Overcoming the Limitations of VPN, NAC, and Firewalls with Zero Trust Access
During 2020 and 2021, we’ve seen ransomware-as-a-service wreak havoc in the IT supply chain and critical infrastructure. Below we explore how technologies and approaches to help protect organizations from these types of attacks.
By Burjiz Pithawala, CPO & Co-Founder, Elisity
We live in a world that is making a transformational leap into uncharted territory out of necessity. The pandemic has challenged us both at home and at work. We now live and work differently than a couple of years ago. What was called the “new normal” has become the “now normal”: the hybrid workspace, with users working alternatively from home and on campus. This rapid change is still in progress and challenges networking and information security teams in many novel ways. This article focuses at a high level on some of the problems and solutions derived from the need to secure remote access to enterprise resources, the sprawl of IoT, the growth of shadow IT, and the acceleration of the migration to cloud infrastructure.
Trends making implicit trust security controls obsolete
As a result of the pandemic-driven changes in the workspace and IT environments, bad actors have adapted rapidly to tap into a growing attack surface. During 2020 and 2021, we’ve seen ransomware-as-a-service wreak havoc in the IT supply chain and critical infrastructure just at a time when IT organizations were migrating infrastructure and applications to the cloud and trying to secure access for an all the sudden majority of remote workers. It’s been a rollercoaster across all industries for organizations of all sizes, to say the least.
Users, devices, applications, and data have for the most part left the traditional perimeter, and as a result, traditional security controls are failing to secure them. The enterprise networks have become more challenging than ever before to secure against these ever-growing cyber threats from outside and inside the new perimeter. Rogue applications, unmanaged IoT devices, and overlap of IT and Operational Technology (OT) networks add more to these difficulties, with growing risks as the attack vectors multiply. In the end, network availability and productivity are suffering too due to the lack of scalability of traditional cyber defenses.
These trends resulted in a re-definition of the enterprise perimeter which is now centered around the identities of users, devices, applications, and data. It is being said that identity is the new perimeter. By now, you should have read about the Zero Trust model enough to be confused by the sheer amount of spin around this information security concept. To make it simple, short, and sweet, let’s stick to the fact that Zero Trust is not a product, but a premise from which to derive a ubiquitous information security strategy and the controls that help operationalize it. Zero Trust is based on the assumption that all network communications are compromised and therefore should be untrusted regardless if these occur within or outside a network’s boundaries. The solution to minimizing risk under that premise demands for identities to be continuously verified and access authorized regardless of location in the network.
Zero Trust is essentially a journey towards the aspirational elimination of the attack surface. In this regard, identity has a central role. But identity alone is not enough. It’s behavioral intelligence that should deliver the power of end-to-end protection for all of your assets, regardless of location. There is a pressing need to contextualize three things: identity, environment, and behavior. This new fluid perimeter is a combination to be managed by organizations with a simple business logic policy to securely connect all of the assets across every domain: campus, branches, data center, cloud, and remote.
Although the concept of Zero Trust has been here for a decade or so, it was always challenging to operationalize it because the traditional security controls, designed under the premise of Implicit Trust, are inefficient and ineffective to enable it at scale. Let’s list some of the limitations of these legacy security controls.
Virtual Private Networks (VPN)
User-to-application access from outside the traditional network perimeter has been traditionally secured with VPN, but:
- VPN cannot limit access control after authentication and can’t provide continuous verification that would prevent the ability to traverse the network unhindered (East-West/North-South movement).
- It’s inefficient to drag all user traffic back to the corporate data center, and split-tunneling brings loss of visibility and control.
- VPN provides an inefficient traffic path for SaaS and cloud applications or services, delivering a bad end-user experience.
- No policy can be defined when a user is within the network perimeter, and not using VPN.
- VPN concentrators are expensive and complex to deploy and manage.
Network Access Control (NAC)
NAC technology has been around for a while but it is showing its age vis-à-vis of the evolving threat landscape.
- NAC provides binary network access (either on or off) and has limited granular control and segmentation capabilities.
- It typically has no supplicants for wired users or unmanaged devices such as IoT and OT, and provides limited access control for such devices.
- With NAC, there is no continuous verification of authorization. User identity is verified at the point of authentication, limiting the ability to monitor for threats post-authentication, changes to permissions, and abnormal behavior.
- Typical NAC solutions cannot manage and deploy NAC policies to cloud infrastructure.
- Most NAC solutions have separate policy management systems for remote access VPN and firewall configuration.
- As with most security controls designed under the old Implicit Trust model, traditional NAC solutions can be highly complex and expensive to deploy and maintain.
Firewalls
Deploying and managing firewalls across an SD-WAN is quite an undertaking, and firewall policy drift is a common ailment. This is why:
- IP-based policies are hard to manage and do not provide micro and nano-segmentation capabilities.
- Firewalls policies are statically configured and cumbersome to manage and update, and are often based on traditional networking constructs.
- True micro-segmentation to limit lateral movement within the network requires a proliferation of firewalls, which is costly and resource-intensive to deploy and manage.
- Access is based on location, i.e., inside or outside the moat: the network perimeter. Once a user is inside the network perimeter, they are inherently trusted and free to roam the network.
- It is challenging to unify policies for on-prem and remote users (i.e., behind the firewall and outside remote users).
Solving for the long run
All these limitations drive the requirements for the transformation of network security and how information security is approached altogether. Some of this transformation was in progress before the pandemic, but it accelerated rapidly out of necessity when it struck. Zero Trust is still riding the hype curve, and many fragmented point solutions exist that address specific use cases without accounting for the bigger picture. This bigger picture is the need to decouple security from the underlying network construct to avoid the traditional cybersecurity vs. networking trade-offs that either cripple network availability or the security posture.
There is also a need for ubiquitous access policy management (across all domains) and simplification via automation of cybersecurity operations to accelerate detection and response times. An ideal Zero Trust Access (ZTA) platform should deliver full visibility about what’s flowing through the network (users, devices, apps) by integrating with existing identity providers (IDP). The solution should also provide a unified policy management plane across multiple domains that would address the need for ubiquity and agility.
It’s just then, through a single pane of glass across all domains, that the never-ending Zero Trust journey to eliminate the attack surface can start. Organizations can begin by securing the crown jewels first, or by piloting Zero Trust Network Access (ZTNA) to secure access for the hybrid workforce. Alternatively, Network Security Architects may choose to learn the ropes of Zero Trust network security by addressing the sprawl of IoT in the workplace. Whatever the most pressing use case may be, the worst they can do is to lose sight of the long game: that the same solution should address all use cases and avoid network chokepoints that prevent scalability.
The ideal end game is a distributed architecture where multi-domain policies are managed centrally but distributed and enforced as close to the resources as possible, with continuous identity verification via integration with any flavor of IDP, including those providing telemetry about health status and other contextual attributes alongside identity. By making identity, context, and behavior the new (and now dynamic) enterprise perimeter, it becomes easier to manage risk and implement a potent cyber defense system that works under the Zero Trust paradigm.
About the Author
Burjiz Pithawala is the CPO and co-founder of Elisity. Burjiz’s experience as a leader and technology visionary spans 23 years with deep roots in networking, cloud transformation, and enterprise software. Prior to Elisity, Burjiz led many of Cisco’s best-recognized routing and switching product groups with teams of 15 to 300 people. Burjiz is an Internet Task Force (IETF) author and patent holder for technologies ranging from routing, switching, and predictive cloud management.
Burjiz co-founded Elisity, now a series A start-up, to address the challenges depicted in this article. Elisity offers an identity-driven control plane for corporate networking and remote access without tying customers to a particular network or network security technology. Its Cognitive Trust platform, delivered as a cloud-based service, is deployed as an overlay or underlay on whatever WAN and/or SD-WAN infrastructure an enterprise prefers to protect data, users, devices, and applications in the data center, the cloud, at home, and everywhere. Based in San Jose, Elisity is backed by Two Bear Capital, AllegisCyber Capital, and Atlantic Bridge. Burjiz can be reached online at LinkedIn and at our company website: www.elisity.com