Many enterprises use VPNs for their remote employees. They depend on them for securing company information and enabling remote workers to connect to the organizational network. However, sometimes VPNs block productivity instead of enabling it.
For example, just two weeks ago Pulse Secure VPN users were suddenly unable to log into their organizational networks. It eventually emerged that a code signing certificate, used for digitally signing and verifying software components, had expired. The certificate was considered invalid, and because of a bug, company resources could not be accessed. With many users still working from home due to Covid-19, many businesses screeched to a halt.
IT teams had trouble fixing the issue, which required reinstalling the agent and applying software updates on the Pulse Secure machines. This is not the only security and accessibility issue Pulse Secure VPN is dealing with, either. One week later, vulnerabilities in Pulse Secure VPNs were reported to have been exploited by attackers and to require patching. Last August, hackers were able to access more than 900 of Pulse Secure’s VPN servers and leaked credentials, IP addresses, SSH keys and admin details.
Can businesses continue to trust VPNs with their most valuable organizational assets, like their source code, IP, production environment and customer data?
VPN technology was built for a different technological era, and Pulse Secure VPNs are no exception. VPNs are virtual tunnels between network points. They connect external users to internal network users, in a supposedly more secure manner.
But VPNs are based on the castle-and-moat approach to cybersecurity, which places defenses at network entry points instead of throughout the entire network. As a result, if and when a perpetrator gains access, the VPN can tunnel them straight into the network and its crown jewels. VPNs provide no defenses against attackers once they’re inside.
In addition, connecting through a VPN is a bulky, resource-intensive process. Updating VPNs, patching them and scaling them are all processes that require a lot of IT overhead and budget. In a fast-paced world with changing demands, and even more so since Covid-19, VPNs can’t keep up.
Zero trust, by contrast, is a security model based on enabling business continuity while securing networks both externally and internally. Access is granted based on the user’s identity, not their originating network (e.g. a VPN). Users are continuously verified every time they want to access an asset or app. In addition, the network is cloaked from users, preventing network visibility.
These VPN drawbacks are also what cause breaches like the recent Pulse Secure one. Let’s see how incidents like Pulse Secure could have been prevented with zero trust.
Zero trust secures network assets and applications, not networks themselves. Therefore, zero trust would never have blocked Pulse Secure VPN users from organizational network access. Instead, zero trust would have enabled application access without compromising network security. Users would have been able to use their regular networks to connect to network assets. Then, each of them would have been verified individually before gaining access to specific apps.
Zero trust is more secure than VPNs because no trust is given, so it does not tunnel users into the network. As a result, zero trust could have blocked adversaries from entering the network without proper authentication. Cyber attackers who did gain access would not see the network structure or have access to files, libraries and more. Zero trust can replace or complement VPNs; both models help organizations improve their security posture.
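To make the contrast between the two models concrete, the following is an added example (not code from the original post or from any VPN or zero trust vendor) that puts a perimeter-style access decision beside a per-request, identity-based one. It illustrates the zero trust properties described above: access keyed on identity rather than originating network, re-verification on every request, per-application least privilege, and a cloaked network that reveals nothing to unauthorized callers. The VPN address pool, user names, application names and entitlement table are all constructed for the example.

```python
# Added example (not from the original post): a perimeter-style decision
# beside a zero-trust, per-request decision. All names, address ranges,
# users and entitlements below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional, Tuple
import ipaddress

# Constructed: address pool handed out to VPN clients once they are "inside".
VPN_POOL = ipaddress.ip_network("10.8.0.0/16")

# Constructed: which user may reach which application (least privilege).
ENTITLEMENTS = {
    "alice": {"wiki", "git"},
    "bob": {"wiki"},
}
KNOWN_APPS = {"wiki", "git", "payroll"}


@dataclass
class Request:
    src_ip: str                          # where the request came from
    app: str                             # application the caller wants
    user: Optional[str] = None           # verified identity, None if unauthenticated
    token_expiry: Optional[int] = None   # unix time the identity proof expires
    device_compliant: bool = False       # result of a device posture check


def perimeter_allows(req: Request) -> bool:
    """Castle-and-moat: anything sourced from the VPN pool reaches every app.
    Identity, token freshness and device state are never re-checked."""
    return ipaddress.ip_address(req.src_ip) in VPN_POOL


def zero_trust_allows(req: Request, now: int) -> bool:
    """Per-request decision keyed on identity, not on originating network."""
    # 1. A verified identity with an unexpired proof is required on every call.
    if req.user is None or req.token_expiry is None or req.token_expiry <= now:
        return False
    # 2. Device posture is part of the decision, not just who is asking.
    if not req.device_compliant:
        return False
    # 3. Least privilege: entitlement is per application, never "the network".
    return req.app in ENTITLEMENTS.get(req.user, set())


def broker_response(req: Request, now: int) -> Tuple[int, Optional[str]]:
    """Access broker in front of the apps. Every denial, including a request
    for an app that does not exist, gets the same 404 so that a caller who
    is not authorized cannot learn which applications sit behind the broker
    (the "cloaked network" property)."""
    if req.app in KNOWN_APPS and zero_trust_allows(req, now):
        return 200, req.app
    return 404, None


if __name__ == "__main__":
    NOW = 1_700_000_000  # constructed clock value
    # A session that reached the VPN pool but carries no verified identity.
    inside_no_identity = Request("10.8.1.5", "git")
    # An employee on a home network with a fresh token and a compliant laptop.
    home_user = Request("203.0.113.7", "git", "alice", NOW + 3600, True)
    for r in (inside_no_identity, home_user):
        print(r.src_ip, r.app,
              "perimeter:", perimeter_allows(r),
              "zero-trust:", zero_trust_allows(r, NOW),
              "broker:", broker_response(r, NOW))
```

Running the block shows the two decisions disagreeing in both directions: the identity-less session inside the VPN pool is waved through by `perimeter_allows` and refused by `zero_trust_allows`, while the employee on an ordinary home network is refused by the perimeter check and admitted by the per-request check. The `broker_response` function returns the same 404 for an expired token, a missing entitlement and a nonexistent application, which is what keeps the set of internal applications invisible to anyone who has not been authorized.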