The Banyan Security Blog

Garrett Bekker III

Principal Research Analyst, S&P Global Market Intelligence
@gabekker


In the wake of the COVID-19 pandemic, remote access has become a critical aspect of most organizations’ overall IT strategy. Before Covid hit, 451 Research survey data showed that just over a quarter of employees worked all or most of their time either from home or from another ‘non-office’ fixed location (like Starbucks). Post-Covid, however, fully three-quarters of enterprises are saying that ‘work-from-home’ (WFH) will be part of their operating strategy going forward.

Providing security for those remote users has become equally critical. Additional 451 Research data shows that the top three methods for securing remote access are multi-factor authentication (MFA), VPNs and Zero Trust Network Access (ZTNA). The popularity of VPNs is not a huge surprise, given that the rapid spike in WFA demands due to Covid lockdowns led to a sharp rise in VPN usage. Many firms already had VPNs in place, and simply added new licenses to support more of their employees working remotely.

In some ways, the outbreak of Covid could be considered the ‘world’s largest experiment in WFH.’ Similar to the situation after 9/11, scores of workers needed remote access virtually overnight, and VPNs were the main avenue for doing so. While this battlefield triage largely worked, firms are coming to realize the limitations of VPNs in terms of performance, reliability and security. For starters, VPNs can be a challenge to deploy: they typically involve not only installing new hardware or images but also rolling out VPN client software, which can be an issue for large numbers of workers, and also for non-employees or consultants who may not be able to install VPN clients on their machines. VPNs also present security challenges, in the sense that they give users broad access to an entire flat network segment, rather than to just the applications those users need to do their jobs. No surprise then that additional 451 Research survey data shows that just over one-third of respondents “strongly agree” that VPNs have met their security requirements during the pandemic, and only half ‘somewhat agree’ that their VPN has met their needs – not exactly a ringing endorsement.

VPNs are clearly a legacy technology that many firms would like to move on from. And one of our other top survey responses, ZTNA, is a logical alternative to VPNs. ZTNA allows firms to move from WFH to ‘work-from-anywhere’ (WFA), which basically means access to any application and any resource, regardless of the hosting model, from any device and over the public internet, with the appropriate level of security. But VPNs are also a store of years of security policies and business logic that are hard to let go of. How can firms make the transition away from VPNs without starting all over from scratch? How can they move to a more Zero Trust-based approach without boiling the ocean?

One suggestion for making progress on your own zero trust journey is to follow an incremental “deploy-as-you-go” model for admins and users: migrating one app at a time, using permissive (learning) mode rather than enforcing mode, and generally co-existing with VPNs. Another possibility is to provide secure tunnels, but with more granular access than a traditional VPN, by including continuous authentication and device trust checking that looks at things like patches and configurations of the user’s device. Going this route doesn’t require that you “throw out the baby with the bath water” and should be far more resource- and time-friendly as well.

A ZTNA approach can also offer deep visibility into the apps, services, users, devices, and activity that are present on the network, providing insights that can lead to better control and accountability; VPNs sometimes provide a log showing what users are doing through the VPN, but offer no such visibility into IaaS and other resources the organization is using. ZTNA can also allow for a least-privilege access model that gives users access to only those resources they need to do their jobs, and nothing more. And a least-privilege approach can help reduce or eliminate lateral movement and provide for better overall security, in addition to a better user experience.

In conclusion, it’s worth your time to do a bit of homework to identify a ZTNA solution that can help you reach your zero trust goals within the constraints of the resources you presently have. Doing so can set you up for measurable success rather than wondering how or if the journey will end.