As the security world rotated to a Zero Trust model for securing the enterprise, tried and true technologies such as VPN seemed to fall by the wayside. Yes, many organizations simply assumed VPN credentials were enough to have access to corporate resources and in fact this perimeter view gave rise to a Zero Trust philosophy where no user or device is allowed access without authentication and authorization.
But, the idea that you need to choose between VPN and Zero Trust ignores that fact that how products and technologies are implemented will ultimately dictate an organization’s level of protection. “VPN or Zero Trust” is a false choice. With the home as the current employee workplace, organizations are rapidly implementing a range of software and hardware VPN connectivity solutions to support work from home connectivity. But, with an eye towards Zero Trust, they are enhancing VPN security with key Zero Trust components to ensure the organization is protected.
While there a several different definitions for Zero Trust (including NIST), the basic principle is that no user or device can gain network access without authenticating and being assigned application layer access rights. As a result, most zero trust implementations will provide:
- A method for collecting and validating user or device credentials using a variety of techniques from 802.1x to multi factor authentication. Typically, the authentication process involves using a protocol such as Radius to interface with corporate identity systems such as Active Directory.
- The second key component is a Trust Broker—essentially a policy manager that will take validated credentials and assign IT access rights based on pre-determined corporate policies. If the Trust Broker is designed for enterprise environments, then the role-based access policy is independent of the type of access (e.g. wired, wireless, remote), which means that when an employee gains VPN access, the appropriate access policies are automatically applied.
- Next is enforcement. Enforcement can be done in a variety of network locations, but the optimal placement is at the point of VPN termination. Some organizations will install a separate firewall for this purpose but scalable VPN termination along with routing and other functions can easily provide the policy enforcement necessary to restrict access once the traffic is inside the corporate network.
- Finally, there is adaptive trust. Trust is not a permanent condition and based on what happens to the user or endpoint after initial access will determine what level of trust is provided on an ongoing basis. This means that status from across the security ecosystem must be sent and processed by both the Trust Broker and the corresponding enforcement point.
As organizations are overnight standing up thousands of new remote connections there is no need to sacrifice security for convenience. VPN is a foundational Zero Trust element. By combining it with zero touch setup, cloud management, seamless identity-based access control and headend policy enforcement, employees will operate in a Zero Trust environment no matter how or where they connect.
Learn more about Aruba VPN Services.
