The shift in cyber security from a static, perimeter-based model to a more nuanced, identity-centric one, accelerated by the changes in how the world worked during the pandemic, was summed up for me by what I recently heard at CloudNativeSecurityCon in Seattle. Amid all the buzz about next-generation technologies and trends, one thing really stood out: the changing role of VPNs in the Zero Trust era.
For decades, VPNs have formed the backbone of remote access to corporate networks. By creating an encrypted tunnel from the user to the network, they make security work like a guard at the front gate of the office: anyone who gets past the gate can move freely inside. Just as modern offices have upgraded from a guard at the front gate to badge access on every door, the IT landscape is evolving toward Zero Trust. Zero Trust starts from the premise that threats can come from anywhere, so every user and every device must be verified at every door, whether inside or outside the network.
This shift in both narrative and practice is stark, although it is often misunderstood. Zero Trust is a philosophy, not a product, in the same way that Agile or DevOps are. It demands that organisations approach security differently, from the ground up, designing systems that insist on verification of every access request regardless of its point of origin. VPNs are not dead; far from it. They are evolving, and can be a critical component of a Zero Trust architecture. What Zero Trust does require is a dramatic shift in thinking across the whole security discipline, forcing organisations to approach security differently from the beginning.
So why do companies keep using VPNs? The simple answer is that Zero Trust is hard and all-encompassing. Every part of an organisation's IT estate has to be touched to implement a Zero Trust model, and companies often judge that cost too high. VPNs also still fill needs that a blanket Zero Trust framework does not address well: site-to-site connections, for instance, and connectivity for third parties.
Zero Trust focuses on minimising the damage a breach can cause. A Zero Trust strategy can use the VPN as the perimeter control: the initial check before a device reaches the network at all. Once that check has passed, Zero Trust controls provide granular access to resources, verifying the individual's identity and granting access only to explicitly approved services. The key is that being connected to the VPN is necessary but never sufficient: a connected device still has no access until a per-request policy grants it. The VPN handles the initial check; Zero Trust provides deep, ongoing verification, marrying the best of both worlds.
Many modern VPN solutions are shedding their old skins, incorporating technologies that make them a better fit for Zero Trust. Protocols such as WireGuard provide fast, secure connections with far lower overhead and a much smaller code base than older VPN stacks, and keep up with modern data-intensive, high-speed workloads. Finally, the trend towards point-to-point connections means that the only thing reachable after connecting is the resource the user was granted, which is exactly the kind of granular access control that is the cornerstone of Zero Trust.
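As an added example (not code from the original article), the following Python script shows one way to turn a VPN perimeter into per-identity, point-to-point access. It relies on a property of WireGuard's cryptokey routing: a packet decrypted from a peer is only accepted if its source address lies within that peer's AllowedIPs, so a peer pinned to a single /32 has its tunnel address bound to its key. The script parses a constructed sample server config with placeholder keys, checks that each peer is pinned, and generates default-deny nftables rules from a hypothetical policy that maps each peer key to explicitly approved destination and port pairs. The interface name wg0, the chain names and the policy contents are all assumptions for illustration.

```python
"""Derive per-peer least-privilege firewall rules from a WireGuard server config.

Assumed deployment: a WireGuard gateway whose wg0 interface forwards traffic
from remote peers into an internal network. WireGuard's cryptokey routing
guarantees that a decrypted packet's source address lies within the sending
peer's AllowedIPs. If every peer is pinned to a single /32, the tunnel source
address is a reliable proxy for the peer's key, and a firewall keyed on that
address becomes an identity-based, default-deny policy.
"""
import ipaddress

# Constructed sample server config; the keys are placeholders, not real keys.
SAMPLE_WG_CONF = """\
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER

[Peer]
# alice-laptop
PublicKey = ALICE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.2/32

[Peer]
# bob-laptop
PublicKey = BOB_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.3/32

[Peer]
# legacy-site-router: too broad to bind to one identity
PublicKey = SITE_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 10.8.0.0/24, 192.168.50.0/24
"""

# Hypothetical policy: peer public key -> explicitly approved (destination, port).
POLICY = {
    "ALICE_PUBLIC_KEY_PLACEHOLDER": [("10.20.0.10", 443), ("10.20.0.11", 5432)],
    "BOB_PUBLIC_KEY_PLACEHOLDER": [("10.20.0.10", 443)],
}


def parse_peers(conf_text):
    """Return [{'public_key': str, 'allowed_ips': [ip_network, ...]}, ...] for each [Peer]."""
    peers = []
    current = None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line.startswith("["):
            current = {"public_key": None, "allowed_ips": []} if line == "[Peer]" else None
            if current is not None:
                peers.append(current)
            continue
        if current is None or "=" not in line:
            continue  # [Interface] settings are not needed here
        key, value = (part.strip() for part in line.split("=", 1))
        if key == "PublicKey":
            current["public_key"] = value
        elif key == "AllowedIPs":
            current["allowed_ips"].extend(
                ipaddress.ip_network(net.strip(), strict=False) for net in value.split(",")
            )
    return peers


def pinned_address(peer):
    """Return the peer's single /32 tunnel address, or None if it cannot be pinned."""
    nets = peer["allowed_ips"]
    if len(nets) == 1 and nets[0].prefixlen == 32:
        return str(nets[0].network_address)
    return None


def build_rules(peers, policy, wg_if="wg0"):
    """Return (nft_rules, unpinned_keys).

    The forward chain defaults to drop; only policy entries for pinned peers
    produce accept rules. Unpinned peers get no access and are reported.
    """
    rules = [
        "add table inet zt",
        "add chain inet zt forward { type filter hook forward priority 0; policy drop; }",
        "add rule inet zt forward ct state established,related accept",
    ]
    unpinned = []
    for peer in peers:
        src = pinned_address(peer)
        if src is None:
            unpinned.append(peer["public_key"])
            continue
        for dst, port in policy.get(peer["public_key"], []):
            rules.append(
                f"add rule inet zt forward iifname {wg_if} ip saddr {src} "
                f"ip daddr {dst} tcp dport {port} accept"
            )
    return rules, unpinned


if __name__ == "__main__":
    nft_rules, bad = build_rules(parse_peers(SAMPLE_WG_CONF), POLICY)
    print("\n".join(nft_rules))
    for key in bad:
        print(f"# WARNING: peer {key} is not pinned to a /32; no access granted")
```

Run as-is, the script prints an nftables script that can be loaded with `nft -f`, plus a warning for the site router peer: its /24 AllowedIPs cannot be tied to one identity, so the point-to-point model cannot apply and it receives no rules at all rather than a broad one. Identity checks deeper in the stack (mTLS, per-request tokens) still belong on top of this; the firewall layer only guarantees that a tunnel connection by itself reaches nothing.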
The boundary between VPNs and Zero Trust is blurring as modern VPN services add Zero Trust functionality: network controls that admit only users with the right identity-based permissions. We expect this convergence to continue, with VPNs remaining an integral part of organisational security strategy, not replaced by Zero Trust but augmented by it.
The claim that Zero Trust makes VPNs obsolete is a reductive, black-and-white view of a nuanced and complex field. Most modern enterprises will benefit from a best-of-both-worlds approach in which the two work together. A perimeter established with a VPN is the precursor to the more complex, identity-based controls of Zero Trust, which sit on top of the VPN's internal network and add the layer of verification that guards against both external and internal threats.
Moving forward, it is apparent that the choice between VPNs and Zero Trust is a false one. Understanding how each complements the other is the key to a security strategy that is resilient, adaptive and able to protect against the sophisticated threats of tomorrow.
In the context of this discussion, 'edge' means the edge of a networked environment: the point where devices or local networks connect to an external, usually public, network. This explains the popularity of both VPNs and Zero Trust architectures for protecting the edge of corporate networks, because data leaking at the enterprise edge can put all enterprise data at risk of access and exploitation by malicious actors. With the boom in remote work and the spread of cloud computing stretching the network perimeter, the internet edge has become a critical boundary to protect, demanding new ways to keep data intact and confidential across every access point.
To summarise, as cyber security continues to evolve in these dynamic times, combining the identity-centric verification of Zero Trust with the strong, encrypted connectivity of VPNs gives organisations an approach that secures their digital perimeters, and a framework that can readily expand to meet the threats that have yet to emerge.
© 2024 UC Technology Inc. All Rights Reserved.