Zero Trust vs. VPNs: It’s Time to Kill Your VPN

by Erin Risk

Zero Trust vs. VPNs: It’s Time to Kill Your VPN

One of the biggest threats to network security is a company’s own Virtual Private Network (VPN). Based on old network architectures, VPN’s assumption of a secure fixed perimeter surrounding a trusted network is a dated design pattern that undermines security. Zero Trust is a framework of security concepts that are better suited to the way business works today.

In this article, we will explain how Zero Trust is a better security design paradigm that reverses the assumptions implicit in VPN and similar legacy technologies. Changing the way we look at access controls creates benefits beyond security. We will share these benefits and explain how implementing Zero Trust without additional infrastructure can be a fast, affordable path to improved security.

What is Zero Trust?

Zero Trust is a modern concept of information security based on the assumption that trust can never be implicit.

Within a Zero Trust framework, no user, no device, and no network can be automatically trusted with access to company resources. This mindset relies on three core principles: assume breach, verify explicitly, and least privilege access. The Zero Trust framework is the opposite design pattern to the VPN. The fact that a local area network is physically in an office does not mean it has not been compromised. Access requests may arrive at the network from the CEO’s laptop, but is it the CEO sending them? Clearly the VPN approach of trust everyone inside the “moat” is an old pattern that isn’t recommended for today’s distributed work everywhere and access anything world.

Assume breach

The scale and precision of cyberattacks make it impossible to assume your networks are safe. Every day, criminal syndicates and script kiddies alike scan every exposed RDP and VPN port on the public internet. Spear-phishing and other social engineering attacks target the credentials of specific employees.

Zero Trust’s principle of “assume breach” accepts the fact that, no matter how extensive your security system may be, hackers have already penetrated and are roaming freely on users’ systems and your network. As a result, every connection request is a potential threat until proven otherwise.

Verify explicitly

Verification cannot be a one-time event. One click on a malicious file can compromise a user’s system at any time. Employees wanting a change in scenery may leave their home office to work in a coffee shop. Any change in the context of a user’s access could open a gap in an organization’s security.

Zero Trust’s principle of “verify explicitly” requires verifying every attempt to access resources. That verification should be based on the user’s identity, the device’s posture, and other contextual factors.

Least privilege

Over-permissioned employees, particularly network administrators, are cybercriminals’ highest-value targets. The more access a compromised user has, the easier it is for criminals to move laterally through a network.

Zero Trust’s principle of “least privilege” limits users’ access to only the resources they need to do their jobs. Zero Trust policies may also limit their degree of access based on the context of their connection.

Where did Zero Trust come from?

Some of the earliest research into the role of trust in artificial systems was performed by Stephen Paul Marsh in 1994. Now a professor at the University of Ontario Institute of Technology, Marsh coined the term “zero trust” and formalized a mathematical approach to evaluating trust from a system perspective.

By 2010, thinking about trust’s role in network security had reached a tipping point. Forrester analyst John Kindervag proposed an alternative to traditional concepts of the secure perimeter based on Zero Trust. Within a few years, Google began applying those concepts in its “BeyondCorp” security initiative.

The pervasive threat from cybercriminals and the changing nature of networking have led security professionals to see Zero Trust as the most promising way to protect information assets. That growing consensus came into sharp focus in early 2021 when the Biden Administration ordered all federal agencies to start adopting a Zero Trust security model.

What is a VPN?

Zero Trust stands in stark contrast to traditional approaches based on the concept of the secure fixed perimeter. Best exemplified by Virtual Private Network remote access technologies, vulnerabilities in the secure perimeter paradigm are the reasons security breaches are so widespread.

VPNs were originally created as an internet-based wide-area networking solution. Cheaper than the leased line services telecom companies offered, VPN let small and mid-sized businesses link satellite offices and other facilities to their data centers. The technology created an encrypted tunnel over the internet between VPN gateways at the two locations. Over time, the VPN gateway evolved into a path for remote employees to access resources on the company network.

Under the old security model, the VPN gateway was a portal through the company’s secure perimeter. Much like the way a moat protected a medieval castle, the secure perimeter protected a company’s network and the attached resources. The secure perimeter model assumes everything outside could be a threat and everything inside could be trusted. The VPN gateway verified remote users’ identities and allowed them through to the protected network.

Why is Zero Trust a superior solution to VPNs?

Assumptions of trust have made VPN itself the greatest security risk. Assuming that only trusted users need the information, for example, VPN gateways publish their IP address and device identifiers to the open internet where anyone can see them. Once a VPN gateway has been compromised, cybercriminals can traverse the network within just like any trusted user.

VPN creates other issues for network administrators such as the way it undermines network efficiency. Regardless of the resource’s location, all traffic from remote users passes through the VPN gateway by default. The resulting impact on network performance creates poor user experiences that could undermine security compliance: some users simply switch off the VPN because it is slowing down their connection.

Zero Trust vs. VPN Comparison Table

Zero Trust benefits

Zero Trust solutions, such as those offered by Twingate, eliminate the security and manageability issues of technologies like VPN. Among the benefits Twingate Zero Trust solutions deliver:

  • Dramatically smaller attack surfaces.
  • Limited lateral spread of successful breaches.
  • Faster deployment and scaling without additional infrastructure.
  • Unification of all security and access control policies.
  • Improved network performance.
  • Improved user experiences.
  • Easier security compliance.

In addition, Zero Trust deployments are not all-or-nothing propositions. Taking a phased approach lets you start with less critical resources. Later phases can leverage the lessons learned to protect more sensitive resources.

What trends will make VPNs difficult to maintain in the future?

VPN will only become more difficult to manage in the coming years. The secure perimeter model was developed at a time when companies had fixed perimeters surrounding on-premises, proprietary resources. Furthermore, VPN and other remote access technologies only needed to support the handful of employees working remotely.

Today’s world is vastly different. The perimeter itself means less and less. Companies are replacing on-prem resources with cloud-hosted solutions. B2B collaboration and on-demand workforces require granting access to non-employees. System administrators have less control over connected devices as BYOD policies become the norm.

But it has been the sudden shift to work-from-home that has pushed VPN to the breaking point. The technology does not scale affordably. Throwing more gateways at the problem is an expensive quick fix that adds to network administrators’ maintenance burden.

How can your organization implement Zero Trust today?

Twingate uses software-defined perimeters to implement Zero Trust security and access control. Twingate’s software solution does not require additional infrastructure or changes to your existing network. Once implemented, Twingate makes breaches much less effective by hiding each protected resource from anyone on the network who doesn’t need to see them.

Deploying the first phase of your Twingate implementation is fast and seamless. Within 15 minutes, you can protect resources on your network and in the cloud with modern Zero Trust practices. Simple administrative tools and “set and forget” client applications make Twingate’s solution as easy to manage as it is to use.

Protect your resources with Zero Trust today

Zero Trust is a fundamental change in the way we look at secure access. Rather than defending trusted resources and networks from outside attacks, Zero Trust recognizes that there is no “outside”. Networks and endpoints can be compromised at any time.

This modern approach to secure access assumes that breaches already exist. With that assumption, the only way to protect a resource is by verifying explicitly and granting least privilege access.

Twingate’s software-based solution provides a fast, easy, and effective way to start implementing Zero Trust within your organization. Contact us to learn more.