In a business world that is facing an ever-increasing and intensifying threat landscape, enterprises must re-evaluate their current perimeter security approach. This month we are sharing a blog from one of the pioneers of the “Zero Trust” mentality, Akamai. We take a look at how VPNs are out of date and why we should all be adopting the ‘never trust, always verify’ mentality.
Attention world: In 2018, we officially surpassed 4 billion internet users – and there are no signs of this adoption rate slowing down. Yet the Internet as we know it has only been around since the 1990s. Along with it, different iterations of virtual private networks (VPNs) have been created and utilized. Why have end users used this technology to connect remotely to private networks on a gigantic scale? Simply put, VPNs are seen as efficient and can enhance productivity in a variety of ways, but (and there is always a “but”) the assumption is that they are completely secure. Unfortunately, both unscrupulous individuals and organized crime groups have proven VPNs aren’t the panacea that organizations think they are.
One high-profile and well-known example of this is the Target breach of 2013. This now-infamous case was the result of malicious actors hacking a third-party Target contractor, compromising their machine, and gaining access to the corporate network to steal data. When a VPN tunnel is opened between a client and a corporate VPN device (usually on the inside of the network), all applications can traverse that tunnel, and that traffic goes mostly unmonitored.
In today’s working environment, third-party contractors, remote workers, support teams, and the like all need access to mission-critical back-end systems. These systems can reside in the cloud or in “secure” data centers, but either way, they house information that must be accessed. Historically, to get a user onto a system, said users were equipped with something they know (password), something they have (second-factor device) and something they are (username). Yet, this isn’t always practical with third-party users who sometimes lack one of these three credentials and do not have a solid cryptographic fingerprint. Sometimes they are given dispensations to access systems, but without the correct level of authentication, the entire network may as well be considered compromised.
To their peril, many companies prioritize productivity and maximizing profit at the expense of fundamentally necessary security. Security is often seen as a hindrance because of the amount of effort needed to implement and log in. Traditional difficult requirements include multiple hard-to-remember passwords and multi-factor authentication tokens that are easily misplaced, which cause helpdesk requests and delays.
On top of all this, VPNs add significant costs to organizations, as each access point (multiple data centers or clouds) requires additional hardware (VPN concentrators, IDS/IPS, proxies, firewalls, etc.). Not to mention, the number of resources needed to manage all the policies and access controls skyrockets with the solution. Mismanagement of this can lead to even greater lapses in security.
What is a company to do? VPNs are expensive and can have some security constraints, but the costs associated with both reputation tarnishing and data loss are even greater and far-reaching. The better choice: enable a zero trust mentality around network access. This starts by only providing access at the application layer based on who the user is and what they have. In other words, authenticate the user only to the applications they are authorized to use (nothing more), and enforce multi-factor authentication. This allows organizations to secure access to resources and reduce the amount of hardware and periphery that go along with it.
So, in the new age of the Internet with the growing number of users, threats, and applications – are VPNs really a thing of the past? In short, the practicality of VPNs is no longer what it once was. The high cost of running and maintaining VPNs, combined with the various factors associated with third-party access (such as the above Target case), shows that a fundamentally new approach to access is needed. A zero trust approach is a new paradigm for many, but the first step is awareness.
At activereach we support businesses that are looking to implement a Zero Trust architecture. We are currently offering a free ‘Health Check’ security assessment that will analyse a site’s DNS traffic, and report back on any malware or phishing attacks that are detected – even with antivirus software and network firewalls in place! Get in touch with activereach on 0845 625 9025 to learn more about this.
This article was first published on the Akamai blog on 21st May 2018