You should probably have zero trust in your VPN service:
You’re enjoying a quiet Friday afternoon in your office when you receive a stomach-dropping alert from one of your systems. A co-worker of yours, Jane, has exfiltrated thousands of your customer records from the company database. A distraught Jane is questioned by human resources; she swears up and down that she didn’t do anything, and no further evidence against her comes to light. Confused, you begin looking for other evidence and find a notice from your VPN provider. They had a data breach which leaked the VPN credentials of millions of users, including people at your company. The VPN service which was supposed to keep your organization’s resources secure ended up being the attack surface which compromised everything.
This scenario could have been avoided if the company had chosen to implement a Zero Trust Architecture for resource access control, instead of using VPN. Let’s explore this better alternative.
But first: what is a VPN?
Virtual Private Networks (VPNs) give an organization’s users online privacy and anonymity by creating a private network over a public internet connection. VPNs are able to mask your internet protocol (IP) address so your online actions are untraceable and invisible to outsiders. The more important feature of VPNs is that they establish an encrypted connection. Organizations typically supply their employees with this networking tool since they are often handling and sending proprietary information.
With the mass exodus of on-site workers transitioning to the remote work environment and the further adoption and integration of cloud services, it’s more imperative than ever before that organizations have a way for their employees to connect to their environments securely. VPNs are also easy for organizations to deploy and are a lesser burden on your network engineers. However, in spite of all of that, what if I told you that VPNs aren’t that great?
The Problem with VPNs
While VPNs have been the primary tool for secure communications, they still struggle to properly authenticate their users. Organizations cannot control which resources a user can access as long as that user has legitimate VPN credentials. Various internal systems and servers will automatically trust this connection. All a potential attacker has to do is compromise the credentials of a VPN user and they will have access to your data. VPNs do not have proper mechanisms in place to control who has access to your organization’s cloud resources, or to the resources on your internal services.
Another issue is that VPNs are a black box when it comes to security and privacy. The general reason people use VPNs in the first place is that they don’t trust their local connection to the internet. However, what some organizations don’t realize is that when enabling a VPN, all you are doing is passing the burden of security from your Internet Service Provider (ISP) to your VPN provider. You still have to trust that your VPN provider is doing a better job of securely handling your communications than your organization can. These are a few of the major problems that many organizations have with VPNs, and they are why a majority of them are transitioning, or have already made the transition, to a Zero Trust Architecture (ZTA).
Zero Trust Architecture (ZTA)
ZTA is a more complex strategy. It consists of a set of different tools and services that are used to authenticate a user. Every connection and every stage in every digital interaction, whether it occurs on-premise or in the cloud, must be verified and authenticated. In simpler terms, no connection is trusted by default; every connection must authenticate itself at every step, regardless of where it’s coming from.
The benefit to this over VPNs is that:
- Zero Trust Architecture provides better authentication for access to resources.
- When an account gets compromised the impact is limited.
- The Zero Trust Architecture provides better visibility into your cloud network.
- You no longer have to rely on a third-party vendor to secure your network data.
In this diagram, I show how ZTA can be implemented for users who want to access cloud resources. There are several different ways to implement ZTA, but this is a simple example that illustrates it. Here is what happens in my diagram when a user attempts to access cloud resources:
In order for the user to access any resource, their connection must go through authentication mechanisms (a proxy server, an SSO gateway, and Active Directory (AD)) that are set up and strictly controlled by our organization. No cloud resource will be granted until that connection goes through your proxy. The SSO gateway checks that the connection really came through our proxy, and from there the credentials used to establish it are checked by our AD. Only if all of that is clear is the user given access to cloud resources.
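The following is an added example, not code from the original article: a minimal model of the per-request chain described above (proxy tag, SSO gateway check, AD credential check, then per-resource policy), side by side with the VPN-style model where valid credentials alone reach every resource. The directory entries, policy table, shared key and the HMAC tagging scheme are all constructed for illustration.

```python
import hmac
import hashlib

SSO_KEY = b"constructed-demo-key"   # constructed secret shared by proxy and SSO gateway

# Constructed directory (stand-in for AD): user -> (sha256 of password, groups).
DIRECTORY = {
    "jane": (hashlib.sha256(b"jane-pw").hexdigest(), {"support"}),
    "dba1": (hashlib.sha256(b"dba-pw").hexdigest(), {"support", "dba"}),
}
# Constructed per-resource policy: which groups may reach which cloud resource.
POLICY = {"ticket-app": {"support", "dba"}, "customer-db": {"dba"}}

def proxy(user: str, resource: str) -> bytes:
    """Step 1: the organization's proxy tags each request so later hops can
    tell that it did not bypass the proxy."""
    return hmac.new(SSO_KEY, f"{user}:{resource}".encode(), hashlib.sha256).digest()

def sso_gateway(user: str, resource: str, tag: bytes) -> bool:
    """Step 2: the SSO gateway verifies the request really came via the proxy."""
    return hmac.compare_digest(proxy(user, resource), tag)

def directory_check(user: str, password: str):
    """Step 3: AD (stand-in) checks the credentials; returns the user's groups or None."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return None
    pw_hash, groups = entry
    given = hashlib.sha256(password.encode()).hexdigest()
    return groups if hmac.compare_digest(pw_hash, given) else None

def zero_trust_access(user: str, password: str, resource: str, tag: bytes) -> bool:
    """Step 4: grant only if every hop passed and policy allows this resource."""
    if not sso_gateway(user, resource, tag):
        return False        # bypassed the proxy: rejected regardless of credentials
    groups = directory_check(user, password)
    if groups is None:
        return False        # unknown user or wrong password
    return bool(groups & POLICY.get(resource, set()))   # per-resource authorization

def vpn_access(user: str, password: str, resource: str) -> bool:
    """The VPN model the article criticizes: valid credentials reach every resource."""
    return directory_check(user, password) is not None
```

With Jane's leaked credentials, `vpn_access` still reaches the customer database, while `zero_trust_access` limits her to the resources her group is allowed, and rejects any request that skipped the proxy.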
It’s time to switch to Zero Trust
As more organizations migrate to have all of their resources stored in the cloud, VPNs and VPN-like technologies are gradually being phased out of network environments.
VPNs lack the ability to give organizations confidence that their data is not being read by their providers. They also lack the ability to fully authenticate users and prevent them from accessing restricted resources. The Zero Trust model, while more sophisticated, is more secure, and organizations will completely replace VPNs with it in the near future.
Once your company finishes paying for Jane’s trauma counseling, the incident response team directs you to begin working on the company’s own implementation of Zero Trust Architecture.