By Etay Bogner, VP, Zero-Trust Products, Proofpoint and former CEO of Meta Networks
According to Gartner, “Zero trust networking is a concept for secure network connectivity where the initial security posture has no implicit trust between different entities, regardless of whether they are inside or outside of the enterprise perimeter. Least-privilege access to networked capabilities is dynamically extended only after an assessment of the identity of the entity, the system and the context.”
Virtual private networks (VPNs) were introduced nearly 20 years ago and today are a widely used remote access solution. VPNs provide anytime access from any location to enterprise applications, data and any other resources in the private data center or distributed IT infrastructure. The VPN delivers network security to remote users by backhauling their traffic to the data center, where products like Next Generation Firewall (NGFW), Secure Web Gateway (SWG) and Data Loss Prevention (DLP) are applied. VPNs also connect remote data centers and branches to the enterprise network (site-to-site).
As the cloud sweeps over the enterprise, next generation VPN solutions deliver remote access to cloud resources in public Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) providers like AWS and Azure, as well as to Software-as-a-Service (SaaS) solutions. Cloud-optimized VPNs also offer site-to-site connectivity between clouds and the data center (i.e. hybrid cloud) and some level of network security for users.
Enter the Software Defined Perimeter
While VPNs are even more important today than they were at the time they were invented, it is also clear that it is now time for the next generation of technology to address some of the major shortcomings of the VPN. When VPNs were first conceived, remote access to applications or servers was the exception. Now that it is the rule, traditional VPNs' remote access capabilities are not keeping up with the enormous shifts in technology. From a security perspective, VPNs expose a very large attack surface: once a user logs in, he or she, along with any malware on the endpoint, is on the internal enterprise network. From the management perspective, defining rules for each user and synchronizing them across the organization can be a headache.
And so, we have seen Software-Defined Perimeter (SDP) solutions begin to take on this challenge. As the name implies, they aim to redefine the perimeter as a solution that follows the user device wherever it is, rather than an office or data center.
When evaluating SDP solutions, look for ones that address all of the key business needs discussed above. Many solutions focus exclusively on remote access. This is an acute need today for many organizations, but it’s best to invest in a solution that can upgrade all of your VPN requirements and manage them centrally, to significantly reduce the operational overhead.
One must also consider worker mobility and cloud migration, as they are making it more difficult to secure the perimeter. Traditional VPN access is overly permissive, granting remote workers – whether they’re employees, partners, contractors or customers – access to more of the network than is required to complete their tasks. As a result, network resources are unnecessarily visible, overly vulnerable, and open to attack. Zero-trust SDP remote access solutions have no trusted zones: the IT administrator must grant users explicit permission to access specific applications. Beyond these designated one-to-one connections created for user devices, all other network resources remain isolated from view and completely invisible.
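The contrast described above, between a VPN that drops an authenticated device onto the network and an SDP broker that grants one-to-one application access only after checking identity, device posture and context, can be expressed as a small policy engine. The following Python is an added illustration written for this article, not code from Proofpoint or Meta Networks; the policy entries, group names, application names, posture flags and location values are all constructed for the example.

```python
"""Toy zero-trust access decision for an SDP-style broker (constructed example).

Every request is denied unless an explicit grant covers the user's group, the
target application, the device's posture and the connection context.
"""
from dataclasses import dataclass

# Constructed context values a client might report; not a real product's vocabulary.
ALL_LOCATIONS = frozenset({"office", "home", "public-wifi"})


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset          # identity assertions from the IdP (constructed)
    app: str                   # application the device wants a connection to
    device_managed: bool       # enrolled in device management
    device_compliant: bool     # posture check passed (e.g. disk encryption, EDR running)
    location: str              # connection context reported by the client


@dataclass(frozen=True)
class Grant:
    app: str
    groups: frozenset
    require_managed_device: bool = True
    allowed_locations: frozenset = ALL_LOCATIONS


# Constructed policy: each entry is one explicit, one-to-one permission.
POLICY = (
    Grant("crm", frozenset({"sales"})),
    Grant("hr-portal", frozenset({"hr"}), allowed_locations=frozenset({"office", "home"})),
    Grant("git", frozenset({"engineering", "contractors"}), require_managed_device=False),
    Grant("prod-db", frozenset({"sre"})),
)


def evaluate(req: AccessRequest, policy=POLICY):
    """Return (allowed, reason). The default is deny; a grant must match on every axis."""
    matching = [g for g in policy if g.app == req.app and g.groups & req.groups]
    if not matching:
        # No grant at all: the application is not even visible to this identity.
        return False, "no grant for this identity/application pair"
    if not req.device_compliant:
        # Identity is fine but the endpoint failed its posture check.
        return False, "device failed posture check"
    for g in matching:
        if g.require_managed_device and not req.device_managed:
            continue
        if req.location not in g.allowed_locations:
            continue
        return True, f"grant matched: {g.app} via {sorted(g.groups & req.groups)}"
    return False, "grant exists but device or context requirement not met"


def visible_apps(groups: frozenset, policy=POLICY):
    """Applications an identity can even discover; everything else stays dark."""
    return sorted({g.app for g in policy if g.groups & groups})


def vpn_reachable_apps(policy=POLICY):
    """Contrast: a traditional VPN places an authenticated device on the network,
    so every application is reachable at the network layer regardless of grants."""
    return sorted({g.app for g in policy})


if __name__ == "__main__":
    sales_from_cafe = AccessRequest("alice", frozenset({"sales"}), "crm", True, True, "public-wifi")
    print(evaluate(sales_from_cafe))
    print("visible to sales:", visible_apps(frozenset({"sales"})))
    print("reachable over a flat VPN:", vpn_reachable_apps())
```

The two helper functions at the end make the attack-surface point concrete: for a user in the `sales` group, `visible_apps` returns only `crm`, while `vpn_reachable_apps` returns every application, because a network-layer login exposes all of them. A real broker would also re-evaluate the posture and context continuously rather than once at connection time.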
VPN vs SDP?
VPNs may be a legacy technology, but their role in the organization is fundamentally unchallenged. 2019 will not see the death of VPNs, but rather their rebirth in the guise of SDP solutions that will deliver the same core capabilities in a way that is better suited to the era of cloud migration and mobile working.
Writing the VPN off as obsolete, however, is a mistake, as the VPN is one of the most important components of enterprise IT today. It is absolutely crucial for cloud migration, for supporting mobile employees and contractors, and for delivering security products like Unified Threat Management (UTM), Secure Web Gateway, and Network Access Control that are part of every enterprise network security stack.
Because a large number of employees have ongoing issues with enterprise VPNs, some vendors are predicting their demise while others say they should be replaced by more advanced technologies. But the bottom line is that even if you replace a VPN with a different acronym, the need for an enterprise Virtual Private Network is as real now as it was 20 years ago.
According to a recent survey, 70% of employees work off-site at least part of the time, often from insecure locations like coffee shops, airports and hotels. At the same time, end users consider VPNs a necessary evil: the clients tend to break, the connection over the internet to a remote data center is often slow, and reaching the help desk is a nuisance.
The typical WAN architecture delivers network security solutions such as a Next Generation Firewall, Secure Web Gateway and Network Access Control via the data center. That makes sense for users working on premise. When a user is working off-site, there are two ways to handle that traffic. The optimal approach from the security perspective is to backhaul all the user traffic to the data center over the VPN and send it through the security gateways there. From the user perspective, this makes internet access slow, and in the case of SaaS applications the latency may be prohibitive.
Site-to-Site (or Cloud) Connectivity
Traditionally, VPNs were used to connect two LANs, for example, from a remote branch to headquarters or a data center. Today, site-to-site VPNs work overtime connecting clouds to the data center and to each other – in different regions or infrastructure providers. This places VPN at a critical juncture in the enterprise infrastructure.
Managing it All…
Unfortunately, while all of these functions can be covered by a VPN, managing it is not that simple. Handling all of these use cases requires multiple VPN appliances, each with a policy that needs to be maintained and synchronized. And that does not include the network security appliances, which need to account for VPN users as well. IT teams work hard to build dashboards that provide a coherent picture of the participants in the network and the access and security policies that govern them. This does not scale easily, yet it is so easy to spin up a new cloud instance or hire another contractor.
About the Author:
Etay Bogner is the former CEO of Meta Networks and now VP of Zero-trust Products for Proofpoint. He is focused on helping organizations provide secure remote access for employees, contractors and partners to corporate applications and the internet. To learn more, download a detailed whitepaper on the subject.