In this blog, we highlight the limitations of VPN, NAC, and firewalls, and how Zero Trust Access can overcome them.
As a result of the pandemic-driven changes in the workplace and IT environments, bad actors have adapted rapidly to exploit a growing attack surface. During 2020 and 2021, we’ve seen ransomware-as-a-service wreak havoc in the IT supply chain and critical infrastructure, just as IT organizations were migrating infrastructure and applications to the cloud and trying to secure access for a workforce that had suddenly become majority-remote. It’s been a rollercoaster across all industries for organizations of all sizes, to say the least.
Users, devices, applications, and data have for the most part left the traditional perimeter, and as a result, traditional security controls are failing to secure them. Enterprise networks have become more challenging than ever to secure against ever-growing cyber threats from both outside and inside the new perimeter. Rogue applications, unmanaged IoT devices, and the overlap of IT and Operational Technology (OT) networks compound these difficulties, and the risk grows as the attack vectors multiply. Network availability and productivity suffer too, because traditional cyber defenses do not scale.
These trends have led to a redefinition of the enterprise perimeter, which is now centered on the identities of users, devices, applications, and data. Identity, it is often said, is the new perimeter. By now, you have probably read enough about the Zero Trust model to be confused by the sheer amount of spin around this information security concept. To keep it simple, short, and sweet, let’s stick to the fact that Zero Trust is not a product but a premise from which to derive a ubiquitous information security strategy and the controls that operationalize it. Zero Trust is based on the assumption that all network communications are compromised and therefore should be untrusted, regardless of whether they occur inside or outside a network’s boundaries. Minimizing risk under that premise requires that identities be continuously verified and access continuously authorized, regardless of location in the network.
Zero Trust is essentially a journey toward the aspirational elimination of the attack surface. In this regard, identity has a central role. But identity alone is not enough. It is behavioral intelligence that should deliver end-to-end protection for all of your assets, regardless of location. There is a pressing need to contextualize three things together: identity, environment, and behavior. This new, fluid perimeter combines all three, and organizations should manage it with a simple business-logic policy that securely connects all of their assets across every domain: campus, branches, data center, cloud, and remote.
Although the concept of Zero Trust has been around for a decade or so, it has always been challenging to operationalize because the traditional security controls, designed under the premise of implicit trust, are inefficient and ineffective at enabling it at scale.
Let’s list some of the limitations of these legacy security controls:
User-to-application access from outside the traditional network perimeter has been traditionally secured with VPN, but:
NAC technology has been around for a while, but it is showing its age vis-à-vis the evolving threat landscape.
Deploying and managing firewalls across an SD-WAN is quite an undertaking, and firewall policy drift is a common ailment. This is why:
All these limitations drive the requirements for the transformation of network security and of how information security is approached altogether. Some of this transformation was in progress before the pandemic, but it accelerated rapidly out of necessity when the pandemic struck. Zero Trust is still riding the hype curve, and many fragmented point solutions exist that address specific use cases without accounting for the bigger picture. That bigger picture is the need to decouple security from the underlying network construct, so as to avoid the traditional cybersecurity-versus-networking trade-offs that cripple either network availability or the security posture.
There is also a need for ubiquitous access policy management (across all domains) and for simplification, via automation, of cybersecurity operations to accelerate detection and response times. An ideal Zero Trust Access (ZTA) platform should deliver full visibility into what is flowing through the network (users, devices, apps) by integrating with existing identity providers (IDPs). The solution should also provide a unified policy management plane across multiple domains, addressing the need for both ubiquity and agility.
Only then, through a single pane of glass across all domains, can the never-ending Zero Trust journey to eliminate the attack surface begin. Organizations can start by securing the crown jewels first, or by piloting Zero Trust Network Access (ZTNA) to secure access for the hybrid workforce. Alternatively, network security architects may choose to learn the ropes of Zero Trust network security by addressing the sprawl of IoT in the workplace. Whatever the most pressing use case may be, the worst thing they can do is lose sight of the long game: the same solution should address all use cases and avoid the network chokepoints that prevent scalability.
The ideal end game is a distributed architecture in which multi-domain policies are managed centrally but distributed and enforced as close to the resources as possible, with continuous identity verification through integration with any flavor of IDP, including those that provide telemetry about health status and other contextual attributes alongside identity. By making identity, context, and behavior the new (and now dynamic) enterprise perimeter, it becomes easier to manage risk and to implement a potent cyber defense that works under the Zero Trust paradigm.
Elisity offers an identity-driven control plane for corporate networking and remote access without tying customers to a particular network or network security technology. Its Cognitive Trust platform, delivered as a cloud-based service, is deployed as an overlay or underlay on whatever WAN and/or SD-WAN infrastructure an enterprise prefers, protecting data, users, devices, and applications in the data center, in the cloud, at home, and everywhere in between. Request a demo and see the possibilities with Elisity Cognitive Trust.