Why zero trust is critical to security and not legacy VPNs


Remote and hybrid working models are common today, but such was not the case prior to the outbreak of the Covid-19 pandemic.

For many companies and organizations, cloud-based working accelerated, born out of necessity rather than convenience. As lockdowns and stay-at-home orders were enforced almost overnight, many traditional organizations were forced to digitize to ensure that they could continue to operate as social contact was limited by law.

Amidst this turbulence, many turned to virtual private networks (VPNs) as a first port of call – a familiar face when it comes to providing remote access to centralized networks, acting as a relatively straightforward extension of on-premises IT infrastructure.

A recent Menlo Security report shows that this was a popular course of action.

In the survey of more than 500 IT decision-makers across the US and the UK, 75 percent of organizations said they still use VPNs for controlling remote access to applications. Further still, this rises to more than four in every five for organizations with more than 10,000 employees.

However, many of those that opted to take this path will have since found that it is fraught with challenges and obstacles. Put simply, this is because they are likely to have uncovered some of the inherent issues with VPNs. 

VPNs are tricky and time-consuming to operate, placing a strain on IT workloads and resources where IT managers are forced to administer individual access requests for multiple users. This creates inefficiencies and unwanted costs for companies - businesses that may well have been looking to make operational savings in light of the economic uncertainty caused by Covid-19. 

It is not just the productivity of IT departments that suffers at the hands of VPNs, however. Equally, with too many people trying to access a VPN at one time, networks can quickly become overwhelmed, leading to traffic bottlenecks and limitations in regard to file, data and resource access for all employees. 

For this reason, VPNs can become a significant source of frustration – and this frustration is often manifested in actions that can undermine an organization’s security posture. Instead of waiting for a VPN to load, employees will often choose to work more quickly, effectively and efficiently by going directly onto their desktops, downloading key data, files and resources to their devices, and leaving them more vulnerable to attack. 

Indeed, this is of particular concern given how the endpoint has become a primary focus for many cyberattacks today. Ransomware and malware, for example, work by infecting an endpoint – such as a laptop or mobile device – with a malicious payload.

The challenge stems from the fact that VPNs simply weren’t designed to be the bedrocks of remote and hybrid working models, creating a domino effect of productivity and security issues. 

The three key principles of zero trust

Thankfully, with hybrid and remote working models seemingly here to stay in the long term owing to a plethora of business- and work-life balance-related benefits, many organizations are beginning to consider new options.

The same Menlo Security survey shows that 75 percent of organizations are currently re-evaluating their security strategies, a finding that provides much cause for optimism. However, what is arguably more important is that these intentions result in genuinely useful changes that will see organizations adopting scalable, productive, secure and futureproof policies, protocols and solutions.

At Menlo, we advise that zero trust should form the backbone of all security measures today.

Unlike VPNs, zero trust is an ideology that has been designed specifically to bolster security and maintain productivity in cloud-based environments, structured around three key principles.

First is the notion of continuous authentication. It demands that all internal and external network users are authenticated, authorized, and continually validated before they are granted access to applications and data.

This moves away from traditional ‘castle and moat’ approaches to security that assume all internal network parties can and should be trusted – an assumption that has become a great source of vulnerability in the modern day.

Second is the implementation of the principle of least privilege. This focuses on limiting the access of network users to only those specific applications and areas of the organization’s network that they need to do their job effectively. Privileged accounts are the holy grail for attackers, so limiting these within an organization is vital. 

Third is working off the assumption that a security breach is always just around the corner – by always anticipating an attack, security will remain a central focus that is considered in all key decisions, which will serve to eliminate potential vulnerabilities.

Improving security posture through isolation technology

Zero trust is so effective because it focuses on protecting beyond the perimeter. It sees trust as a vulnerability, and therefore takes an alternative default ‘deny’ approach.

Indeed, many of the most high-profile cyberattacks of recent times have been successful because of a lack of defenses beyond the perimeter. Without zero trust, hackers who are successful in infiltrating a network can move laterally with ease to elevate their privileges, exfiltrate data, execute ransomware attacks and more.

Currently, little more than one in three (36 percent) of those organizations we surveyed have adopted zero trust as part of their remote access strategy. Yet as companies begin to reconsider their security strategies, there is fortunately an easy way to achieve zero trust in its truest sense.

Enter isolation technology – an innovative solution that eliminates any opportunity for hackers looking to infiltrate an organization’s network by creating a digital air gap capable of preventing all malicious payloads from executing on their target endpoints.

In practice, it moves day-to-day activities from the desktop to the cloud to ensure that all content is safely rendered, providing total peace of mind.

Simply put, if a malicious payload is downloaded, it cannot reach the endpoint, cutting cyberattackers off completely with holistic, reliable protection.

Jonathan Lee, Senior Product Manager, Menlo Security
