October 22, 2019
In a world where traditional network boundaries no longer exist, VPNs are showing their age.
Virtual private networks (VPNs) have been around for over two decades, providing encrypted tunnels for communications and data. There are several kinds of VPN (SSL-VPNs and IPsec, to name two), but the basic idea is the same regardless of the implementation: the VPN builds an encrypted IP transport tunnel, and the data is assumed to be safe because the link carrying it is encrypted.
The concept of the software-defined perimeter (SDP) is somewhat newer, originally coming onto the scene in 2013 under the initial direction of the Cloud Security Alliance (CSA). In the SDP model, an encrypted tunnel is not treated as safe simply because it uses Transport Layer Security (TLS); there is no assumption of trust at all, which is why many vendors use the term "zero trust" in connection with SDP.
In a typical SDP architecture, every connection is validated and inspected at several points to establish that it is authentic and to limit risk. A controller defines the policies under which clients may connect and which resources each may reach. A gateway component sits in front of the data center or cloud resources and forwards only the traffic the controller has authorized. Devices and services run an SDP client that authenticates to the controller and requests access to specific resources, rather than to the network as a whole. Some SDP implementations are agentless.
The basic premise under which VPNs were originally built and deployed is that there is an enterprise perimeter, ostensibly protected by perimeter security devices such as firewalls and IDS/IPS. A VPN lets a remote user or business partner tunnel through that perimeter and, once inside, receive the same network-level access as someone sitting on the local LAN.
The reality of the modern IT enterprise is that the perimeter no longer exists: staff, contractors and partners work on campus, remotely, in the cloud and all over the world. That is the world SDP was born into and is designed to address.
VPNs are no longer the be-all and end-all solution for securing access that they were once promised to be.
VPNs are still widely used today and remain useful for certain remote-access and mobile-worker needs, but they involve a certain amount of implicit or granted trust. The enterprise network assumes that whoever presents valid VPN credentials is the legitimate holder of those credentials and should be admitted. If that user turns out to be malicious, or the credentials were stolen, an unauthorized person now has access to the internal network and can move laterally from there. That is a problem VPNs by design do little to solve, if anything at all.
An SDP or zero-trust model can be used within the modern perimeter-less enterprise to help secure remote, mobile and cloud users as well as workloads. SDP is not just about having a secure tunnel; it is about validation and authorization. Instead of trusting that a tunnel is secure, there are device posture checks, explicit policies that grant access per resource, segmentation policies that restrict what a session can reach, and multiple control points along the path.
Organizations of all sizes are increasingly adopting zero-trust security technologies. As they look to reduce risk and shrink their attack surface, having more points of control is often a key goal. Security professionals also typically recommend minimizing the number of privileged users and granting access on the principle of least privilege. Rather than simply giving a VPN user full local network access, administrators should restrict access based on policy and device authorization, which is a core attribute of the zero-trust model.
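To make the difference concrete, here is an added example (written for this post, not Odo Security's code or any vendor's API) of the controller decision described above: a toy SDP policy engine that evaluates one request for one resource against identity, MFA, device posture and group policy, beside the VPN model in which a single valid credential unlocks every internal host. The resource names, policies and devices are constructed for the example.

```python
# Added example (not Odo Security's code): a toy SDP controller that decides
# per-resource access from identity, MFA, device posture and group policy,
# contrasted with the VPN model where a valid credential unlocks the whole LAN.
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    managed: bool            # enrolled in the organisation's device management
    disk_encrypted: bool
    patch_age_days: int      # days since the OS was last patched


@dataclass(frozen=True)
class AccessRequest:
    user: str
    groups: frozenset        # group memberships asserted by the identity provider
    mfa_verified: bool
    device: Device
    resource: str            # the single resource being requested


@dataclass(frozen=True)
class Policy:
    allowed_groups: frozenset
    require_mfa: bool = True
    require_managed: bool = True
    max_patch_age_days: int = 30


# Hypothetical resources and policies (constructed for the example).
POLICIES = {
    "git.internal": Policy(allowed_groups=frozenset({"engineering"})),
    "hr-portal.internal": Policy(allowed_groups=frozenset({"hr"})),
    "printer.hq": Policy(allowed_groups=frozenset({"engineering", "hr"}),
                         require_managed=False, max_patch_age_days=365),
}


def vpn_style_decision(credentials_valid: bool) -> set:
    """VPN model: one credential check, then the tunnel exposes every
    internal host. Device state and the target resource are never consulted."""
    return set(POLICIES) if credentials_valid else set()


def sdp_decision(req: AccessRequest) -> tuple:
    """Controller decision for ONE request to ONE resource.
    Returns (allowed, reasons). Default deny: an unknown resource or any
    failed check denies; the gateway is told to accept the flow only on True."""
    policy = POLICIES.get(req.resource)
    if policy is None:
        return False, ["no policy for resource (default deny)"]
    reasons = []
    if not req.groups & policy.allowed_groups:
        reasons.append("user not in an allowed group")
    if policy.require_mfa and not req.mfa_verified:
        reasons.append("MFA not verified")
    if policy.require_managed and not req.device.managed:
        reasons.append("unmanaged device")
    if not req.device.disk_encrypted:
        reasons.append("disk not encrypted")
    if req.device.patch_age_days > policy.max_patch_age_days:
        reasons.append("device patch level too old")
    return (not reasons), reasons


def authorized_resources(user: str, groups, mfa: bool, device: Device) -> set:
    """Resources this identity+device pair may reach. Each resource is
    evaluated separately, so access is scoped rather than network-wide."""
    return {
        r for r in POLICIES
        if sdp_decision(AccessRequest(user, frozenset(groups), mfa, device, r))[0]
    }


if __name__ == "__main__":
    corp_laptop = Device("lt-0042", managed=True, disk_encrypted=True, patch_age_days=7)
    attacker_box = Device("unknown", managed=False, disk_encrypted=False, patch_age_days=400)
    alice = ("alice", {"engineering"})

    # VPN: stolen credentials on any box open the whole network.
    print("VPN, stolen creds:", vpn_style_decision(True))
    # SDP: the same stolen credentials on an unmanaged box reach nothing.
    print("SDP, stolen creds:", authorized_resources(*alice, True, attacker_box))
    # SDP: the real user on a healthy corporate laptop gets only her resources.
    print("SDP, Alice on corp laptop:", authorized_resources(*alice, True, corp_laptop))
```

The point to notice is the shape of the two decisions: the VPN function takes a single boolean and returns the whole network, while the SDP function cannot even be asked a question without naming a device and a resource, and it returns the reasons for a denial so the controller can log them.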
A well-architected zero-trust solution can also offer the benefit of less overhead, without the need for a physical appliance or client-side agents. The trade-off to keep in mind is that an agentless deployment can only assess device posture from what the connection itself exposes, so the depth of the posture checks depends on the approach chosen.
For business users, VPNs are a familiar concept for remote access, and that is not likely to change in the near term. For access to a local file share within a company, or even something as simple as reaching a corporate printer, a VPN will remain a reasonable option for the next two to three years. As more businesses move to SDP, however, even simple access to a printer will be covered by per-resource policy.
Within companies, internal threats in the perimeter-less enterprise are as likely as external ones, and a zero-trust model is a useful way to limit insider risk.
For developers and those involved in DevOps, zero trust is a more elegant and controlled way of granting access to on-premises, cloud and remote resources. Development is distributed, and simply tunneling into a network is not as flexible as what zero trust can enable.
The reality of the modern Internet is that threats come from anywhere, and any device or compromised user credential can be used as a pivot point to breach a network. A zero-trust approach goes beyond relying on encryption and credentials alone to minimize risk and improve security. SDP moves beyond just pretending that the fiction of a hard perimeter still exists.
Gilad Steinberg is CTO and Co-Founder of Odo Security. Prior to founding Odo, he was the Security R&D Team Leader for the Israel Prime Minister’s Office. This post is a repost of Gilad’s article originally published in Dark Reading, “How the Software-Defined Perimeter Is Redefining Access Control” October 9, 2019.