Rethinking Remote Access Security: Can Zero Trust Replace VPNs?

Virtual Private Networking (VPN) has been at the core of remote access solutions for years. VPN is well understood by IT, but it can be complex to deploy and secure. And the global health pandemic has helped to expose some of its shortcomings. VPNs don't always scale well to meet increasing demand. As many organizations have discovered, VPNs can reach capacity quickly, preventing users establishing new sessions and providing a poor experience for users who are already connected.

As hackers focus their efforts on remote workers, providing all-or-nothing remote access to corporate networks increases risk, especially where IT staff and external contractors need privileged access. Gone are the days when hackers are on the outside and users on the inside of a corporate network. All access requests should be treated as potentially malicious because intranets aren't a secure fortress.

As organizations look to provide ways to secure and deploy remote access solutions to an ever-growing number of employees, many are turning to zero-trust models to replace aging VPN solutions. Zero trust can be less complex to deploy and maintain than VPN. And by design, zero trust solutions are more secure, reliable, and better performing.

What is the zero-trust security model?

The zero trust security model was developed by former Forrester analyst John Kindervag more than 10 years ago. And since then, it has gone on to be adopted by Microsoft, Cisco, Palo Alto, Symantec, and many others. More recently, NIST and National Center for Cyber Security Excellence have published a document called NIST SP 800-207 Zero Trust Architecture.

The primary concept of zero-trust security is:

“Every user and connection should be verified before accessing IT resources, regardless of where the connection originates.”

Zero trust improves security by requiring secure and authenticated access to all resources. And least privilege is used to limit access to only the resources that users require to do their jobs. When organizations reach full zero-trust maturity, they must inspect and log all activities using Security Information and Event Management (SIEM) systems like Azure Sentinel and Splunk.

How security vendors help enable zero trust

Security vendors, such as BeyondTrust and Microsoft, let users access corporate assets using single sign-on and multifactor authentication without needing to establish a VPN connection. These zero trust solutions can replace VPN and reverse proxies. Microsoft’s Application Proxy service runs in the cloud and network traffic is terminated at Microsoft's servers. Likewise, BeyondTrust takes the same approach with their Privileged Remote Access solution. Organizations just need to deploy one or more on-premises connectors or endpoint agents so that the cloud services can connect to intranet-based assets.

Privileged Remote Access and Application Proxy simplify remote access because they don't require inbound connections from the Internet. All traffic is outbound on ports 80 and 443. A DMZ isn't required, but if organizations choose to deploy one, servers in the DMZ don't need to be joined to a domain. And because both solutions are cloud services, Microsoft and BeyondTrust each manage security, high availability, scalability, and distributed denial-of-service (DDoS) protection.

7 steps to zero trust maturity

To help organizations implement zero-trust security solutions, Microsoft promotes the following 7 steps to full zero trust maturity:

1. Secure identity with zero trust
2. Secure endpoints with zero trust
3. Secure applications with zero trust
4. Secure data with zero trust
5. Secure infrastructure with zero trust
6. Secure networks with zero trust
7. Provide visibility, automation, and orchestration with zero trust

The first two steps are the most important to implement initially:

Secure identity with zero trust: Multifactor authentication and passwordless sign-in both provide strong authentication for user identities. Azure AD evaluates risk factors during user logon sessions, and it provides real-time sign-in risk detection.

Secure endpoints with zero trust: Devices should be compliant with corporate policies before users connect to applications. Mobile Device Management (MDM) enrollment with Intune and Azure AD Conditional Access policy ensure devices are healthy and compliant before remote connections can be established.

Zero trust - next steps

While VPNs have their place, that scope is getting smaller and smaller. Zero trust is more secure, reliable, and flexible, while also providing better performance than VPNs. If privileged users need access to remote systems, zero trust can protect systems better by providing the necessary checks, session monitoring, and analysis of log data at every step. Least privilege security is also important to apply to deliver adequate protection against today's threats, regardless of which remote access solution you deploy.

To learn more, check out my on-demand webinar: Is VPN Dead?

BeyondTrust provides secure remote access, without a VPN, and helps organizations align with zero-trust initiatives. Learn more: