IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.
Sponsor Content
What does this mean?

Cybersecurity Kryptonite: Eliminate Your Exposure

A smartphone screen showing a VPN connection interface.
Shutterstock

Legacy VPNs, once a cornerstone of secure network access, have now become cybersecurity vulnerabilities. Learn why Zero Trust Network Access is the modern solution for secure, high-performance remote access, improving user experience while eliminating risks associated with VPNs.

When the federal zero-trust strategy (OMB M-22-09) hit the streets in early 2022, it required a governmentwide baseline level of zero-trust maturity by September 2024. This wasn’t high-level guidance; the actions were quite specific. And one of them took aim at a shiny green nugget: the legacy virtual private network (VPN).

Why? Because legacy VPNs are cybersecurity kryptonite. Like the fictional power-sapping crystal, they weaken your security architecture every minute they’re still around.

VPNs ARE THE ANTI-ZERO-TRUST TECHNOLOGY

Virtual private networks are completely at odds with zero-trust fundamentals. A quick review of NIST’s definition offers more than enough proof:

Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least-privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.
(Zero Trust Architecture, NIST SP 800-207)

Three key phrases stand out:

  • Network viewed as compromised. This “assume breach” concept means that we must act as though attackers are always on our internal networks. It’s a sharp contrast from legacy security perimeters, where cyber walls attempt to define a “trusted” internal network — which they failed to do. Therefore, in a zero-trust architecture, you can’t trust something simply because it’s on your internal network. But that’s precisely what legacy VPNs do. After a one-time authentication, they simply drop users onto your internal network. 
  • Per-request access decisions. In a zero-trust architecture, trust is never earned, so every access request must be continually re-evaluated using the latest evidence of risk. That's because a person’s or device’s risk posture can change quickly if the device is breached, the user behaves suspiciously, if their user account is compromised. Some legacy VPN technologies can make point-in-time device posture checks, but they typically keep sessions open until users log themselves off or a timeout threshold is reached. In a sense, legacy VPNs “assume trust” for the duration of the session, unable to re-evaluate any access decisions until it’s time for a user to log back in. 
  • Least-privilege access. Legacy VPNs let users go wherever the network will take them, blind to the resources they’re accessing. Some may work together with network segmentation to limit how far they can go, but VPNs are simply unable to enforce least-privilege access to applications. With that in mind, let’s view this against the federal zero-trust strategy’s vision of making workforce applications “accessible over the Internet without relying on a VPN or other network tunnel.” The reason is clear: VPNs and other network tunnels are completely outdated in a zero-trust world. 
We could go on and on with other reasons why VPNs weaken your security posture, like the burdens of managing, configuring, patching and scaling VPNs — but let’s not even go there. Legacy VPNs are the anti-zero-trust technology, the kryptonite of your modern zero-trust architecture.

VPNs ALSO DEGRADE USER EXPERIENCES

Let’s say you have two data centers — one in Washington, D.C., and the other in London — interconnected by a telco-provided MPLS private network. Both data centers have internally managed security stacks and provide access, but London is the primary for many internal mission-critical applications.

Now let’s say Lois is a remote user in San Jose, Calif. She requires access to London-hosted internal applications, but she also uses SaaS apps like Salesforce and the Internet. Each day, she opens her VPN client and authenticates to the nearest VPN concentrator, which happens to be on the other side of the country. Her traffic travels from coast to coast because security policy prohibits simultaneous connections to both internal and external networks (that is, no split tunneling). This “hair-pinning” effect adds network latency and internal system load that degrades her overall experience.

Furthermore, some of Lois’ traffic takes a transatlantic voyage aboard your expensive MPLS network to reach London-hosted applications. Delays introduced by the D.C.-based VPN concentrator, the data center networks and the MPLS wide area network — and the long journey back to California — accumulate and further affect her user experience.

A traditional VPN deployment
Figure 1: A traditional VPN deployment, where all user traffic destined for the Internet must route through the company hosted and managed VPN service.
But the worst part about this? The assumption that Lois, her device and her traffic are trusted for the duration of her session. The legacy VPN simply placed her on the internal network and allowed her to travel freely through two mission-critical data centers. What if her device was compromised during that session?

ZERO-TRUST NETWORK ACCESS SAVES THE DAY

What’s the modern-day superhero for secure, high-performance remote access? This looks like a job for Zero Trust Network Access (ZTNA).

With ZTNA, Lois never accesses internal networks herself. Instead, she authenticates to a cloud-based ZTNA service that makes secure application connections on her behalf. Inside the ZTNA service are policy decision and enforcement points that constantly evaluate and re-evaluate Lois’ access requests and risk posture when granting access. ZTNA simultaneously controls access to internal applications, SaaS apps and Internet sites — all from a central control plane. It’s the beginning of a modern zero-trust architecture.

Lois also has a nearby onramp. Rather than establishing that long VPN connection to the D.C. data center first, she can simply connect to the closest access point in San Jose. If zero-trust policy allows, the web gateway frees her to access SaaS apps and the Internet using the fastest route from where she is — while still protecting her from malicious sites and content. And because the London data center also has a nearby onramp, the ZTNA service makes internal application requests locally and delivers data back to her much faster.

Her user experience improves, and so does your security posture. And none of the traffic ever hits your expensive MPLS network.

SASE platforms do not degrade user Internet access experience
Figure 2: SASE platforms do not degrade user Internet access experience, and provide fast, secure global access to self hosted hosted resources.

But perhaps the biggest advantages tie back to NIST’s zero-trust definition:

  • Compromised networks are no problem. Applications are visible only to the ZTNA service, and they only accept requests from the ZTNA service too. If an attacker breaches your internal network, they are unable to locate or access critical applications. This protects against denial-of-service attacks, vulnerability exploitation and countless other adversary tactics, techniques and procedures. It helps you break down outdated security perimeters and safely make workforce applications Internet-accessible, accomplishing two key actions from the federal zero-trust strategy. 
  • Per-request access decisions are constantly evaluated. Because the ZTNA service makes each request on the user’s behalf, it can re-evaluate each request too — and adjust access policy dynamically when the risk profile is too high. This helps you realize the true spirit of zero trust where trust is never earned, and access is stated explicitly and always verified. 
  • Least privilege is enforced with an agile approach. The federal zero-trust strategy acknowledges that making workforce applications Internet-accessible without familiar VPNs is a major shift where “the chances of long-term success will be improved by beginning with an agile approach.” ZTNA is that agile approach that not only helps you begin your zero-trust journey, but also lays the foundation for you to reach optimal maturity. 
CONCLUSION: ELIMINATE EXPOSURE TO CYBERSECURITY KRYPTONITE

You may not become superman by adopting Zero Trust Network Access, but you’ll certainly strengthen your security architecture by eliminating exposure to cybersecurity kryptonite. By replacing legacy VPNs, you’ll be able to:

  • Take the first steps toward a zero-trust architecture with an agile approach; 
  • Improve and simplify experiences for remote users; and
  • Dramatically cut the traffic flowing through internal networks and security stacks. 
At Cloudflare, we help organizations of all sizes succeed with zero trust. Learn how Cloudflare One modernizes your network and protects your workforce with our unified cloud-native platform. And for a technical deep-dive on VPN replacement, we published a reference architecture for network and security experts responsible for planning and implementing zero-trust architectures.

ABOUT THE AUTHOR

Steve Caimi is principal product marketing manager at Cloudflare.

Tags:

Cloudflare