In 2023, the great reset or the new normal of 2020 is now well established, and we are looking at the next normal, where the work-from-anywhere mindset stayed even after the Coronavirus pandemic. When all of a sudden, millions of employees started working remotely, enterprises the world over had no choice but to accelerate the pace of digitalisation.
The urgency to “go remote” compelled them to lean into VPNs. But are VPNs security tools? And are VPNs meant for providing secure remote access for millions of users? No, they are not. They are predominantly a business-enablement technology that provides access and protects data in transit beyond the company network. Because of the way they are designed, they simply enable access to the entire network. VPNs lack the capability of enforcing the principle of least privilege, thus providing all or no remote access to corporate networks. If a VPN is compromised, it allows users to gain encumbered access to the company’s network. Threat actors have exploited this shortcoming of VPNs to breach various businesses and government agencies. The result? A huge number of cyber threats and ransomware attacks.
In 2020, the number of ransomware attacks surged 150%. One of the spectacular ransomware attacks was on the Colonial Pipeline in 2021, which brought the major gas pipeline to a halt. The attack reportedly originated through a dormant VPN account accessed via a compromised credential.
Studies have shown that the global average total cost of a data breach is $3.86 million. In today’s world where our data is scattered everywhere, can we rely on VPNs to ward off cyber threats? Why should we allow access to the entire network? Can we restrict the user's access to the application or set of apps/resources they need? VPNless remote access based on Zero Trust Architecture (ZTA) is the closest solution.
Zero Trust is a Mindset Shift
John Kindervag, a former analyst at Forrester Research introduced the concept of Zero Trust in 2010. In late 2020, the National Institute of Standards and Technology (NIST) formalized the Zero Trust approach and in 2021, the White House hit the gas on Zero Trust to improve the nation’s cybersecurity. Let’s just say that Zero Trust Access is going mainstream and accepted by organizations all over the world.
The strength of Zero Trust Access is based on the guiding principle that trust is gained and not implicitly obtained and every user is a threat until proven otherwise.
In essence, Zero Trust enables organizations to:
Verify whether a user is adequately authenticated.
Isolate the enterprise resources that the user wants to access.
Figure out whether the access request is from a trusted third-party or a stolen device
Make an informed decision on granting or denying the request.
The Fortress of Zero Trust: An Analogy
Imagine you are in charge of guarding a fortress. Within that fortress, there are various rooms, each with valuable assets. To protect all the rooms within the fortress, you've built strong walls and checkpoints at the entrance of the fortress to ensure only authorized individuals can enter. However, there's a catch – instead of giving access to just one room, you're allowing anyone who gets through the entrance to roam freely throughout the entire fortress.
In the context of cybersecurity, this is somewhat similar to how VPNs operate. When a user gains access to the network through a VPN, they essentially have access to the entire network, just like anyone who enters the fortress can move around freely.
Now, let's introduce the concept of Zero Trust Access. Instead of granting access to the entire fortress, you design the system to provide entry to a specific room. To do that, first, you isolate each room from the rest of the fortress. You've set up a secure corridor that leads directly to that isolated room. Anyone who wants access has to go through a series of security checks at each step along the corridor that leads to that particular room. The rest of the corridors leading to the other rooms stay invisible.
Applying this analogy to the digital world, each application or asset becomes like a room within the fortress.
Zero Trust Access means that instead of granting users unrestricted access to the entire network (the fortress), you're only giving them access to the specific application(s) they need to do their job (the specific room). In cases when one enterprise resource needs to access another one on the same network, its configured to go through a similar route. Because the system doesn’t operate on the network layer, but on the application layer, whether it is an app to an app or an app to a user or vice versa, the Zero Trust Access works seamlessly.
The benefits of this Zero Trust Access approach include the following:
Reduced Attack Surface: By limiting access to only the necessary applications, you're minimizing the area that potential attackers can exploit.
Segmentation: Zero Trust Access segments each application or enterprise resources from each other. This prevents unauthorized interactions between applications, so even if one application is compromised, the attacker can't move to other enterprise resources.
Least Privilege: Users only get access to the applications they absolutely need for their tasks. This prevents unnecessary exposure and potential damage if their credentials are compromised.
Continuous Verification: Zero Trust Access continuously verifies the user's identity and device health during the entire remote access session. This minimizes the risk of unauthorized users gaining entry.
Isolation: If an application is compromised, the attacker's reach is limited to just that one application.
In a nutshell, Zero Trust Access is about granting the least possible access necessary to perform a task, rather than giving users full access to a network and then trying to restrict it. This approach enhances security, reduces potential vulnerabilities, and aligns with the principle of "trust but verify" in today's complex and interconnected digital landscape.
Combined with password free digital identity ecosystem, VPNless secure remote access enables a robust information security posture for the enterprise. Zero Trust Access manifests the “Trust but Verify” philosophy in the true sense in the digital world.