Zero Trust: Replace your legacy VPN and deliver secure remote access

2020/09/21 04:21

What is Zero Trust?

Zero Trust (ZT) is probably one of the most talked-about topics, terms, or buzzwords on the cybersecurity market today. If you have attended any conference across the globe in the last 2 years in the cyber circuit, it is highly likely that you have run across this Zero Trust “thing”. But what is Zero Trust? Where did the concept and idea originate and why should we be inundated with this onslaught of Zero Trust shenanigans?

blog-replace-your-legacy-vpn-and-deliver-secure-remote-access-01.jpg

To understand what Zero Trust is, we must rewind the clock for about 16 years to the Jericho Forum. That was a group of academics that were sitting around pondering the more tangential issues in network security and how they might apply their brainpower to addressing that pivotal issue. At that time, nearly two decades ago remember, the most powerful asset in an enterprise to be introduced to the market was the NGFW, next generation firewall. This “all-powerful” device was supposed to be the game-changer in eliminating threats and helping to segment the infrastructure of on-perimeter systems and infrastructure. While this was innovative at the time it was not much more than a high powered dynamic segmentation tool. That being the case the members of the Jericho Forum adopted the research concept of “De-Perimeterized Security”. Essentially the focused effort of using that NGFW tool capability to extend control and segmentation throughout the infra- structure more dynamically but with a focus on not just a big high “wall” at the edge of the network. Instead, it would be a series of more granular segments with more focused controls and improved monitoring. This would be a watershed moment in the secure infrastructure forethinking and in truth, no one paid much attention other than the members of the Jericho Forum, and one Forrester analyst John Kindervag.

blog-replace-your-legacy-vpn-and-deliver-secure-remote-access-02.jpg

Jon was visionary enough to see the application of this approach was valuable and could change the game for more secure, and more controllable infrastructure at scale. Jon saw the coming power of the cloud and the potential for the problems that diverse and ever-growing infrastructure might create. He also had the foresight to realize that the world was moving to a space of BYOD (Bring Your Own Device) as a primary method of futurizing the workspace.

With that realization, his background in network security Jon looked for the most singular point of failure in that future state. After a year or so of research, he concluded that the “trust” that was installed and implied within this future state of architecture would be the harbinger of its failure. To much default sharing, over connectivity, and unfettered access would be problematic for any enterprise that was compromised, and Jon knew that compromise was a given, not a possibility.

With that as his basis, Jon coined the term Zero Trust and began the mission to spread his gospel that “trust” was the most important item to control in any infrastructure and at the time using the Next Generation Firewall (NGFW) was the way to do that. And that was where Zero Trust focused for the next decade or so, until around 2017 when technology finally caught up and more practical approaches to modern secure infrastructure became part of the 2020 state of Zero Trust.

As infrastructure grew and the need for secure connectivity of that BYOD workforce became the standard for the workplace, the VPN became the standard “secure” application that would be adopted to help enable a “secure” remote workforce. While at first, that seemed like a great concept and approach to the problem, in reality, thanks to the massive breaches that contained usernames and passwords and the nation-state hacks that compromised VPN providers the VPN became not much more than a hindrance for users at best and a direct pipe for hackers into a network at worst.

The VPN didn’t do much more than poke holes in those early Zero Trust systems and, was just allowing for direct connections into systems for the bad guys. NGFW and segmentation couldn’t fix the issue of a VPN when that connection for a BYOD user was authenticated with hacked password and administrator privileges. This technology plagued enterprises for nearly a decade.

replace-your-legacy-vpn-and-deliver-secure-remote-access-04.jpg
Browser Isolation, Virtualization and SDN

Now we arrive at the current state of the art in the industry, Software-Defined Networking, Browser Isolation, and Virtualization of infrastructure are keys to any future Zero Trust system. A dynamic space wherein everything can be remote and secure and the need for failed password-based authentication can be eliminated. True Zero Trust infrastructure can finally be deployed because these tools or capabilities have aligned with the reality of what is needed to enable this vital strategic initiative. Using a combination of these vital techniques now allows enterprises to adopt the basic tenets of Zero Trust and eliminate the default configuration issues that plague secure infrastructure and can enable a more dynamic workforce simultaneously.

blog-replace-your-legacy-vpn-and-deliver-secure-remote-access-05.jpg
Zero Trust is not an isolated initiative, it's an all-encompassing strategy

Think about how you would want to work, or even better how you would want your employees to work. Especially as we now see that remote work and BYOD is the new standard, not the option, for enterprises. To have a more “Zero Trusty” related enterprise, and one that is easier to actually work within, you would want to eliminate the VPN, push the security control from the internals of the infrastructure outward, and enable continual access as well. And do all that while never impacting the user experience. Oh, and you would want to use protocols that are “harder” to be used for exploitation. This means HTTP instead of RDP. Lastly, you would want to eliminate the issues that are present around old or out of date machines that users might want to work on as they operate in your enterprise. That would be incredibly difficult if you were to try and build that out on your own, and that approach would require large investments in time and effort to get to that final state.

Awingu, Zero Trust secure BYOD

Thankfully, Awingu has exactly this type of capability ready to deploy for its customers. With Awingu the users are never actually “on” the network, and there is no need for a VPN. By using the dynamic power of virtualized infrastructure combined with browser isolation the entire workspace for the user is “pushed” to them within a virtual connection.

End-users login via the browser of their BYOD (or managed) device. They get access to published applications, desktops and files remotely, in HTML5. No data sits locally. Even if the device is compromised, there is no direct access to your company assets.

There is no pipe that can be used by malicious hackers, all sessions are encrypted, and MFA is a default built-in offer for all customers. The user is also continuously authenticated as they operate in that secure remote session and the system is integrated with a Single Sign-On (SSO) capability to make login and ease-of-use readily available.

blog-replace-your-legacy-vpn-and-deliver-secure-remote-access-06.jpg