
Why zero-trust models should replace legacy VPNs

Many organizations use legacy VPNs to secure their networks, especially in the work-from-home era. Expert Pranav Kumar explains why zero-trust models are a safer option.

Companies have been using VPNs for over two decades. The tool allows employees, contractors and other parties to access an organization's internal data, assets and applications. Unfortunately, VPNs are ill-equipped to adapt to changes in technology and security needs. They no longer keep company resources safe and secure, which is their primary function. By contrast, organizations that use zero-trust models are better equipped to handle security risks.

Definition and limitations of VPNs

Traditional VPNs connect remote end users to private company resources by backhauling traffic to data centers and applications. Once traffic is brought to a central location, traditional security measures are applied. Microsoft invented VPNs in 1996, making the tool nearly as old as the internet itself. With the increase in cyber attacks, the limitations of VPNs have become more visible.

VPNs grant immense trust to authenticated users, allowing them to access information and resources they do not need. VPNs also often suffer performance problems from routing traffic through centralized data centers, and backhauling bandwidth-intensive cloud applications is quite costly. Lastly, and most concerning, VPNs are ill-equipped to defend against many security threats. For instance, if an infected user or an attacker with stolen credentials connects to your internal network through a VPN, there is a risk that viruses, ransomware and data breaches spread throughout the network. VPNs were ideal before the cloud, when the legacy security model was a fixed perimeter based on a castle-and-moat architecture.

Zero trust and implementation

Zero trust is simple: There is no such thing as a trusted user. Instead, when users are authenticated, they are placed within a security bubble, or software-defined perimeter. Here, users only get access to authorized resources rather than everything. Even if the user's computer is compromised by a remote agent, the user is unable to directly access other users or resources. In addition, URLs are obfuscated, and sensitive data is hidden from view.

In a zero-trust model, each user is always monitored, using identity-aware proxies -- technologies that can scrutinize user behavior patterns and detect erratic behavior in real time. The zero-trust model enables more security checks. It generates logs that are not possible with traditional VPNs, such as recording the user's location and application use histories.

Why companies need to adopt zero-trust models

It is too easy for companies to reach for traditional VPNs. The technology is historically reliable, easy to implement and familiar to users. However, because of these serious security flaws, an alternative tool is needed to meet today's needs.

When legacy VPNs were first adopted, cloud-based applications and many current scaling problems were nonexistent. Outside contracting, cloud expansion and remote work exceed the original system's capabilities. When you add outliers -- like a pandemic -- VPNs show their age. Additionally, networks cannot be segregated with legacy VPNs in the same way they can with zero-trust architectures. It is important to note that these two technologies are not necessarily exclusive. VPNs can be re-architected to work within a zero-trust architecture, which may please administrators who find this system familiar.

Legacy VPNs vs. zero trust

Part of the issue with legacy VPNs is the nature of trust itself. In the traditional VPN model, users are restricted by access lists written line by line. Large access lists are notoriously hard to manage and are prone to error. Additionally, users are placed in an internal VPN subnet, which potentially gives them access to the whole internal network. Traditional VPNs also require an inbound connection to your network, which is a threat if your VPN credentials are stolen. For example, VPN credentials were stolen during the Colonial Pipeline attack.
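The contrast drawn above, and the identity-aware proxy described earlier under "Zero trust and implementation", can be made concrete with a small simulation. The following is an added example, not code from the article or from any vendor product: a toy access broker that authorizes each request per application, checks a device-posture flag, and records the user, application and source location of every decision, placed beside a flat subnet grant that models the legacy VPN. All application names, roles, subnets and log fields are constructed for illustration.

```python
"""Toy identity-aware access broker versus a flat VPN subnet grant.
Hypothetical example; application names, roles and policy are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List


@dataclass(frozen=True)
class AccessRequest:
    user: str
    roles: frozenset            # roles asserted by the identity provider
    app: str                    # logical application name, not an IP address
    device_compliant: bool      # posture signal, e.g. disk encryption + EDR present
    source_country: str         # geolocation of the connecting client


# Constructed policy: which roles may reach which application.
APP_POLICY: Dict[str, frozenset] = {
    "hr-portal": frozenset({"hr"}),
    "git": frozenset({"engineering"}),
    "wiki": frozenset({"hr", "engineering", "contractor"}),
}


@dataclass
class Decision:
    allowed: bool
    reason: str


class IdentityAwareProxy:
    """Evaluates every request against identity, device posture and per-app
    policy, and appends a log entry (user, app, country, outcome) each time."""

    def __init__(self, policy: Dict[str, frozenset]) -> None:
        self.policy = policy
        self.log: List[dict] = []

    def evaluate(self, req: AccessRequest) -> Decision:
        if req.app not in self.policy:
            decision = Decision(False, "unknown application")
        elif not req.device_compliant:
            # A valid credential on a non-compliant device is still refused.
            decision = Decision(False, "device posture failed")
        elif not (req.roles & self.policy[req.app]):
            # Authenticated does not mean entitled: access is per application.
            decision = Decision(False, "role not entitled to application")
        else:
            decision = Decision(True, "entitled and compliant")
        self.log.append({"user": req.user, "app": req.app,
                         "country": req.source_country,
                         "allowed": decision.allowed, "reason": decision.reason})
        return decision


def legacy_vpn_reach(authenticated: bool, target_ip: str,
                     vpn_subnet: str = "10.0.0.0/8") -> bool:
    """Flat-network model: once the credential is accepted, any host inside the
    internal subnet is reachable, regardless of role or device state."""
    return authenticated and ip_address(target_ip) in ip_network(vpn_subnet)


def new_locations(log: List[dict], user: str) -> List[str]:
    """Countries a user was seen from after their first one: a minimal hook for
    the behaviour-pattern monitoring that the proxy's log makes possible."""
    seen: List[str] = []
    for entry in log:
        if entry["user"] == user and entry["country"] not in seen:
            seen.append(entry["country"])
    return seen[1:]


if __name__ == "__main__":
    proxy = IdentityAwareProxy(APP_POLICY)
    hr = frozenset({"hr"})
    print(proxy.evaluate(AccessRequest("alice", hr, "hr-portal", True, "US")))
    print(proxy.evaluate(AccessRequest("alice", hr, "git", True, "US")))
    # Stolen credential replayed from an unmanaged device in another country.
    print(proxy.evaluate(AccessRequest("alice", hr, "hr-portal", False, "RO")))
    print("new locations for alice:", new_locations(proxy.log, "alice"))
    print("legacy VPN reaches 10.20.30.40:", legacy_vpn_reach(True, "10.20.30.40"))
```

The point of the side-by-side is that `legacy_vpn_reach` has only one input that matters, the credential, whereas the proxy refuses the same credential when the device fails posture or the role is not entitled to the application, and leaves a per-request record that a flat tunnel never produces.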

To protect data and resources, many companies may turn to zero trust. However, there are drawbacks for well-established companies to consider when embracing zero-trust protocols. Companies that use older legacy applications may have trouble implementing them on zero-trust networks. Other companies that have made significant investments in architecture might find additional expenses less appealing. Other issues involve data control, what that implicitly means for liability and whether it can be safely allowed outside the traditional security perimeter.

Despite concerns, zero-trust models have many strengths. While it does not guarantee safety, zero trust improves breach detection and can shut down connections faster than a traditional VPN. It also compartmentalizes resources, which helps to mitigate damage that might occur. Zero trust makes companies better equipped to handle today's emergencies and minimizes the impact of tomorrow's challenges. Since zero trust is implemented with cloud-based computing in mind, it also enables greater scalability and reduces the capital investment requirements needed for implementation.

For these reasons, newer and more agile companies have generally been the first successful implementers of zero trust. Established companies such as Coca-Cola, Google and WestJet Airlines have also embraced zero-trust principles.

Mitigate security risks

Zero trust mitigates security risks by removing implicit trust and reducing inbound connections to protect data, assets and applications. Too often, companies merely react to security threats following an attack. By then, attackers may have accessed business-critical assets and data. Implementing zero-trust models enables organizations to re-architect their systems and discover efficiencies they previously missed when using older, traditional VPN structures.

About the author
Pranav Kumar is a senior technical account manager with Zscaler. He has worked in security for 16 years with experience in pre-sales, post-sales, designing, transition and transformation of security projects. For further information, please email [email protected].
