The VPN is dying, long live zero trust

Mazino Ukah

23 Dec 2019

The traditional VPN is being replaced by a smarter, safer approach to network security that treats everyone as equally untrusted.

The venerable VPN, which has for decades provided remote workers with a secure tunnel into the enterprise network, is facing extinction as enterprises migrate to a more agile, granular security framework called zero trust, which is better adapted to today’s world of digital business.

VPNs are part of a security strategy based on the notion of a network perimeter; trusted employees are on the inside and untrusted employees are on the outside. But that model no longer works in a modern business environment where mobile employees access the network from a variety of inside or outside locations, and where corporate assets reside not behind the walls of an enterprise data center, but in multi-cloud environments.

Gartner predicts that by 2023, 60% of enterprises will phase out most of their VPNs in favor of zero trust network access, which can take the form of a gateway or broker that authenticates both device and user before allowing role-based, context-aware access.

There are a variety of flaws associated with the perimeter approach to security. It doesn’t address insider attacks. It doesn’t do a good job accounting for contractors, third parties and supply-chain partners. If an attacker steals someone’s VPN credentials, the attacker can access the network and roam freely. Plus, VPNs over time have become complex and difficult to manage. “There’s a lot of pain around VPNs,” says Matt Sullivan, senior security architect at Workiva, an enterprise software company based in Ames, Iowa. “They’re clunky, outdated, there’s a lot to manage, and they’re a little dangerous, frankly.”

At an even more fundamental level, anyone looking at the state of enterprise security today understands that whatever we’re doing now isn’t working. “The perimeter-based model of security categorically has failed,” says Forrester principal analyst Chase Cunningham. “And not from a lack of effort or a lack of investment, but just because it’s built on a house of cards. If one thing fails, everything becomes a victim. Everyone I talk to believes that.”

Cunningham has taken on the zero-trust mantle at Forrester, where analyst John Kindervag, now at Palo Alto Networks, developed a zero-trust security framework in 2009. The idea is simple: trust no one. Verify everyone. Enforce strict access-control and identity-management policies that restrict employee access to the resources they need to do their job and nothing more.

Garrett Bekker, principal analyst at the 451 Group, says zero trust is not a product or a technology; it’s a different way of thinking about security. “People are still wrapping their heads around what it means. Customers are confused and vendors are inconsistent on what zero trust means. But I believe it has the potential to radically alter the way security is done.”

Security vendors embrace zero trust

Despite the fact that the zero-trust framework has been around for a decade, and has generated quite a bit of interest, it has only been in the last year or so that enterprise adoption has begun to take off. According to a recent 451 Group survey, only around 13% of enterprises have even started down the road to zero trust. One key reason is that vendors have been slow to step up.

The poster boy success story for zero trust dates back to 2014, when Google announced its BeyondCorp initiative. Google invested untold amounts of time and money building out its own zero-trust implementation, but enterprises were unable to follow suit because, well, they weren’t Google.

But zero trust is now gaining traction. “The technology has finally caught up to the vision,” says Cunningham. “Five to seven years ago we didn’t have the capabilities that could enable these types of approaches. We’re starting to see that it’s possible.”

Today, vendors are coming at zero trust from all angles. For example, the latest Forrester Wave for what it now calls the zero-trust eXtended Ecosystem (ZTX) includes next-generation firewall vendor Palo Alto Networks, managed-services provider Akamai Technologies, identity-management vendor Okta, security-software leader Symantec, micro-segmentation specialist Illumio, and privileged-access management vendor Centrify.

Not to be left out, Cisco, Microsoft and VMware all have zero-trust offerings. According to the Forrester Wave, Cisco and Microsoft are classified as strong performers and VMware is a contender.

So, how does an enterprise, which has devoted millions of dollars to building and reinforcing its perimeter defenses, suddenly shift gears and adopt a model that treats everyone, whether an executive working inside corporate headquarters or a contractor working from a Starbucks, as equally untrusted?

How to get started with a zero-trust security model

The first and most obvious recommendation is to start small, or as Cunningham puts it, “try to boil a thimble of water and not the whole ocean.” He adds, “For me, the first thing would be to take care of vendors and third parties,” finding a way to isolate them from the rest of the network.

Gartner analyst Neil MacDonald agrees. He identifies three emerging use cases for zero trust: new mobile applications for supply-chain partners, cloud migration scenarios and access control for software developers.

Access control for his DevOps and IT operations groups is exactly what Sullivan implemented at Workiva, a company whose IT infrastructure is entirely cloud-based. Sullivan was looking for a more effective way to give his teams cloud access to specific development and staging instances. He ditched his traditional VPN in favor of zero-trust access control from ScaleFT, a startup that was recently acquired by Okta.

Sullivan says that now when a new employee gets a laptop, that device needs to be explicitly authorized by an admin. To access the network, the employee connects to a central gateway that applies the appropriate identity- and access-management policies.
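The gateway or broker pattern described above (a device that must be explicitly authorized by an admin, a user who must be authenticated, and role-based, context-aware policy applied centrally before any access is granted) can be illustrated with a small policy decision point. The following is an added example written for this article; it is not code from Workiva, ScaleFT or Okta, and the device inventory, users, roles, environment names and the `evaluate` function are all constructed assumptions. What it shows that the prose does not is the order of checks and the default-deny fall-through: a request that is not positively matched by an authorized device, a known identity, a passing context check and a permitting role is refused.

```python
"""
Added example (not from the article): a minimal zero-trust access broker
in the style the article describes. A central gateway authenticates both
the device and the user, then applies role-based, context-aware policy
before granting access to a specific environment. Every name, role and
data record below is a constructed assumption for illustration.
"""
from dataclasses import dataclass

# Device inventory: only devices an admin has explicitly authorized appear
# here, each bound to the user it was issued to. (Constructed sample data.)
AUTHORIZED_DEVICES = {
    "laptop-0471": {"owner": "alice", "managed": True},
    "laptop-0932": {"owner": "bob", "managed": True},
}

# Identity directory mapping users to roles. (Constructed sample data.)
USER_ROLES = {
    "alice": {"developer"},
    "bob": {"contractor"},
    "carol": {"ops"},
}

# Role-based policy: which environments a role may reach and whether the
# request must carry a verified MFA step. (Constructed sample policy.)
POLICY = {
    "developer":  {"environments": {"dev", "staging"},         "require_mfa": True},
    "ops":        {"environments": {"dev", "staging", "prod"}, "require_mfa": True},
    "contractor": {"environments": {"dev"},                    "require_mfa": True},
}


@dataclass
class AccessRequest:
    user: str
    device_id: str
    environment: str
    mfa_verified: bool
    # Contextual signal the broker receives alongside the request,
    # e.g. from an endpoint agent reporting disk encryption and patch level.
    device_posture_ok: bool = True


@dataclass
class Decision:
    allowed: bool
    reason: str


def evaluate(req: AccessRequest) -> Decision:
    """Return an allow/deny decision. Anything not positively matched is denied."""
    # 1. The device must be explicitly authorized and bound to this user.
    device = AUTHORIZED_DEVICES.get(req.device_id)
    if device is None:
        return Decision(False, "device not authorized")
    if device["owner"] != req.user:
        return Decision(False, "device not bound to user")

    # 2. The user must exist in the directory; a user with no roles gets nothing.
    roles = USER_ROLES.get(req.user, set())
    if not roles:
        return Decision(False, "unknown user or no roles")

    # 3. Context checks apply regardless of role.
    if not req.device_posture_ok:
        return Decision(False, "device posture check failed")

    # 4. Role-based check: the first role that permits this environment wins,
    #    subject to that role's MFA requirement.
    for role in sorted(roles):
        rule = POLICY.get(role)
        if rule and req.environment in rule["environments"]:
            if rule["require_mfa"] and not req.mfa_verified:
                return Decision(False, f"MFA required for {role}")
            return Decision(True, f"granted via role {role} to {req.environment}")

    # 5. Default deny: no role grants this environment.
    return Decision(False, f"no role permits {req.environment}")


if __name__ == "__main__":
    # Constructed sample requests exercising each branch of the policy.
    samples = [
        AccessRequest("alice", "laptop-0471", "staging", mfa_verified=True),
        AccessRequest("alice", "laptop-0471", "prod", mfa_verified=True),
        AccessRequest("bob", "laptop-0471", "dev", mfa_verified=True),
        AccessRequest("alice", "laptop-9999", "dev", mfa_verified=True),
        AccessRequest("alice", "laptop-0471", "dev", mfa_verified=False),
        AccessRequest("bob", "laptop-0932", "dev", mfa_verified=True, device_posture_ok=False),
    ]
    for s in samples:
        d = evaluate(s)
        print(f"{s.user}@{s.device_id} -> {s.environment}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
```

The point of the ordering is that identity alone never opens the door: a valid user on an unregistered or borrowed laptop is refused before role policy is even consulted, which is the property a stolen VPN credential lacks in the perimeter model described earlier.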

“Zero trust as a concept was so overdue,” says Sullivan. “It’s clearly the right way to go, yet it took us nearly 10 years of whining and complaining before enterprise-ready solutions came out.”