When was the last time you heard that an organisation had sensitive data stolen from a physical data center by cyber criminals sneaking in and stealing a server or hard drive? Not any time recently, I am sure. Why is it, then, that data is stolen regularly via the internet? Quite often the weak point is the devices that form the entry point into the organisation, such as VPNs. VPNs are a 28-year-old legacy technology that advertises an IP address to the internet, and that address is quite often exploited.
Just recently, CISA forced every US government agency to turn off their Ivanti VPNs, with over 2,200 VPNs potentially compromised. Malicious individuals can exploit these VPN vulnerabilities to navigate through systems, steal data, and gain persistent access, ultimately leading to complete compromise of the targeted information systems. Interestingly, a VPN risk report commissioned by Zscaler reveals that 88% of companies worldwide are worried that VPNs are putting their ability to maintain a secure environment at risk.
Although the process of shutting down the service may appear straightforward, it actually triggers a chain reaction that can significantly affect an organisation's productivity, connectivity, and security simultaneously. IT teams are now faced with the daunting challenge of swiftly addressing three critical aspects: (1) securing the communication between devices in the absence of the VPN, (2) guaranteeing remote staff's continued access to crucial files, and (3) minimizing any potential downtime that could result in inevitable productivity losses.
You might think that you're caught in a difficult situation, but that's not entirely true. Introducing: Zero Trust. The solution to this persistent dilemma is not a new concept and has been around for quite some time. However, there are numerous narratives circulating that have altered people's understanding of Zero Trust.
One True Zero Trust: What does it truly entail?
VPNs, by their very nature, do not align with the principles of Zero Trust. Zero Trust represents a distinct architectural approach that diverges from traditional firewall and VPN structures. Unlike these structures that necessitate traffic backhauling to intricate stacks of appliances, whether physical or virtual, zero trust delivers Security-as-a-Service directly from the cloud and at the edge. It offers secure connectivity in a one-to-one fashion, enabling any user to connect directly to any application. Zero Trust does not introduce any entities to the network as a whole and follows the principle of least-privileged access.
In other words, with Zero Trust, security and connectivity are successfully decoupled from the network, allowing you to circumvent the aforementioned challenges of perimeter-based approaches. However, with VPNs, lateral movements across the organisation’s network are commonplace, which can often lead to ransomware attacks. A Zero Trust architecture will:
- Minimise the attack surface by eliminating firewalls, VPNs, and public-facing IP addresses, allowing no inbound connections, and hiding apps behind a zero trust cloud.
- Stop compromise by leveraging the power of the cloud to inspect all traffic, including encrypted traffic at scale, in order to enforce policies and stop threats in real time.
- Prevent lateral threat movement by connecting entities to individual IT resources instead of extending access to the network as a whole.
- Block data loss by enforcing policies across all potential leakage paths (including encrypted traffic), protecting data in motion, data at rest, and data in use.
Furthermore, Zero Trust architecture addresses numerous challenges associated with firewalls, VPNs, and perimeter-based architectures by improving user experiences, reducing operational complexity, saving costs for your organisation, and providing additional benefits.
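The two points that matter most for the VPN comparison are that the app side only ever dials out to a broker (no inbound listener, no public IP) and that each request is decided per user and per app rather than by network reachability. The following is an added toy model of that brokering, written for this post and not Zscaler's code; the `Broker` class, its policy table and the app and user names are all constructed for illustration.

```python
"""Toy model of inside-out, per-app brokered access (constructed example, not product code).

App-side connectors open OUTBOUND connections to the broker, so the app exposes
nothing to the internet. Users never receive a network route; each request is
evaluated as (user, device posture, app) and yields either one brokered session
or a denial. Anything not explicitly allowed is denied.
"""
from dataclasses import dataclass, field


@dataclass
class Broker:
    # app name -> id of the connector that dialled out to us (app has no inbound listener)
    connectors: dict = field(default_factory=dict)
    # user -> set of apps that user may reach; absence means deny (default deny)
    policy: dict = field(default_factory=dict)
    # every decision is recorded, which is what a defender reviews for probing attempts
    audit: list = field(default_factory=list)

    def register_connector(self, app: str, connector_id: str) -> None:
        """Called when an app connector has established its outbound link to the broker."""
        self.connectors[app] = connector_id

    def request(self, user: str, app: str, device_compliant: bool = True) -> tuple:
        """Decide one user-to-app request; returns (allowed, reason)."""
        if not device_compliant:
            decision = (False, "device posture failed")
        elif app not in self.policy.get(user, set()):
            decision = (False, "no policy for user->app")
        elif app not in self.connectors:
            decision = (False, "no connector registered for app")
        else:
            decision = (True, f"brokered via {self.connectors[app]}")
        self.audit.append((user, app, decision))
        return decision


def reachable_apps(broker: Broker, user: str, apps: list) -> list:
    """Apps a user can actually reach. With a VPN every app on the subnet would be
    reachable once the tunnel is up; here only the policy set is, so lateral movement
    attempts show up as denials in broker.audit instead of as open connections."""
    return [a for a in apps if broker.request(user, a)[0]]


if __name__ == "__main__":
    b = Broker()
    b.register_connector("hr-portal", "conn-1")       # constructed sample apps
    b.register_connector("finance-db", "conn-2")
    b.policy = {"alice": {"hr-portal"}}               # alice may reach only hr-portal
    print(reachable_apps(b, "alice", ["hr-portal", "finance-db", "wiki"]))
    print(b.audit)
```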
How can Zscaler help with your VPN dilemma?
Zscaler’s cloud native zero trust network access (ZTNA) solution gives all users fast, secure access to private apps from any location. It reduces your attack surface and the risk of lateral threat movement: there are no more internet-exposed remote access IP addresses, and connections are brokered inside-out. It is easy to deploy and enforces consistent security policies across campus and remote users.
Zscaler Private Access™ (ZPA) allows organisations to secure private app access from anywhere. Zscaler connects users to apps, never the network, with AI-powered user-to-app segmentation and prevents lateral threat movement with inside-out connections.
What’s more? Zscaler is also offering a 60-day free trial of our ZPA license for customers adopting zero trust architecture. This cloud native solution replaces VPNs, providing secure access with full deployment assistance in as little as 24 hours.
If you are looking for a more technical breakdown of the Ivanti vulnerabilities, do check out the blog penned by our Chief Security Officer, Deepen Desai, here.