You’ll Need Zero Trust, But You Won’t Get It with a VPN


Properly implemented, a zero trust architecture provides much more granular and effective security than legacy security models. However, this is only true if a zero trust initiative is supported with the right tools. Legacy solutions, such as virtual private networks (VPNs), lack the capabilities necessary to implement a zero trust security strategy.

Zero Trust Security is the Future

Castle-and-moat security models were common in the past, but they are ineffective at protecting the modern network. Some of the primary limitations of perimeter-focused security models include:

  • Dissolving Perimeters: Legacy security models attempt to secure a perimeter that encapsulates all of an organization’s IT assets. However, with growing cloud adoption, this perimeter would need to enclose the entire Internet, making it ineffective for security.
  • Insider Threats: A perimeter-focused security model lacks visibility into anything inside of the corporate network perimeter. Insider threats — such as attackers that breach an organization’s defenses, supply chain vulnerabilities, and malicious users — are all invisible to perimeter-based defenses.
  • Trusted Outsiders: Castle-and-moat security assumes that everyone inside the perimeter is trusted, while outsiders are untrusted. However, the growth of remote work means that companies need to find ways to account for trusted users outside of the perimeter, forcing the use of insecure and unscalable VPNs.

The zero trust security model was designed to address the limitations of these legacy security models. Under the zero trust model, all access requests are evaluated independently against least privilege access controls. If a user successfully authenticates, their session is monitored for suspicious or risky activity, enabling potential threats to be shut down early.

94% of companies are in the process of implementing zero trust, making it one of the most common cybersecurity initiatives. Some of the drivers of zero trust adoption include:

  • Corporate Security: Data breaches and ransomware infections are common, and, in many cases, are enabled by the remote access solutions (VPNs, RDP, etc.) used to implement perimeter-based security. Zero trust promises to reduce the probability and impact of these security incidents, decreasing enterprise security risk.
  • Regulatory Compliance: The zero trust security model aligns well with regulators’ goals to protect sensitive information. Implementing zero trust is best practice for compliance now and may be mandatory in future updates of regulations.
  • Incident Investigation: A zero trust security system tracks all access requests on the corporate network. This audit trail is invaluable when investigating a security incident or demonstrating regulatory compliance.
  • Greater Visibility: Zero trust’s stronger access control provides granular visibility into access requests. In addition to security applications, this data can also provide insight into how corporate IT assets are being used and inform infrastructure design and investment.

Zero trust overcomes the problems of legacy, perimeter-focused security models. As corporate IT environments expand, cyber threats mature, and regulatory requirements become stricter, it will be a vital part of a mature security policy.


A VPN Can’t Provide Zero Trust

The rise of remote and hybrid work has made secure remote access a vital capability for many organizations. VPNs are a well-established remote access solution, and many organizations turned to them to support their remote employees.

However, while VPNs offer employees secure remote access to the corporate network, they fail to provide crucial capabilities for a zero trust deployment. Some of the ways in which VPNs fall short include:

  • Access Management: VPNs are designed to provide an authenticated user with full access to the corporate network, simply creating an encrypted tunnel from the user’s machine to the VPN endpoint. Without built-in access controls, VPNs cannot enforce zero trust’s least privilege access policies.
  • Integrated Security: VPNs have no built-in security capabilities, meaning that traffic must be routed through a full security stack en route to its destination. With corporate assets scattered on-prem and in the cloud, this usually results in traffic being routed to a central location for inspection, increasing network latency.
  • Optimized Routing: VPNs are point-to-point solutions, which limits the routes that traffic can take and can cause significant latency due to suboptimal routing. This may lead to security controls being bypassed or disabled in favor of improved network performance.

Two of the foundational concepts of zero trust security are access control and monitoring for security issues during an authenticated user’s session. VPNs provide neither of these key capabilities, and their performance and scalability limitations mean that users may attempt to evade or bypass defenses to improve performance and productivity. While zero trust is rapidly becoming essential for corporate cybersecurity, VPNs are ill-suited to implementing a zero trust architecture.
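The contrast drawn above, between a VPN that grants an authenticated user the whole network and a zero trust model that evaluates every request against least privilege and watches the session for risky behaviour, is easiest to see in a small policy engine. This is an added illustration, not code from the original post or from any vendor's product; the policy table, roles, hostnames and the "three consecutive denials revokes the session" rule are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed least-privilege policy: (role, resource) pairs that are allowed.
# Hostnames and roles are assumptions for this example only.
POLICY = {
    ("finance", "erp.internal"),
    ("finance", "mail.internal"),
    ("engineering", "git.internal"),
    ("engineering", "mail.internal"),
}

@dataclass
class Session:
    user: str
    role: str
    device_managed: bool   # simple device-posture signal
    denied: int = 0        # consecutive denied requests in this session
    revoked: bool = False

def vpn_authorize(session: Session, resource: str) -> bool:
    """Legacy VPN model: once the tunnel is up, every host is reachable.
    The resource being requested never enters the decision."""
    return not session.revoked

def zt_authorize(session: Session, resource: str, max_denials: int = 3) -> bool:
    """Zero trust model: each request is checked on its own against the
    least-privilege policy and device posture, and the session is monitored;
    a burst of denied requests (assumed risk signal) ends the session."""
    if session.revoked:
        return False
    allowed = session.device_managed and (session.role, resource) in POLICY
    if allowed:
        session.denied = 0
        return True
    session.denied += 1
    if session.denied >= max_denials:
        session.revoked = True   # looks like probing: revoke, do not just deny
    return False

def simulate(model, requests, role="finance", device_managed=True):
    """Replay a request sequence under one model; return per-request decisions."""
    session = Session(user="alice", role=role, device_managed=device_managed)
    return [model(session, r) for r in requests]

# Constructed trace: a finance user who, after a normal ERP request, starts
# reaching for engineering and database hosts she has no business with.
TRACE = ["erp.internal", "git.internal", "ci.internal", "db.internal", "erp.internal"]

if __name__ == "__main__":
    print("VPN :", simulate(vpn_authorize, TRACE))   # every request succeeds
    print("ZT  :", simulate(zt_authorize, TRACE))    # off-policy hosts denied, then revoked
```

Under the VPN model the final, otherwise legitimate ERP request still succeeds after three off-policy attempts; under the zero trust model the session has already been revoked, which is the in-session monitoring the post describes.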

Achieving Zero Trust with SSE and SASE

These two essential capabilities of zero trust — access control and session security monitoring — are the reason why Security Service Edge (SSE) and Secure Access Service Edge (SASE) are ideal for implementing a corporate zero trust program. SASE solutions include zero trust network access (ZTNA) functionality, which provides the ability to enforce least privilege access controls across the corporate WAN.

Alongside ZTNA, SSE and SASE solutions also offer a range of key security functions, including Firewall as a Service (FWaaS), an intrusion prevention system (IPS), a secure web gateway (SWG), and a cloud access security broker (CASB). Converging security functions with access control makes SASE an all-in-one solution for zero trust.

SASE’s design can also eliminate the network performance impacts of security. Deployed as a cloud-native solution on a global network of points of presence (PoPs), SASE can inspect traffic at the nearest PoP before optimally routing it to its destination. Cloud-native design ensures that converged security has the resources required to perform vital security functions without incurring latency.

Cato provides the world’s most robust single-vendor SASE platform, converging Cato SD-WAN and a cloud-native security service edge, Cato SSE 360, including ZTNA, SWG, CASB/DLP, and FWaaS into a global cloud service. With over 75 PoPs worldwide, Cato optimizes and secures application access for all users and locations, and is easily managed from a single pane of glass. Learn more about how Cato SASE Cloud can support your organization’s zero trust security goals by signing up for a free demo today.
