Recently, I attended CloudNativeSecurityCon in Seattle. Most talks centered around Zero Trust, and how to implement these patterns in modern cloud architectures. Notably absent from any talks was the discussion of VPNs.
VPNs are starting to be viewed as out-of-date in the new world of Zero Trust. So what is Zero Trust, how does it differ from VPNs, and do VPNs still serve a purpose, or are they just vestiges of an older time?
To differentiate the two, I’ll use the example of traditional office security vs modern office security.
Back in the day, you might have a gate at the front of the office, with a security guard checking badges and letting people inside. This security only existed at the perimeter. Once people got inside, they could roam around freely, use the elevator, the printers, and go into rooms.
Now consider a modern office. The doors, the elevators, the printers, the office rooms, all require a badge swipe for access, which is checking your identity and your permissions. It’s both more secure and more fine-grained, allowing you to control who has access to what.
VPNs are a lot like that traditional security, checking the traffic before it comes in, but only securing the perimeter. Zero Trust is a lot like the modern office, checking your identity every time you access a resource. There is overlap in both directions, but this is in line with the general thinking.
However, there is a bit of a misnomer going on here. Zero Trust isn’t a thing that you can purchase, you have to implement it. It’s like DevOps or Agile. It’s a methodology, a pattern, with the goal of “achieving zero trust.” While there are tools you can purchase which help “enable” Zero Trust, the truth is that Zero Trust does not exist without a holistic approach to corporate security.
Meanwhile, an equal and opposite misnomer is being applied to the VPN. A VPN at its core just means encrypted, virtualized network connections, which are still being used everywhere including (spoiler alert) in Zero Trust! However, when the industry discusses VPNs, we tend to think of “legacy VPN products”, rather than of the concept of VPNs themselves, which causes some confusion. There are now “modern” VPN products which significantly reshape how we think about these tools.
Let’s clear up these misconceptions and discuss why VPNs are still in use, and how they fit into a Zero Trust implementation.
Why VPNs are still being used
There’s a pretty simple reason why so many organizations still use VPN solutions today, rather than Zero Trust: Zero Trust is hard. Zero Trust touches on everything in the business, and without a unified approach that spans all your resources, you won’t be able to implement it properly. And similar to DevOps or Agile, it’s not just a framework, it’s a culture shift. So for one, it’s just taking them time.
However, even as corporations implement Zero Trust, they’re still finding use cases which fall outside the frameworks they’ve implemented. I’ve worked with many businesses that need to get a solution up and running to provide secure access to, from, or across sites, which doesn’t fit within their current approach to Zero Trust. In such cases, a VPN gives them the solution they need.
This may be the case because the target resources are not user-controlled, are at the edge, or belong to another organization. Here, VPNs remain strongly in use. Additionally, for connecting sites, even if a Zero Trust solution is in place, encrypting the traffic generally between sites is generally desirable.
VPNs within Zero Trust
A principle of Zero Trust is to limit the “blast radius” of any potential breach, including both internal and external threats. Here, having a perimeter VPN still makes a lot of sense, with the “site-to-site” case mentioned above being one example. But more generally, consider the modern office again. Sure, you have smart security cards on the resources within the office, but don't you still want a gate, and wouldn’t having a security guard help limit the chances of a bad actor?
By combining a perimeter VPN with a Zero Trust architecture, you can have the best of both worlds. You also give yourself something to build on, with the VPN acting as your “minimal” security footprint, which you can increasingly make more secure with Zero Trust principles.
Modern VPNs
Beyond a simple perimeter, modern VPNs have been making a comeback, as enablers and alternatives to Zero Trust patterns. These new VPNs come equipped with technology that helps accelerate a strong security posture.
Speed
Modern VPNs are utilizing new encryption methodologies like WireGuard, which dramatically increase the speed of connections. While speed alone is not an enabler of security, it is often sited as a key reason not to use a VPN. After all, no one wants to cut their application speed in half, even if it would be more secure. Organizations have thus been hesitant to use VPNs in their infrastructure where high-speed data transfer is required, due to the latency of traditional VPNs. However, with modern WireGuard-based solutions, this limitation is all but eliminated, allowing the VPN to make a comeback in infrastructure-based use cases.
Point to point
Traditional VPNs were often point-to-site or site-to-site. Consider Cisco AnyConnect, where you log in, and get access to a corporate network, or Palo Alto, where you connect various offices and data centers into one big network.
By comparison, Point-to-Point VPNs connect a specific machine directly to another specific machine. This significantly restricts the perimeter of an attack, and allows for more fine-grained access controls, which can build into a Zero Trust framework.
This, in combination with the speed advantage, is allowing modern VPNs to become much more enmeshed into corporate resources, connecting not just employee laptops and phones, but servers, VMs, Linux containers, and more.
Blurred lines
With modern VPNs providing both high-speed and point-to-point connections, the line between VPN and Zero Trust is beginning to blur. These VPNs are increasingly adding access controls which take on pieces of a Zero Trust implementation. In fact, you’ll see some VPN products today advertise themselves as Zero Trust solutions.
Over time, we’ll likely see this confluence continue, with VPNs becoming more flexible, and implementing Zero Trust principles to provide both network-level security, resource-specific, identity-based authorizations.
Conclusion
With or without Zero Trust, VPNs are likely to continue on, with modern VPNs evolving to match modern corporate security. Setting up a network perimeter will help to ensure a baseline of network security on which organizations can implement Zero Trust principles, in addition to the edge cases that fall outside any implemented Zero Trust framework. By using both, organizations can secure against attacks from the outside, and from within.
We've featured the best business security system.
This article was produced as part of TechRadarPro's Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro