What does zero trust security mean to enterprises in the real world? VPN replacement and isolation-based internet access protection, for starters
From “Ocean’s Eleven” to “Baby Driver” to “The Italian Job,” movie-goers love watching a team of creative scoundrels break into a vault. Network security administrators feel differently. Those tasked with safeguarding critical enterprise data prefer that their applications and files remain safe behind virtually fortified walls built on zero trust security.
Imagine zero trust security as a high-security bank vault. Traditionally, you might picture a single locked door with a large steel spindle protecting the valuables behind it. But with zero trust, the vault also has multiple doors inside — each requiring authentication, verification, and validation before being opened — protecting critical data at every turn. Using this “never trust; always verify” approach to access, networks are kept safe, even from the cyber versions of Bonnie and Clyde.
How do zero trust tunnels differ from traditional VPN solutions?
Conventional virtual private network (VPN) setup is most often compared to a moat encircling a castle. Once breached, the entire perimeter and everything within it becomes accessible. This illustrates how significant breaches occur when hackers infiltrate a corporate firewall via a perimeter-based VPN and gain unrestricted movement across secure applications.
For decades, VPNs have served as the bedrock of corporate security. However, their evolution hasn’t kept pace with the ever-shifting tactics of modern hackers. A 2023 VPN risk report revealed that 90% of organizations are concerned about their security posture using VPNs, leading them to consider more modern solutions. While some companies deploy both VPN and zero trust solutions, the latter offers distinct advantages over traditional VPNs.
Zero trust security restricts the scope of user access
When comparing zero trust vs. VPN, zero trust security doesn’t presume any part of the enterprise network to be inherently secure. Using microsegmentation and prescriptive security policies, it constructs access tunnels for users limited to specific applications. This means they only have access to the data within their permitted network microsegment, minimizing the scope of potential breaches.
Zero trust security policies adapt to continuously mitigate risk
Unlike VPNs that rely on one-time authentication, zero trust’s adaptive security policies are persistent. Continuous evaluation of a user’s session, consideration of location changes, device variations, and unusual behaviors such as rapid data alterations help zero trust achieve a network surveillance level that is unattainable with VPNs alone.
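The two properties just described, per-application microsegments and continuous re-evaluation of a session rather than a one-time login, as a toy policy decision point. This is an added example and not the article's or any vendor's code; the roles, applications, signals and thresholds are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed microsegments: a role reaches only the listed apps (added example).
ROLE_APPS = {
    "payroll": {"hr-portal", "payroll-db"},
    "hvac-contractor": {"building-controls"},
}

@dataclass
class Request:
    role: str
    app: str
    device_managed: bool
    device_patched: bool
    country: str              # where this request comes from
    session_country: str      # where the session first authenticated
    mfa_age_min: int          # minutes since the last MFA prompt
    rows_changed_last_min: int  # crude "rapid data alteration" signal

@dataclass
class Decision:
    allow: bool = False
    reasons: list = field(default_factory=list)

def evaluate(req, max_mfa_age=60, change_limit=1000):
    """Default deny: allow only if every check passes; record each failure."""
    d = Decision()
    if req.app not in ROLE_APPS.get(req.role, set()):
        d.reasons.append("app outside role's segment")
    if not (req.device_managed and req.device_patched):
        d.reasons.append("device posture failed")
    if req.country != req.session_country:
        d.reasons.append("location changed mid-session")
    if req.mfa_age_min > max_mfa_age:
        d.reasons.append("MFA stale, step-up required")
    if req.rows_changed_last_min > change_limit:
        d.reasons.append("unusual data-change rate")
    d.allow = not d.reasons
    return d

def run_session(requests):
    """Re-evaluate every request; after the first deny the session is over."""
    out, terminated = [], False
    for r in requests:
        d = Decision(reasons=["session terminated"]) if terminated else evaluate(r)
        terminated = terminated or not d.allow
        out.append(d)
    return out
```

A VPN-style design would run only the first check once at login; here a change in location or device state on the third request of a session denies it even though the same identity was already verified.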
User experience is enhanced with direct-to-app connections
Because zero trust routes traffic through cloud inspection points, authentication occurs with negligible latency and is virtually imperceptible to users. By contrast, VPNs may suffer from bandwidth limitations and backend performance issues that can lead to delays for remote employees attempting to access the resources they need to do their jobs.
Zero trust security cuts costs
Establishing a corporate VPN network demands substantial investments in hardware, authentication tokens, software provisions, and the management of cumbersome data center infrastructure. Alternatively, zero trust tunnels are agile, quick to deploy, and scalable, while demanding fewer IT resources for training, maintenance, and management. The cherry on top? A zero trust security solution enables a BYOD (Bring Your Own Device) policy that can potentially reduce hardware expenses — a practice often at odds with VPN setups.
Understanding zero trust and its relationship to ZTNA
The price of data and intellectual property is high, making it no surprise that hackers are actively working to get their hands on it. Unfortunately, with more network entry points than ever, thanks to the addition of digital tools such as meters, sensors, and cameras, and the influx of remote employees and growing fleets, expansive security can be difficult to administer without a zero trust solution.
Zero trust security operates on the premise that anyone entering a network could be a threat, necessitating continuous restriction and verification. Even after confirming an identity, users are limited to specific, predefined resources. Contemporary WAN security relies on these exclusive connections between users and resources to keep valuable assets safe, but few, if any, organizations rely solely on payroll employees to keep their operations running smoothly.
Third-party contractors, suppliers, consultants, and other external users bring expertise to the table to manage things such as HVAC systems, custom lighting, cameras, point-of-sale solutions, and more. Rather than granting unrestricted access to these individuals, a Zero Trust Network Access (ZTNA) solution allows meticulously defined user-to-resource connections, giving users and devices access only to what they need to do their job and nothing else.
The impacts of zero trust security on IoT networks
Some outlets predict that the damages from ransomware attacks will exceed $265 billion by 2031, up from a mere $325 million in 2015. IoT devices are often to blame for such attacks. They often establish a smattering of entry points across a network and are also easily exploited thanks to their basic hardware and protocols and limited ability to support on-board security.
What often happens during these attacks is a malicious actor infiltrates the network by exploiting an exposed Internet Protocol (IP) address through an IoT device. With the device compromised, the intruder gains the ability to mill about through different sections of the network — sometimes for months — to gather a detailed lay of the land. Eventually, they uncover their target, posing a significant threat to the entire network. A casino famously learned this lesson the hard way when its high-roller database was hacked through a fish tank thermometer.
Here's how zero trust principles can improve the security posture of IoT devices:
Concealed IP addresses
IoT devices typically broadcast their IP addresses, making them an easy target for IP scans. Although a conventional VPN can create secure, encrypted connections over public networks, it falters when it comes to safeguarding IP addresses. A zero trust solution can mask IP addresses, rendering them invisible and ultimately thwarting any attempts to access and move laterally throughout the network.
Strict access by default
Zero trust security challenges conventional beliefs in network trust. Rather than presuming implicit trust within a network, it operates on the principle of continuous user verification, irrespective of their location or the device being used. This protects IoT devices by limiting access strictly to what is essential for each user. A ZTNA solution further restricts access for third-party contractors and suppliers who play a vital role in business operations for many enterprises seeking ways to save money through outsourcing.
Extending zero trust principles to safeguard against browser-based threats
It should come as no surprise that access to the internet creates a vast attack surface of threat-entry points thanks to careless clicking, weak passwords, and successful “phishermen.” Thankfully, applying zero trust security principles to web access creates a set of tools beyond firewalls to protect applications and users.
Secure web gateways
A secure web gateway (SWG) acts as a filter by applying zero trust policies to regulate outbound internet traffic and protect against malware, viruses, and more. When users input a link into their browser, click on a link in an email or a website, or upload files and images to the internet, the SWG serves as a security checkpoint to ensure secure access.
Remote browser isolation
Remote browser isolation (RBI) is a web security strategy that creates a digital air gap using a remote container environment. When a user clicks on a link, all web content — including sites accessed through email — is executed in an isolated, virtual browser that is hosted in the cloud and distinct from the user’s device or network.
How to implement zero trust security to protect your enterprise WAN
Zero trust is more than a buzzword. Its adoption has surged in recent years, proving that replacing implicit trust with identity- and context-based trust holds a lot of weight — so much so that Gartner estimates more than 60% of businesses will adopt zero trust as their foundational security approach by 2025.
To safeguard their networks effectively, IT and security leaders face the daunting task of examining their existing security strategies and determining where and how zero trust implementation fits in. Here are some key things to consider:
#1: What use cases will benefit from zero trust?
Refining the use cases for zero trust is instrumental in determining which solution is best for your organization. For instance, enterprises must differentiate between site-to-site connections and remote access scenarios spanning IoT devices, vehicles, kiosks, retail outlets, and more. Most organizational use cases generally fall into one of three categories: supporting an extended workforce, facilitating a BYOD policy and privileged remote access, and managing on-premises access.
#2: How will remote users and resources connect to the network?
When considering the location and connectivity options for users and endpoints, a ZTNA solution can be either agent-based or agentless.
Agent-based systems are often support-intensive and can be cost-prohibitive as they require an agent to be installed on every device to perform required security functions such as posture assessments, device and user authentication, and network traffic redirection to the security gateway.
Alternatively, an agentless ZTNA solution is agile and the only option available for BYOD, contractor access, or remote locations. Agentless zero trust solutions rely on a web-based portal for user authentication and access, making them simple to manage from a single pane of glass.
#3: How will the zero trust security solution be deployed and managed?
As lean IT teams increasingly prevail, a zero trust solution that can be deployed and managed from a central location is crucial. This approach also minimizes training needs and ongoing maintenance expenses, supporting the overall well-being of the IT team while working within limited resources.