The venerable VPN, which has for decades provided remote workers with a secure tunnel into the enterprise network, is facing extinction as enterprises migrate to a more agile, granular security framework called zero trust, which is better adapted to today’s world of digital business.
VPNs are part of a security strategy based on the notion of a network perimeter; trusted employees are on the inside and untrusted employees are on the outside. But that model no longer works in a modern business environment where mobile employees access the network from a variety of inside or outside locations, and where corporate assets reside not behind the walls of an enterprise data center, but in multi-cloud environments.
Gartner predicts that by 2023, 60% of enterprises will phase out most of their VPNs in favor of zero trust network access, which can take the form of a gateway or broker that authenticates both device and user before allowing role-based, context-aware access.
There are a variety of flaws associated with the perimeter approach to security. It doesn’t address insider attacks. It doesn’t do a good job accounting for contractors, third parties and supply-chain partners. If an attacker steals someone’s VPN credentials, the attacker can access the network and roam freely. Plus, VPNs over time have become complex and difficult to manage. “There’s a lot of pain around VPNs,” says Matt Sullivan, senior security architect at Workiva, an enterprise software company based in Ames, Iowa. “They’re clunky, outdated, there’s a lot to manage, and they’re a little dangerous, frankly.”
At an even more fundamental level, anyone looking at the state of enterprise security today understands that whatever we’re doing now isn’t working. “The perimeter-based model of security categorically has failed,” says Forrester principal analyst Chase Cunningham. “And not from a lack of effort or a lack of investment, but just because it’s built on a house of cards. If one thing fails, everything becomes a victim. Everyone I talk to believes that.”
Cunningham has taken on the zero-trust mantle at Forrester, where analyst Jon Kindervag, now at Palo Alto Networks, developed a zero-trust security framework in 2009. The idea is simple: trust no one. Verify everyone. Enforce strict access-control and identity-management policies that restrict employee access to the resources they need to do their job and nothing more.
Garrett Bekker, principal analyst at the 451 Group, says zero trust is not a product or a technology; it’s a different way of thinking about security. “People are still wrapping their heads around what it means. Customers are confused and vendors are inconsistent on what zero trust means. But I believe it has the potential to radically alter the way security is done.”
Security vendors embrace zero trust
Despite the fact that the zero-trust framework has been around for a decade, and has generated quite a bit of interest, it has only been in the last year or so that enterprise adoption has begun to take off. According to a recent 451 Group survey, only around 13% of enterprises have even started down the road to zero trust. One key reason is that vendors have been slow to step up.
The poster boy success story for zero trust dates back to 2014, when Google announced its BeyondCorp initiative. Google invested untold amounts of time and money building out its own zero-trust implementation, but enterprises were unable to follow suit because, well, they weren’t Google.
But zero trust is now gaining traction. “The technology has finally caught up to the vision,” says Cunningham. “Five to seven years ago we didn’t have the capabilities that could enable these types of approaches. We’re starting to see that it’s possible.”
Today, vendors are coming at zero trust from all angles. For example, the latest Forrester Wave for what it now calls the zero-trust eXtended Ecosystem (ZTX) includes next-generation firewall vendor Palo Alto Networks, managed-services provider Akamai Technologies, identity-management vendor Okta, security-software leader Symantec, micro-segmentation specialist Illumio, and privileged-access management vendor Centrify.
Not to be left out, Cisco, Microsoft and VMware all have zero-trust offerings. According to the Forrester Wave, Cisco and Microsoft are classified as strong performers and VMware is a contender.
So, how does an enterprise, which has devoted millions of dollars to building and reinforcing its perimeter defenses, suddenly shift gears and adopt a model that treats everyone, whether an executive working inside corporate headquarters or a contractor working from a Starbucks, as equally untrusted?
How to get started with a zero-trust security model
The first and most obvious recommendation is to start small, or as Cunningham puts it, “try to boil a thimble of water and not the whole ocean.” He adds, “For me, the first thing would be to take care of vendors and third parties,” finding a way to isolate them from the rest of the network.
Gartner analyst Neil MacDonald agrees. He identifies three emerging use cases for zero trust: new mobile applications for supply chain partners, cloud migration scenarios and access control for software developers.
Access control for his DevOps and IT operations groups is exactly what Sullivan implemented at Workiva, a company whose IT infrastructure is entirely cloud-based. Sullivan was looking for a more effective way to give his teams cloud access to specific development and staging instances. He ditched his traditional VPN in favor of zero-trust access control from ScaleFT, a startup that was recently acquired by Okta.
Sullivan says that now when a new employee gets a laptop, that device needs to be explicitly authorized by an admin. To access the network, the employee connects to a central gateway that applies the appropriate identity- and access-management policies.
“Zero trust as a concept was so overdue,” says Sullivan. “It’s clearly the right way to go, yet it took us nearly 10 years of whining and complaining before enterprise-ready solutions came out.”
Network-centric or identity-centric zero trust
Bekker says that the vendor landscape is coalescing around two camps: There’s the network-centric group that focuses more on network segmentation and application-aware firewalls, and there’s the identity-centric camp that leans toward network access control and identity management.
Taking the network-centric route is Robert LaMagna-Reiter, CISO at FNTS, a managed services provider based in Omaha, Neb., who overhauled his infrastructure using a zero-trust security stack from Palo Alto. LaMagna-Reiter says he had the unique opportunity a couple of years ago to essentially start with a blank slate and build out the next iteration of the company’s cloud-services platform so that it could extend to a multi-cloud world.
“Zero trust has allowed us to more granularly enforce what folks are doing on a day-to-day basis,” says LaMagna-Reiter. He attributes the success of his zero-trust initiative to the extensive upfront groundwork that was done to fully understand employee roles, to identify which assets and applications employees needed to do their jobs, and to monitor employee behavior on the network.
He started with a limited rollout in a non-critical support application and built out slowly, gathering support from business leaders at the company. “We’re showing folks that it’s not a technology decision, it’s a business strategy,” he says.
Entegrus, an energy distribution company in Ontario, Canada, is equally committed to zero trust, but its approach is centered on network-access control. With a mobile workforce of maintenance and repair personnel, meter technicians and field-service reps spread across a broad geographic area, each carrying multiple devices, Dave Cullen knew he had a broad attack surface that needed to be protected.
“We had a business requirement to start rebuilding our network,” says Cullen, manager of information systems at Entegrus. The need for a network overhaul gave Cullen the opportunity to start down the zero-trust path. He decided to work with PulseSecure to deploy its zero trust-based remote access and network access control tools. Cullen says it was crucial that the products paired seamlessly so that Cullen can apply policies when employees connect to the network.
“We brought it in slowly,” Cullen says, using a phased approach that entailed pilot projects and tweaks in a lab environment before deployment in the field. The top priority was making sure that the zero-trust infrastructure was seamless to the employees.
“Zero trust to me is more about intelligent business processes and data flows and the needs of the business. It isn’t just about using a firewall and network segmentation. It’s actually more about dynamically responding to an ever-changing environment,” adds Cullen.
Forrester’s Cunningham acknowledges that there’s some level of pain involved in transitioning to zero trust. But he describes the options this way: "Would you rather suffer a little bit now and get it right, or suffer in the long term and wind up with the next mega-failure notification?"
Zero trust: Prepare for an uncharted, unending journey
For anyone considering zero trust, here are two key takeaways. First, there is no zero-trust deployment roadmap, there are no industry standards and there are no vendor alliances, at least not yet. You have to pretty much roll your own.
“There is no singular strategy. There are 100 ways to scratch the itch. It’s whatever gives you maximum control and maximum visibility with the least amount of resistance,” says Cunningham.
Second, the journey is never over. LaMagna-Reiter points out, "there is never a done state. There is no clear definition of success." Zero trust is an ongoing process that helps companies respond to shifting business conditions.