The Future of VPNs in the Zero Trust Era
I recently attended CloudNativeSecurityCon in Seattle. Most of the talks were about Zero Trust and how to implement these patterns in modern cloud architectures. Interestingly, there was no discussion about VPNs in any of the talks.
VPNs are increasingly seen as obsolete in the new world of Zero Trust. So what is Zero Trust, how is it different from VPNs, and do VPNs still serve a purpose, or are they just relics of an older era?
To see the difference, I’ll use the example of traditional office security versus modern office security.
In the past, you might have had a gate at the front of the office, with a guard checking badges and letting people in. This security only existed at the perimeter. Once people were in, they were free to move around, use the elevator, use the printers, and go into rooms.
Now think about a modern office. The doors, the elevators, the printers, the office spaces, all require a badge swipe for access, which verifies your identity and your permissions. It’s both more secure and more granular, allowing you to control who has access to what.
VPNs are a lot like that traditional security: traffic is checked once, at the point of entry, and the perimeter is the only control. Zero Trust is a lot like the modern office, where identity and authorization are checked every time a resource is accessed. The analogy is not exact, since real deployments borrow from both models, but it captures the general idea.
There’s a common misconception here, though. Zero Trust isn’t something you can buy; you have to implement it. Like DevOps or Agile, it’s a methodology, a set of principles: never trust a connection implicitly because of where it comes from, verify identity (and, where possible, device posture) on every request, and grant only the least privilege each request needs. There are tools you can buy that help “enable” Zero Trust, but the truth is that Zero Trust doesn’t exist without a holistic approach to enterprise security.
Meanwhile, an equal and opposite misconception is applied to the VPN. At its core, a VPN is just an encrypted tunnel that carries private network traffic over an untrusted network, and that is still used everywhere, including (spoiler alert) inside Zero Trust deployments. When the industry talks about VPNs, however, it usually means “legacy VPN products” rather than the concept itself, which causes some confusion. And there are now “modern” VPN products that are significantly changing the way we think about these tools.
Let’s clear up these misconceptions and discuss why VPNs are still used and how they fit into a Zero Trust implementation.
Why VPNs Are Still in Use
There’s a pretty simple reason why so many organizations today are still using VPN solutions instead of Zero Trust: Zero Trust is hard. Zero Trust affects everything in the business, and without a unified approach that spans all of your resources, you can’t implement it properly. And like DevOps or Agile, it’s not just a framework, it’s a cultural shift. So first of all, it just takes time.
But even as companies implement Zero Trust, they still find use cases that fall outside of the frameworks they’ve implemented. I’ve worked with many companies that needed a solution to provide secure access to, from, or between sites that doesn’t fit within their current Zero Trust approach. In those cases, a VPN provides the solution they need.
This can be because the target resources are not under the user’s control, sit at the network edge, or belong to another organization. VPNs continue to have a strong presence here. And for connecting sites, even with a Zero Trust solution in place, you still want traffic between sites encrypted in transit, which is exactly what a site-to-site tunnel provides.
VPNs within Zero Trust
A principle of Zero Trust is to limit the “blast radius” of a potential breach, whether the threat is internal or external. This is where a perimeter VPN still makes a lot of sense; the site-to-site case above is one example. More generally, think again about the modern office. You have badge readers on every door inside, but wouldn’t you still want a gate, and wouldn’t a guard at that gate reduce the chance of a malicious actor getting in at all?
By combining a perimeter VPN with a Zero Trust architecture, you get defense in depth. The VPN is your “minimum” security footprint, something to build on, and you make it increasingly secure by layering Zero Trust principles on top of it.
Modern VPNs
Beyond a simple perimeter, modern VPNs are making a comeback as enablers of, and in some cases alternatives to, Zero Trust patterns. Two properties of these new VPNs matter most for security posture: speed and point-to-point scoping.
Speed
Modern VPNs use newer protocols such as WireGuard, which dramatically increase throughput and cut connection setup time. WireGuard gets there with a small codebase, a fixed set of modern primitives (a Noise-based handshake over Curve25519, ChaCha20-Poly1305 for packet encryption, BLAKE2s for hashing) and, on Linux, a kernel-mode implementation, rather than the larger and often user-space designs of older products. Speed itself is not a security property, but it is often cited as the main reason not to use a VPN. After all, no one wants to cut application throughput in half, even for better security. As a result, organizations have been hesitant to put VPNs in infrastructure paths that need fast data transfer, because of the latency and throughput overhead of traditional VPNs. With WireGuard-based solutions that overhead is largely gone, allowing the VPN to make a comeback in infrastructure use cases.
Point to point
Traditional VPNs were typically point-to-site or site-to-site. Think Cisco AnyConnect, where you log in and land on the corporate network, or IPsec tunnels between Palo Alto Networks firewalls, where multiple offices and data centers are joined into one big network.
In comparison, point-to-point VPNs connect one specific machine directly to another. A peer that can reach only a single host has a far smaller attack surface than one that lands on a whole subnet, and that per-peer scope is a natural place to attach the granular access controls a Zero Trust framework needs. In WireGuard this scope is literally the AllowedIPs list on each peer: the tunnel only sends to, and only accepts decrypted packets from, the addresses listed for that peer’s key (what WireGuard calls cryptokey routing).
Combined with the speed advantage, this makes modern VPNs much more capable of integrating with corporate resources, connecting not just employee laptops and phones, but also servers, VMs, Linux containers, and more.
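As an added example (not configuration from the article or from any vendor it mentions), here is the difference between a site-style WireGuard tunnel and a point-to-point one for the same laptop-to-server link. The interface name, addresses, hostname and file names are hypothetical; the AllowedIPs semantics are WireGuard’s real behaviour. Keys are placeholders, generated on each machine with `wg genkey | tee laptop.key | wg pubkey > laptop.pub` (and likewise for the server).

```ini
# Added example, not the article's own configuration. Hosts, addresses and
# interface names are hypothetical; replace the <...> keys with the output of
# `wg genkey` / `wg pubkey` on each machine.

# --- /etc/wireguard/wg0.conf on the laptop, site-style (weak) ----------------
# AllowedIPs covers the whole data-center range, so once the tunnel is up the
# laptop can reach every host behind the server, not just the one it needs.
[Interface]
PrivateKey = <contents of laptop.key>
Address = 10.8.0.2/32

[Peer]
PublicKey = <contents of server.pub>
Endpoint = vpn.example.internal:51820
AllowedIPs = 10.8.0.1/32, 10.20.0.0/16
PersistentKeepalive = 25

# --- /etc/wireguard/wg0.conf on the laptop, point-to-point (preferred) -------
# Only the server's own tunnel address is allowed. WireGuard uses this list
# both for routing out and for accepting in ("cryptokey routing"): packets to
# any other destination never enter the tunnel, and packets arriving from this
# peer with any other source address are dropped.
[Interface]
PrivateKey = <contents of laptop.key>
Address = 10.8.0.2/32

[Peer]
PublicKey = <contents of server.pub>
Endpoint = vpn.example.internal:51820
AllowedIPs = 10.8.0.1/32
PersistentKeepalive = 25

# --- /etc/wireguard/wg0.conf on the server -----------------------------------
# The server side is point-to-point from the start: the laptop's key may only
# speak as 10.8.0.2. Adding a second client means adding a second [Peer] block
# with its own key and its own single /32, never widening an existing one.
[Interface]
PrivateKey = <contents of server.key>
Address = 10.8.0.1/32
ListenPort = 51820

[Peer]
PublicKey = <contents of laptop.pub>
AllowedIPs = 10.8.0.2/32
```

Bring either variant up with `wg-quick up wg0` and confirm the handshake with `wg show`. The point-to-point variant is still only network-level control: the laptop can reach every port on 10.8.0.1, so the server’s host firewall and the per-resource, identity-based authorization the next sections describe are what narrow it further. That is the layering the article argues for: the tunnel sets the floor, Zero Trust controls raise it.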
Blurred lines
With modern VPNs offering both high-speed and point-to-point connections, the line between VPN and Zero Trust is starting to blur. These VPNs are increasingly adding access controls that take over parts of a Zero Trust implementation. In fact, you’ll see some VPN products now advertising themselves as Zero Trust solutions.
Over time, we will likely see this confluence continue, with VPNs becoming more flexible and Zero Trust principles being implemented to provide both network-level security as well as resource-specific and identity-based authorizations.
Conclusion
With or without Zero Trust, VPNs are likely here to stay, with modern VPNs evolving to meet modern enterprise security needs. Establishing a network perimeter will help ensure a baseline of network security upon which organizations can implement Zero Trust principles, in addition to the edge cases that fall outside of any deployed Zero Trust framework. By using both, organizations can protect against attacks from both the outside and the inside.
This article was produced as part of TechRadarPro’s Expert Insights channel, where we showcase the best and brightest minds in the technology sector today. The views expressed here are those of the author and do not necessarily represent those of TechRadarPro or Future plc.