Depending on your age, you may remember a time when few people worked remotely. The corporate work environment was much more consistent across industries, and generally reflected a model of employees working in one or two predictable locations: either at the company’s headquarters, or in one of its satellite offices.
Because this configuration was so much simpler than what we have today, network security was much simpler, too. Legacy network security was centred around connecting workers in one of these few work spaces to information they had to access in data centres. So, it was a viable solution back then to use a virtual private network (VPN) for a connection back to the company’s network when an employee needed to work from home.
Things are much different in the current enterprise environment. Many more employees across diverse industries work remotely either for part of the week or always, and it’s a rare company today that doesn’t additionally leverage more than one cloud service. As the work environment has changed, so too have organizational security needs. When many workers and third parties need to access the system via their own devices and cloud has become the norm, the security risks rise exponentially. VPNs simply don’t have what it takes to keep organizations safe anymore.
Why Trust No Longer Works
Where remote access is concerned, VPNs have a few critical defects. A key issue is the trust-based network model. In the VPN approach, any user who authenticates becomes a “trusted” network user and, as such, gains access to one or more segments of the enterprise network. Consider the implications from the perspective of a hacker or anyone else seeking illegitimate access to company data: once through the company’s firewall, they are free to traverse the network with few limits.
Respected IT research firms reject this trust-based model and are strong proponents of zero trust. According to Forrester, “The drumbeat of Zero Trust across the market has continued to grow louder. Almost daily, the inquiries and conversations around Zero Trust and ZTX are coming in at an ever-increasing rate. That’s a good thing. In truth, most of the inquiries are from end user clients now, vice the vendor side of the equation.”
In short, zero-trust security is the opposite of the traditional network security model. The zero-trust model directs enterprises to authenticate and authorize users before a connection is established, and to keep verifying them continuously afterwards. Also, unlike the conventional remote access model, zero trust grants each person access not to the network, but only to the specific resources needed to do that individual’s job. The network attack surface is therefore significantly reduced: each user is bound by a policy-based security envelope that keeps every resource the user does not need invisible to that user.
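To make the contrast concrete, here is an added toy policy engine (not code from the original post or any vendor) that puts the VPN-style “authenticated means trusted on the segment” rule beside a zero-trust per-resource check with continuous re-verification. The resource catalogue, roles, user names and the 15-minute re-verification window are constructed for illustration.

```python
"""Added example (not from the original post): a toy policy engine that
contrasts the VPN-style "authenticated means trusted on the segment" model
with a zero-trust per-resource check that also enforces continuous
re-verification. All names, roles, resources and timings are constructed."""
from dataclasses import dataclass

# Constructed resource catalogue: each resource lists the roles allowed to reach it.
RESOURCES = {
    "hr-portal": {"hr"},
    "git-server": {"engineering"},
    "finance-db": {"finance"},
}

REVERIFY_AFTER = 900  # constructed policy: identity must be re-verified every 15 minutes


@dataclass
class Session:
    user: str
    roles: set
    device_compliant: bool
    last_verified: float  # seconds since epoch when identity was last checked
    authenticated: bool = True


def vpn_model_access(session: Session, resource: str) -> bool:
    """Legacy model: one successful authentication trusts the user for every
    resource on the segment, regardless of role or device state."""
    return session.authenticated and resource in RESOURCES


def zero_trust_access(session: Session, resource: str, now: float) -> bool:
    """Zero-trust model: every request is evaluated against policy. Access is
    granted per resource, requires a compliant device, and the identity must
    have been verified recently (continuous verification)."""
    if not session.authenticated or resource not in RESOURCES:
        return False
    if not session.device_compliant:
        return False
    if now - session.last_verified > REVERIFY_AFTER:
        return False  # stale verification: the caller must re-authenticate first
    return bool(session.roles & RESOURCES[resource])


def visible_resources(session: Session, now: float) -> set:
    """The policy-based envelope: a user only 'sees' the resources policy allows."""
    return {r for r in RESOURCES if zero_trust_access(session, r, now)}
```

Run against the same engineering session, the legacy check says yes to the finance database while the zero-trust check exposes only the git server, and it says no to everything once the verification window has lapsed.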
The most effective zero-trust solutions support next generation access, helping IT determine what individual users are doing, where they are located on the network, and why they are there. The Information Systems Security Association (ISSA) noted that “One key aspect of digital transformation for many companies has been the evolution and rise of the remote user. Application access from any device, anywhere has become an imperative for success, but with transformation comes challenges with attack surface and network vulnerability. Adopting a zero-trust model is key to combat cybercriminals who are probing security perimeters and enterprise resources for vulnerabilities with a distinct purpose. Application access and identity is one of the key areas to begin.”
Next generation access includes features such as:
Ability to view the correlation between access and users
The shift to an identity-based software-defined perimeter (SDP) model rather than a site-centric solution means that companies can benefit from a zero-trust, cloud-native approach that offers dynamic network segmentation based on each individual user. By requiring continuous verification and never automatically granting trust to someone seeking network access, companies can avoid the problems inherent in VPNs and other legacy approaches to securing networks.