step further, specifically defining an architecture called Zero Trust Network Access. To quote its : ZTNA glossary definition “Zero trust network access (ZTNA) is a product or service that creates an identity- and context- based, logical access boundary around an application or set of applications.” Or put simply, ZTNA services replace network-layer permissions with application-specific permissions, taking into account identity-based access controls and contextual authentication, e.g. user group or role, multi-factor authentication, IP address, location and day or time restrictions. “The applications are hidden from discovery, and access is restricted via a trust broker to a set of named entities.” In practice, this may work with a cloud-based that hides the network from view via the public internet, essentially serving as a DMZ-as-a-service that “darkens” the datacenter. The broker authorizes or forbids access to specific applications on a case-by-case basis. ZTNA-as-a-service “The broker verifies the identity, context and policy adherence of the specified participants before allowing access and prohibits lateral movement elsewhere in the network. “ By authorizing access only to the requested resource, the risk of lateral movement is eliminated, as users only see applications they are allowed to access. All other applications are hidden from view (for example, using a personalized portal that only shows apps authorized for access by a particular user). “This removes application assets from public visibility and significantly reduces the surface area for attack.” Moving from Network to Application-layer Access One tool that can make shifting to Zero Trust and a modern network environment easy is . Part of Check Point Harmony Connect, Check Point’s a Check Point Harmony Connect Remote Access addresses the limitations of current infrastructures providing a viable alternative that enables you to: Harmony Connect Remote Access SASE (secure access service edge) solution , VPN replacement : Instead of vetting users once at the entrance to your IT perimeter, shift access control decisions to business-driven policies that take into account devices, users, contextual attributed and requested Move from a physical to logical access perimeter : Use multi-factor authentication to eliminate the risk of unauthorized access arising from credential theft, integrating with your current identity provider as Authenticate and authorize each access attempt : With a clientless architecture, you no longer need to install any VPN client on user devices, meaning that consultants and partners get simple access to resources, and that users can easily connect and work from mobile devices Support BYOD and third party users : Reduce the risk of lateral movement by hiding your network and every unauthorized resource with a cloud-based trust broker, thereby also reducing the risk of DDoS attacks Darken your data center and network : Manage policies not only at the app level, but also at the query and command level, including permissions such as read, write, administer permissions etc.. Define and enforce in-app permissions : A centralized SIEM-friendly audit trail ensures you know who accessed which app, what actions they took within it, and optional session recordings. Get granular visibility into user session activity Learn More about our ZTNA-as-a-Service There are many reasons to begin the transition to Zero Trust sooner. You may already be experiencing growing pains with your VPN as you scale and expand into hybrid and cloud-based environments, especially as work from home has become business as usual. Perhaps you’re also looking to the Zero Trust future for security or compliance reasons, to ensure that your organization’s assets are as well-defended as possible. Discover how Check Point Harmony Connect Remote Access keeps your business running at its best. Here are a few resources to get you started: ESG’s Guide to Adopting SASE Network Security White Paper: How to Implement Zero Trust Corporate Access

Harmony

Check Point

Discovery

Google

Microsoft

How AWS Misconception Resulted in Detection of 5 Million Personal Records

How we Fuzz Tested the Microsoft Office Ecosystem

Visit us

Too Long; Didn't Read

How the Security of Remote Work Has Evolved With the Rise of Zero Trust

How the Security of Remote Work Has Evolved With the Rise of Zero Trust

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Best Practice: Identifying And Mitigating The Impact Of Sunburst

47 Stories To Learn About Checkpoint

Best Practice: Identifying And Mitigating The Impact Of Sunburst

Check Your Privilege: Designing Cloud Infrastructures According to the Least Privilege Principle

Cloud Sourcing as a Crucial Component in Threat Prevention

Cloud Threat Hunting: Investigating Lateral Movement

Best Practice: Identifying And Mitigating The Impact Of Sunburst

47 Stories To Learn About Checkpoint

Best Practice: Identifying And Mitigating The Impact Of Sunburst

Check Your Privilege: Designing Cloud Infrastructures According to the Least Privilege Principle

Cloud Sourcing as a Crucial Component in Threat Prevention

Cloud Threat Hunting: Investigating Lateral Movement

Light-Mode

Classic

Newspaper

Minty

Dark-Mode

Neon Noir

Minty

HN StartUps