Virtual private network (VPN) technology has long offered a simple and effective way to link remote workers and other trusted parties to enterprise IT and data resources. Yet despite serving as an invaluable security tool during the COVID-19 pandemic, VPN is beginning to show its age in an era when a growing number of sophisticated cyber attackers work on behalf of organized crime and rogue governments.
Rapidly emerging as a strong VPN competitor is zero-trust, a security concept focused on the idea that organizations shouldn't automatically trust anything inside or outside their perimeters and must, instead, verify absolutely everything attempting to connect to their systems before granting access.
A security framework
Zero-trust is essentially a framework that helps enterprises transition from traditional perimeter-based security to modern architectures. "The fundamental tenets of zero-trust posit that actors, systems, or services operating inside the security perimeter should not be automatically trusted and that everything, whether coming from inside the organization or outside, should be verified before being given access," said Theresa Lanowitz, AT&T's cybersecurity director. "In short, trust nothing and verify everything."
The “never trust, always verify” philosophy that zero-trust embraces requires that both user and device are authenticated each time they attempt to access the network and continue to be assessed and authenticated throughout the session. "This creates a micro-perimeter within the larger network and mitigates the lateral movement of threats within the network, even if it is compromised," explained Samrah Kazmi, chief innovation strategist at advisory firm RESRG.
Zero-trust solutions are inherently more secure than VPNs, which take a castle-and-moat defense approach. "With VPNs, once you are on the network, you are deemed a trusted party and can then gain access to various enterprise systems and assets," said Paul V. Merugu, a senior manager in business advisory firm EY's cybersecurity practice. There are no such trust assumptions with zero-trust. "Additionally, zero-trust solutions are inherently agile and support a variety of workforce and business enablement scenarios, like partner and contractor onboarding, ... and IT integrations without [requiring] additional overhead."
Zero-trust is really about applying a variety of technologies to provide robust defenses based on the assumption that no request—human or machine-driven—should be explicitly trusted, explained Jason Myers, a principal at management and IT consulting firm Booz Allen Hamilton. "In many ways, zero-trust is a strategic approach to applying cybersecurity tools and practices more than it is a specific product or technology," he added.
Predictive, dynamic protection
Zero-trust combines a wide range of dynamic and adaptive controls and techniques. The approach's core foundations include identity management, network segmentation, data security, and access control. "The key to successful zero-trust implementations is the ability for those components to work together to form a resilient architecture," Myers said. Identity management is critical not just for humans, such as end-users, administrators, and customers, but for non-human entities, including services, applications, and databases.
A zero-trust journey can take a considerable amount of time to complete. "In some cases, it may be necessary for the entire network to be rearchitected," Lanowitz warned. "Organizations undertaking zero-trust should be proactive in managing monetary resources and have a committed leader with a vision at the helm of the project," she added.
If an organization is truly serious about zero-trust, it should also be serious about its cybersecurity practices, policies, and procedures. "Security should not be viewed as a technical issue. Rather, it should be viewed as necessary to running the business and producing strong business outcomes," Lanowitz said.
A successful zero-trust deployment is best achieved by focusing on business outcomes and piggy-backing on existing or upcoming modernization or digital transformation projects, Kazmi stated. "Treating the implementation as a cross-functional project may also spread the cost across different business units and make it more affordable," she added.
Myers noted that one of the biggest mistakes he sees is organizations that believe they need to choose between a VPN and zero-trust. "VPNs can be used to establish an encrypted tunnel between the user and the organization's internal network, [but] an organization’s failure to build out additional access controls—segmentation and encryption—is not the fault of the VPN tool," he explained. "In fact, one should argue that VPNs are a key tool in zero-trust because they ensure that data is protected out to the edge, ensuring attackers cannot compromise data-in-transit and providing privacy against data harvesting efforts from ISPs and public network providers."
Zero-trust is a journey, not a destination. "Threats change, organizational priorities change, leadership changes," Lanowitz observed. It's important to realize that as new use cases are created, new types of threats may emerge. "The human element in computing brings risk," she said. "Following and implementing cybersecurity practices, policies, and processes is crucial, but realizing that humans are fallible is just as critical."