Can Zero Trust security models work with your VPN?


One lesson from the last year that most companies seem to have learned is that cyber criminals don’t take time off. During the pandemic, cyberattacks increased, with the FBI’s Cyber Division receiving between 3,000 and 4,000 cybersecurity complaints a day, compared to pre-pandemic rates of 1,000/day.

As bad actors took advantage of vulnerable work-from-home IT connections, attacks on industries such as healthcare and education also grew with cyber criminals targeting increased remote use and virtual learning that could provide entrance to a network.

As we move into 2021, there is new optimism regarding the pandemic. However, companies are signaling that employees will continue to work from home or work in hybrid environments such as one week in the office, one week at home. Many companies have also realized the benefits of allowing their teams to work from anywhere; the flexibility has increased productivity by allowing people to work where and when is best for them. While more workplace flexibility is good news for employees, it’s also good news for hackers, some of whom have turned their focus to home networks, which they perceive as easier to penetrate.

Indeed, the growing number of cyberattacks and security risks has companies investigating or moving to zero-trust strategies. Zero Trust isn’t a platform or device. Rather, it’s an initiative to protect digital environments based on one key principle: instead of first making services available and then locking down access to those services, no access is granted at all unless it is specifically and deliberately given. This principle is applied to users and devices.

It’s a simple and clear concept, but as with other more recent trends, the ‘how’ can vary depending on the way each vendor implementing the concept chooses to do so. At its core, it uses micro-segmentation to break up security perimeters into small zones to create separate access points for separate parts of the network. While access may be granted to one zone, access to other zones will require separate authorization. Policies are often set to give users the least amount of access needed to complete a task.

In addition, Zero Trust employs other security measures such as two-factor authentication, identity and access management (IAM), and other verification methods, or uses an Identity Provider so that all authentication and authorization is centrally managed.


With the rise in cyberattacks in 2020, many have pointed the finger at VPNs as an unwilling accomplice. Bad actors targeted VPNs because they knew that many companies, in quickly moving their employees to a remote working environment, were using older implementations of VPN protocols with exploitable security holes. In addition, employees found that older VPN technologies reduced their connection speeds, which led them to turn their VPN off and so reduce security as they connected to their corporate network.

While there has been a rise in vulnerabilities of VPNs due to more usage over the last year, newer VPN technologies with advanced types of cryptography are evolving to ensure the protection of information transmitted across the internet. WireGuard® VPN, for example, uses state-of-the-art cryptography, is one of the fastest VPN protocols, and is becoming more popular.

However, Zero Trust can incorporate VPN technologies and build on the investments that have already been made. In a Zero Trust model, before access to anything is granted over the VPN, the connection must receive explicit confirmation that the user has specifically and deliberately been given permission to access it. Many available VPN technologies are provided alongside technology that helps assess that permission, such as deep packet inspection, application awareness, and decryption and encryption.
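The per-zone authorization and the explicit confirmation for VPN connections described above can be sketched as a default-deny policy check. This is an added example, not code from any vendor or product; the zone names, subnets, users, device IDs and the `decide` function are all constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample micro-segments (zones) behind the VPN gateway.
ZONES = {
    "hr-apps": ip_network("10.10.1.0/24"),
    "build-servers": ip_network("10.10.2.0/24"),
}

@dataclass(frozen=True)
class Grant:
    user: str
    device_id: str
    zone: str
    ports: frozenset  # least privilege: only the ports the task needs

# Constructed explicit grants: nothing outside this list is reachable.
GRANTS = [
    Grant("alice", "laptop-7f3a", "hr-apps", frozenset({443})),
    Grant("bob", "laptop-22c1", "build-servers", frozenset({22, 443})),
]

@dataclass(frozen=True)
class Request:
    user: str
    device_id: str
    mfa_passed: bool
    dst_ip: str
    dst_port: int

def zone_of(dst_ip):
    """Map a destination address to its zone, or None if it is in no zone."""
    addr = ip_address(dst_ip)
    return next((name for name, net in ZONES.items() if addr in net), None)

def decide(req):
    """Return (allowed, reason); anything not explicitly granted is denied."""
    if not req.mfa_passed:
        return False, "mfa-required"
    zone = zone_of(req.dst_ip)
    if zone is None:
        return False, "destination-not-in-any-zone"
    # Both the user and the device must match a grant for this exact zone.
    matching = [g for g in GRANTS
                if (g.user, g.device_id, g.zone) == (req.user, req.device_id, zone)]
    if not matching:
        return False, "no-grant-for-user-device-zone"
    if any(req.dst_port in g.ports for g in matching):
        return True, f"granted:{zone}"
    return False, "port-not-granted"
```

A grant for one zone gives no access to another, and a known user on an unregistered device is denied just as an unknown user would be.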

While many of us would like to forget 2020, the amount and severity of cyberattacks cannot be forgotten. Network security teams need to make it harder for attackers to access critical information. By combining Zero Trust with newer VPN technologies, companies can protect their business, critical data and remote workers.