Issues arose with using VPN servers when workforces expanded and scaled up. VPNs were built around a model where IT administrators distributed the devices employees used so they knew the network, device, and person. But remote work changed everything.   

As the workforce expanded globally and added contractors along with the introduction of BYOD, IT administrators could no longer assume that the device connecting to the VPN could be trusted. Without knowing whether those devices were updated or patched correctly, letting them connect could open the door for major security issues.

Furthermore, the centralized nature of VPNs creates other security dilemmas. They become easy targets for hackers as they only need a user’s credentials or a compromised device to gain access to the entire network. According to a Verizon report, 76% of VPN network intrusions involve compromised user credentials. Often, hackers will have access to VPNs for years before the organization discovers them. The process of patching can then take months and frequently systems are left unpatched and wide open to hackers. VPNs are notorious for being one of the main vectors of data breaches.

An issue of trust

Fundamentally, the issue lies in how VPNs are treated: it is assumed that once the device is authenticated and authorised, and then connected to the company network, all traffic to and from that device is trusted. Essentially, VPNs are no longer suitable for the modern-day remote workforce. Although there are occasions where VPNs could be used, there are still better, more efficient alternatives that provide a more seamless and secure user experience.


Enter Zero-Trust  

Moving beyond VPNs, we find a far more secure and scalable model: zero-trust. More organizations are adopting the zero-trust security architecture. There has been an evident increase in recognition of the importance of such architecture, with 84% of organizations around the world either adopting or in the process of adopting a zero-trust security system. 

Organizations must intelligently and strategically choose what security solutions they need and apply those technologies in a manner that deals with the core issues that enable flexibility and choice of a decentralised IT. Zero-trust is that strategic focus that leverages available security solutions to deal with the fundamental issues that allow heterogeneous infrastructure and BYODs. 

Zero-trust evolved from the need for a more identity-centric approach to the adoption of mobile and cloud technologies. It tied dynamic authorization (entitlements) to the identity. Zero-trust particularly started moving to the center stage throughout the pandemic and picked up pace moving into the hybrid era. As cloud solutions and platforms grew, secure access became increasingly important. Zero-trust methods reduce the cost of a data breach by about $1.76 million. Zero-trust also reduces the blast radius of these data breaches by isolating applications. With remote work here to stay, businesses can’t afford to have weak security systems.   

The removal of implicit trust

Zero-trust does what VPNs never could: it removes any implicit trust from the environment through a layered security approach. By default, zero-trust is a security model that denies access to data and applications and takes the “never trust, always verify” approach. So, even if you are connected to the corporate network (through any means), unless you have verified granular access, you can’t be granted entrance into corporate data. Moreover, unlike VPNs, zero-trust architectures assume data access is not uniform. This enables regulated scenarios like healthcare or finance to easily implement zero-trust architectures without exposing sensitive data to everyone within the organization. Access is gained through informed, risk-based and contextual verifications across users and devices.


Zero-trust advocates three simple principles:  

  1. All entities are untrusted by default, with no assumption that the device, the user, or the location they connect from is trusted
  2. Least privileged access is enforced, with a removal of the approach where wide security groups or configuration allows broad access
  3. Comprehensive security monitoring is implemented, comparing against a “known” configuration and following governance checks

These principles are why zero-trust is more suitable for remote work. They securely enable the “anywhere, anytime” workforce through continuous and rigorous verifications to ensure that, although you can get privileged access anywhere, it is not open to anyone.
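As an added illustration (not code from the original article), the three principles can be written as a small policy decision function in Python. The identities, applications, patch baseline and field names are assumptions made up for this example.

```python
from dataclasses import dataclass

# Constructed sample data; every name below is hypothetical.
ENTITLEMENTS = {  # identity -> granular (application, action) grants
    "alice@example.com": {("payroll", "read")},
    "bob@example.com": {("wiki", "read"), ("wiki", "edit")},
}
MIN_PATCH_LEVEL = 202405  # assumed "known" device baseline (YYYYMM)


@dataclass(frozen=True)
class Request:
    user: str
    mfa_verified: bool
    device_patch_level: int
    on_corporate_network: bool  # recorded for monitoring, never trusted
    app: str
    action: str


def decide(req: Request, audit_log: list) -> tuple[bool, str]:
    """Evaluate one request; anything not explicitly allowed is denied."""
    if not req.mfa_verified:
        verdict = (False, "identity not verified")
    elif req.device_patch_level < MIN_PATCH_LEVEL:
        verdict = (False, "device below patch baseline")
    elif (req.app, req.action) not in ENTITLEMENTS.get(req.user, set()):
        verdict = (False, "no entitlement for this application")
    else:
        verdict = (True, "entitled, verified user on compliant device")
    # Principle 3: every decision is logged, whether allow or deny.
    audit_log.append({"user": req.user, "app": req.app, "action": req.action,
                      "on_corporate_network": req.on_corporate_network,
                      "allowed": verdict[0], "reason": verdict[1]})
    return verdict


if __name__ == "__main__":
    log = []
    samples = [  # constructed requests
        Request("bob@example.com", True, 202406, True, "payroll", "read"),
        Request("alice@example.com", True, 202406, False, "payroll", "read"),
        Request("alice@example.com", True, 202311, True, "payroll", "read"),
        Request("mallory@example.com", True, 202406, True, "wiki", "read"),
    ]
    for r in samples:
        print(r.user, r.app, decide(r, log))
```

The first sample shows the contrast with a VPN: a verified user on the corporate network is still denied because no entitlement exists for that application, while the second is allowed from outside the network.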
