In 1996, a Microsoft engineer developed the Point-to-Point Tunneling Protocol (PPTP), one of the first Virtual Private Network (VPN) protocols, to carry private traffic securely across the Internet. By the 2000s the VPN had become the standard way for employees to connect remotely to private corporate networks. A lot has changed since then: IT environments now lean heavily on cloud and hybrid infrastructure, and the applications people need are often not on the corporate network at all.
A VPN encrypts the traffic between a user's device and a VPN gateway, so an observer on the local network cannot read the user's activity, and the destination sees the gateway's IP address rather than the user's own. The gateway itself still sees everything. Because a VPN operates at the network layer and places the user on the entire network through a single connection, it is a poor fit for the way employees work today, when most resources are reached at the application level, such as a web app or a hosted database.
Unfortunately, some insurers have not yet adapted their underwriting requirements for cyber and data-breach insurance to reflect these changes. Many still tell companies that a VPN must be part of their security program, so insureds deploy one to check the box and obtain a policy, under the illusion that this is the most secure way for employees to reach resources.
Thankfully, the Zero Trust framework is gaining ground, with 97% of surveyed businesses saying they have either begun the transition or plan to within the next year or so. As part of building a security program on this framework, organizations are easing into Zero Trust Network Access (ZTNA) to meet the need for remote access created by COVID-19 and the growth of cloud-based applications.
So what are the risks of using a VPN, what exactly is ZTNA, and why are businesses shifting toward it?
Risks of VPNs for Network Security
Though VPNs are increasingly categorized as legacy products, many users still like them for the access they provide. Because your traffic exits from the VPN provider's server, you can choose an exit point in a different region and reach websites, content, and services that would otherwise be regionally blocked.
A VPN is also a good choice for individuals on public or otherwise untrusted Wi-Fi who want to shield their traffic from the local network as they browse. The issue is that it is no longer a practical solution for enterprise network access, that is, for giving employees a remote way to reach their work resources.
Unsegmented Access
To start, because a VPN connects users to the private corporate network, it typically operates on the assumption that any identity connected to that network is trusted, and so authorizes it to reach every application and resource on the network.
This creates a considerable risk: if an attacker compromises one user's VPN credentials or device, they can reach all organizational resources with near-unlimited lateral movement, which makes incidents hard to identify and isolate. It also makes it difficult to constrain the privileges of insider threats that already hold authorized network-level access.
Poor Visibility
The VPN model also makes it hard to gain visibility into traffic and access activity. At the network level, system administrators, IT managers, and security operations teams can see that a user's tunnel is up and which addresses it talks to, but not which applications the user accessed or what they did there. Without that detail, teams struggle to pinpoint anomalies and potential breaches quickly enough for an adequate response.
Simplified Authentication
Many VPN deployments still rely solely on traditional authentication, typically a username and password. That simplicity leaves users and the organization exposed to account-based attacks. For instance, a cybercriminal can run a credential-harvesting phishing campaign to trick a user into handing over VPN account details, or exploit weak passwords with brute-force attacks. Because the VPN grants network-level access, a single stolen password opens the whole network.
Why Zero Trust Network Access
ZTNA directly addresses the main risks of using a VPN for network access. Applying the principles of zero trust, here is how ZTNA works and how it differs from the VPN model:
- Application/Resource-Based Access: Rather than granting access at the network level, as a VPN does, ZTNA authenticates and authorizes each request to an individual application or resource. This lets you control access at a finer, more contextual level and improves your security posture.
- Micro-Segmentation: Where VPN access lets users, and attackers, roam the whole network once past the perimeter, ZTNA brokers connections to individual resources or small segments of related resources and requires authorization for each. This limits lateral movement and makes incidents easier to identify and isolate.
- Principle of Least Privilege: ZTNA uses access-management policy to follow the least-privilege model, giving users access only to the resources and data their jobs require. A VPN-only model, by contrast, assumes all users and devices on the network are trustworthy and hands out far more access than is needed.
- Comprehensive Visibility: Teams relying on a VPN for remote access can see what enters the network but little of the specific activity inside it, which limits observability. ZTNA records every access decision per user, device, and application and continuously monitors all users and endpoints (even trusted ones) to spot anomalies.
- Never Trust, Always Verify: While most VPNs require only basic credentials for network access that then unlocks a large set of resources, ZTNA treats all traffic as potentially malicious and verifies each request to a resource using methods such as multi-factor authentication (MFA) and contextual authorization (session type, time since last login, location, and so on).
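To make the contrast in the list above concrete, and to show the blast radius described under Unsegmented Access and Simplified Authentication, here is an added Python example written for this article. It is not Ascension Global Technology's code and not any vendor's ZTNA product; the roles, resources, allowed countries, re-authentication window, and the sample sessions are all constructed. A toy policy decision point evaluates a VPN-style rule (valid password puts the whole network in reach) beside a ZTNA-style rule (each resource decided on MFA, location, authentication age, and role entitlement) and keeps a per-decision audit log of the kind the Comprehensive Visibility bullet refers to.

```python
# Added example for this article (not Ascension Global Technology code and not
# any vendor's ZTNA implementation): a toy policy decision point contrasting
# the VPN model (valid password -> whole network reachable) with a ZTNA model
# that decides per resource using MFA, location, re-authentication age and the
# user's role. Resources, roles, thresholds and sessions are constructed.
from dataclasses import dataclass, replace

# Constructed entitlements: which roles may reach which application/resource.
ROLE_ENTITLEMENTS = {
    "hr": {"hr-app", "payroll-app"},
    "finance": {"finance-db", "payroll-app"},
    "engineer": {"git", "ci"},
}
ALL_RESOURCES = set().union(*ROLE_ENTITLEMENTS.values())

# Constructed contextual policy: where users may connect from, and how long a
# login may be reused before the user must authenticate again.
ALLOWED_COUNTRIES = {"US", "CA"}
REAUTH_AFTER_MINUTES = 60

# Access log kept by the ZTNA broker: one entry per decision, per resource.
AUDIT_LOG = []


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    password_valid: bool
    mfa_passed: bool
    country: str
    minutes_since_last_auth: int
    resource: str  # the single application this request is for


def vpn_decision(session):
    """Network-level model: a valid password puts the device on the private
    network, and once it is there every resource is reachable. All the VPN
    can record is that the tunnel came up."""
    if not session.password_valid:
        return set()
    return set(ALL_RESOURCES)


def ztna_decision(session):
    """Per-resource, contextual model. Returns (allowed, reasons), where
    reasons lists every failed check so the audit log explains each denial."""
    reasons = []
    if not session.password_valid:
        reasons.append("bad_password")
    if not session.mfa_passed:
        reasons.append("mfa_required")
    if session.country not in ALLOWED_COUNTRIES:
        reasons.append("geo_blocked")
    if session.minutes_since_last_auth > REAUTH_AFTER_MINUTES:
        reasons.append("reauth_required")
    if session.resource not in ROLE_ENTITLEMENTS.get(session.role, set()):
        reasons.append("not_entitled")
    allowed = not reasons
    AUDIT_LOG.append({
        "user": session.user,
        "resource": session.resource,
        "allowed": allowed,
        "reasons": list(reasons),
    })
    return allowed, reasons


def ztna_reachable(session):
    """Blast radius under ZTNA: every resource this session would be granted
    if it asked for each one in turn (each attempt is logged)."""
    return {
        r for r in ALL_RESOURCES
        if ztna_decision(replace(session, resource=r))[0]
    }


if __name__ == "__main__":
    # Constructed scenario from the article: a phished VPN password used
    # from an unexpected country, with no second factor.
    phished = Session("alice", "hr", password_valid=True, mfa_passed=False,
                      country="RU", minutes_since_last_auth=0,
                      resource="finance-db")
    print("VPN reachable  :", sorted(vpn_decision(phished)))
    print("ZTNA reachable :", sorted(ztna_reachable(phished)))
    print("ZTNA decision  :", ztna_decision(phished))
    legit = replace(phished, mfa_passed=True, country="US", resource="hr-app")
    print("Legit reachable:", sorted(ztna_reachable(legit)))
    for entry in AUDIT_LOG[-2:]:
        print("audit:", entry)
```

With a phished password alone the VPN rule exposes all five constructed resources, while the ZTNA rule grants nothing and logs why (no MFA, blocked location, role not entitled). The same user with MFA from an allowed country still reaches only the two resources her role is entitled to, and a session older than the re-authentication window is pushed back to log in again. The audit log is what gives the per-application visibility a VPN concentrator cannot provide.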
ZTNA matters to organizations for its scalability, ease of deployment, and usability for employees connecting to network resources, which is far simpler than provisioning a VPN service. It also brings the security benefits described above, which match today's demand for remote access. As more employees use private or public cloud applications to manage data and do their jobs, enterprises need a modern approach such as ZTNA to protect their data, applications, and other network components.
Make the Move to ZTNA with Ascension Global Technology
Simply put, VPNs are neither sufficient for nor well matched to today's enterprise cybersecurity risks, which is prompting organizations to consider ZTNA for secure access to network resources such as applications, data, and online services. Contact us today to speak to an expert and learn how our team and our partner ecosystem of software vendors and practitioners can help you transition from the vulnerabilities of a VPN to a secure and scalable Zero Trust Network Access system.
Also, be sure to check out our blog for industry updates, cybersecurity news, and valuable insights that can help your business improve its program and security posture.