Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Trust No One. And Be Quick About It.

Firewall
(Source: Pixabay)

In an era when security threats, such as ransom viruses, are spiking, at the same time, companies are scrambling to extend the virtual workplace to insecure home environments, IT security is finally taking the front seat as a driver for new deployments. But as apps move to clouds, and users move to home, traditional hub-and-spoke security models fail.

Put simply, COVID-19 has changed the game for cyber criminals: they now have millions of new victims in the form of employees working from home. IT must respond by changing its game, from one of trust to one of no trust. And we in IT must do this as fast as possible.

“Wait,” you’re thinking, “what’s wrong with my trusty VPNs? I thought that was the gold standard for network security!”  “Trusty” VPNs, it turns out, are over-rated. Given a fundamental architectural flaw, combined with a constant stream of vulnerabilities providing hackers an inviting attack surface, we were never right to trust VPNs in the first place.

Trust, you see, is the key architectural fly in VPN’s security ointment. By definition, a VPN connects two trusted networks; i.e., two networks that trust each other. Yes, VPNs obfuscate data with sophisticated encryption. Yes, VPNs authenticate using clever and complex protocols. Yes, VPNs can employ multifactor security devices. But in the end, there’s just too much trust going on, so that when a VPN does get compromised, the hacker is rewarded with free access to an entire corporate LAN.

A VPN is like giving a friend the key to your house so he can use your wall-size TV. You wouldn't give your key to a total stranger, but you trust your friend. He's not going to rob you or snoop where he shouldn't. But just to be safe, you've added a combo keypad to the front door, so if your friend loses the key, all is not lost. You've also put locks on the pantry and your bedroom doors. And the refrigerator, because, to be frank, you only trust your friend so far. "Defense in-depth," you always say! To your way of thinking, this is a perfectly reasonable trust situation.

The trust fallacy

Alas, as we’ve learned through hard experience, the “trust” VPNs require turns out to not be reasonable at all. In our house analogy, in addition to the explicit trust in your friend to not abuse your generosity, you also implicitly trust your friend never to give up that front door code, which he might do under duress. And a curious friend, once inside, might be tempted to pick that pantry lock, because, well, chips and dip. That’s why you locked it, no? But he’s already inside your house, away from suspicious eyes, and has time to burn, so why not give it a try?

VPNs are like this. They assume both networks trust each other, so once a VPN gets someone behind the firewall, they have free access to the entire network. While you can lock down specific critical internal resources, such as your accounting server, in general, the corporate LAN aims to not just permit, but accelerate speedy “lateral access” from VPN users to any inside point.

What’s more, not all internal barriers are equal. Like your easily picked pantry lock, a hacker can take his time exploiting the specific weaknesses of each new bulwark, which, thanks to freewheeling lateral access, he can easily identify.

Trust must end

Now that we’ve seen the folly of VPN’s “trusty” architecture, the solution appears as simplicity itself: Stop trusting. Everyone. That’s the aim of a key new remote access architecture called Zero Trust Network Access (ZTNA).

ZTNA is a security architecture that eliminates trust from a network, instead granting access only to a specific application or database for each user request. ZTNA’s inventor Forrester Research states that all resources must be securely accessed on an individual basis, regardless of their location, based on a least-privilege security model. This means encryption everywhere, plus authentication every time.

ZTNA is part of a larger network overhaul called Secure Access Service Edge, or SASE (pronounced "sassy," according to the term's originator, Gartner). SASE combines network-as-a-service offerings such as SD-WAN, carrier circuits, CDN, and bandwidth aggregators with a slew of new network security services, including ZTNA. Other SASE components are a Cloud Access Security Broker (CASB), Secure Web Gateway (SWG), Web API Protection as a Service (WaaPaas), and Firewall-as-a-Service (FWaaS). Together these deliver a single comprehensive, integrated solution that supports all traffic, applications, and users.

The details of how these components interact aren't important to your decision-making process. All that's important is the net effect: vastly improved security that can be deployed quickly, doesn't clog your network with encryption and authentication delays, and works seamlessly with another network evolution, SD-WAN. By encapsulating security inside SASE, SD-WAN now becomes a security-agnostic overlay, which lets SD-WAN focus on exploiting multiple paths and aggregating those paths to maximize performance.

The VMware SASE difference

VMware engineers enabled migration to the SASE architecture with its 2017 acquisition of VeloCloud, a market leader in cloud-delivered SD-WAN.  VMware completed its cloud-native SASE implementation by combining SD-WAN gateways with ZTNA, SWG, CASB, and next-generation firewall functionality.  VMware now lets you deliver these networking and security services off-the-shelf to HQ campuses, branch offices, teleworkers, mobile users, and even IoT devices.

Conceptually, VMware SASE organizes around a thin Edge/thick Cloud framework, spread through 2000 nodes around the planet. A VMware SASE environment provides application QOS, zero-touch deployment, built-in ZTNA protection, and dynamic scaling. Even SMB’s can get on board, adding capacity as their business grows.

As a managed service, VMware SASE falls on the OpEx side of your balance sheet, eliminating time-sapping CapEx deployments, and speeding your rollout of this essential new security paradigm. In which you trust no one.

About VMware

VMware, a leading innovator in enterprise software, powers the world’s digital infrastructure. Our solutions form a flexible, consistent digital foundation that enables technology-driven transformation without disruption.