The pandemic changed the way people work, and many companies have been fast to adapt to this shift in work culture by encouraging and promoting remote and hybrid work. Zero Trust Network Access or ZTNA is gaining popularity as a secure alternative to corporate VPN-based access to the internal application and network services.
This article will explain how the zero trust security model provides a secure alternative to VPN and review an overview of the steps involved in transitioning to a zero-trust architecture for your organization. With nearly every business having remote workers, it is important to understand the advantages and disadvantages of VPNs and zero trust access.
VPN in remote working
A Virtual Private Network (VPN) provides an encrypted and secure connection to the network over the public internet. It works by masking a user's IP address and routing it through a private, remote server, which is usually run by a VPN host. For more details on VPN, read our blog on what is VPN and types of VPN.
A remote-access VPN gives organizations the capability and flexibility to let employees access the company network remotely and use important resources from anywhere in the world. This makes a VPN suitable for employees or third-party contractors who need to reach internal applications and network resources while working from home. Although a VPN lets the organization decide who has access to its network and limit logins as needed, it has a few shortcomings, listed below:
- VPNs fail to provide granular network protection, leaving the organization open to significant security risks.
- Traditional VPNs blindly trust authorized users and typically grant full access to the corporate network, making it easier for attackers who obtain credentials to reach sensitive information.
- VPN connections tend to slow down for remote employees as the number of concurrent connections increases.
- Working over a VPN can be time-consuming. If too many users are logged in at the same time, the connection speed drops, which may hinder productivity.
- VPNs are typically costly to manage and hard to configure as the number of users and applications grows.
With remote work becoming the norm for many employees and organizations in the tech world, many are looking for a more permanent and secure solution.
Zero trust security in remote working
Since the pandemic, the concept of zero trust security has gained popularity in the cybersecurity industry with the shift toward remote and hybrid work. As per the NIST Special Publication, zero trust architecture is defined as follows:
"Zero trust (ZT) provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised. Zero trust architecture (ZTA) is an enterprise's cybersecurity plan that utilizes zero trust concepts and encompasses component relationships, workflow planning and access policies. Therefore, a zero trust enterprise is the network infrastructure (physical and virtual) and operational policies that are in place for an enterprise as a product of a zero trust architecture plan."
For remote access, the principles of zero trust are implemented as zero trust access or zero trust network access (ZTNA). In a ZTNA implementation, every access attempt goes through strict verification each time a user requests a company resource, irrespective of network location and irrespective of whether the user has used that resource before.
The core principles of zero-trust security include the following:
Zero trust has strict identity verification for every employee and device trying to access resources over a private network. No one is trusted by default, and verification is required from everyone. This added layer of security forces users and devices to authenticate and continuously re-verify.
Principle of least privilege
Zero trust architecture implements the principle of least privilege, meaning that users are given only as much access as they need to perform their tasks. This minimizes exposure of the sensitive data on a company's network. User permissions need to be carefully managed, and VPNs are not suited to such an approach; compared with VPNs, zero trust takes a more holistic approach to security.
MFA (multi-factor authentication) is known to be one of the most important core values of a zero trust network. Requiring more than one form of authentication beyond just a password has proven to make it much harder for scammers and hackers to gain access to the network. While VPNs can also use multi-factor authentication, the zero trust approach is designed to contain attackers so that they cannot move further into the network. Even if they gain access, the attack surface is reduced, unlike with a traditional VPN.
How to move from VPN to zero trust access
Zero trust access models give organizations the ability to scale, as well as to prepare themselves for data breaches, data leakage and threats, all of which are compelling reasons for enterprises to make the transition from VPNs. Organizations like IBM and Microsoft are a few of the big companies that have already made this important decision to improve network security by switching to a zero trust security model. In fact, according to Gartner, "By 2023, sixty percent of enterprises will phase out most of their remote access virtual private networks (VPNs) in favor of zero trust network access (ZTNA)."
Making this transition involves several considerations, including the size of the organization, its infrastructure and ability to manage change, and the current technical solutions in place. However, it is certainly worth implementing due to the extensive security benefits. Below are a few important steps that help transition from a VPN towards a zero trust access solution:
- Use a modern identity management service as a policy engine and a next-generation VPN that can act as a policy enforcement point. Several identity management engines or services, such as Okta, Auth0, Duo or Azure Active Directory, are readily available in the market. Although setting them up can be difficult, the benefits of using them are tremendous in the long run.
- Set up the policy engine to work alongside the existing VPN while you perform the migration. The policy engine is responsible for granting access to resources on a network. It takes input from external sources (identity, device state and other context) and feeds it into a trust algorithm in order to grant, deny or revoke access. The best course of action is to start by replacing the gateways that are closest to the network and applications.
- Set up the policy enforcement point. Starting with session-based applications and real-time policy enforcement makes it easier to progress to the next level in setting up the zero trust architecture.
- Keep endpoints protected. When working from home, it is increasingly common for employees to use their own devices (BYOD). It is important to keep these devices protected from malicious software, because device state is one of the inputs the policy engine relies on.
- Finalize the zero trust architecture. Replacing current technology with a brand new solution is always difficult, but taking a step-by-step approach and focusing on long-term benefits eases the transition. It is also helpful to source all the components from one vendor. For example, for Windows users, implementing Microsoft Azure Active Directory with Azure cloud infrastructure and Office 365 would help streamline the transition.
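The per-request trust-algorithm decision that the principles above and the policy-engine step describe, written out as an added Python example that is not from the original article or from any product it names; the resources, groups and posture thresholds are constructed for illustration, and the source network is deliberately carried only for logging so the decision is the same from the office and from home:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    user: str
    groups: frozenset       # group claims from the identity provider
    mfa_verified: bool      # second factor presented for THIS request


@dataclass(frozen=True)
class Device:
    managed: bool           # enrolled in endpoint management (unmanaged BYOD -> False)
    disk_encrypted: bool
    patch_age_days: int


@dataclass(frozen=True)
class AccessRequest:
    subject: Subject
    device: Device
    resource: str
    action: str
    source_network: str     # kept for logging only; the decision ignores it


# Constructed policy table (hypothetical resources): anything absent is denied by default.
POLICY = {
    "payroll-db": {"group": "finance", "actions": {"read"}, "managed_only": True},
    "wiki": {"group": "employees", "actions": {"read", "write"}, "managed_only": False},
}
MAX_PATCH_AGE_DAYS = 30


def decide(req: AccessRequest):
    """Trust algorithm: returns ("allow" | "deny", reason) for one request, every time."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return "deny", "no policy for resource (default deny)"
    if not req.subject.mfa_verified:
        return "deny", "MFA not verified for this request"
    if rule["group"] not in req.subject.groups:
        return "deny", "user lacks required group " + rule["group"]
    if req.action not in rule["actions"]:
        return "deny", "action not permitted (least privilege)"
    if rule["managed_only"] and not (req.device.managed and req.device.disk_encrypted):
        return "deny", "device posture insufficient for sensitive resource"
    if req.device.patch_age_days > MAX_PATCH_AGE_DAYS:
        return "deny", "device patch level too old"
    return "allow", "identity, privilege and device checks passed"
```

Because nothing is cached between calls, a second request from the same user with no fresh MFA, or from an unmanaged device, is denied even if the previous request was allowed.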
Zero trust access with Teleport
The zero trust security model is proving to be the greatest security improvement most organizations can make for their cybersecurity future. By transitioning to zero trust, companies can protect themselves against emerging threats and gain the ability to scale.
Teleport — an open-source identity-aware, multi-protocol access proxy — offers zero trust access to infrastructure servers and applications, improving security compliance and user productivity. If you're considering replacing your VPN for user access, be sure to check it out and start a free trial today.