Why VPN is no match for Zero Trust

March 2020 was an incredibly turbulent time for even the most robust of organisations.

When society went into lockdown overnight, companies were forced to react and adapt in ways previously unimaginable. It left offices deserted that had previously been frequented on a daily and weekly basis for decades.

Organisations had no choice but to enable their employees to work remotely. And where they had to leave behind traditional ways of working and attempt to become digital-led businesses in the blink of an eye, many turned to virtual private networks (VPNs) as key pillars of their IT infrastructure.

This decision, on the face of it at least, initially made sense. Acting as an extension of a company’s on-premises IT infrastructure, the use of a VPN would allow home workers to sustain access to centralised on-premises networks. They were already a familiar way of privately and securely sharing data across distributed locations.

Inherent issues with VPNs quickly uncovered

VPNs are costly to run and drastically heighten IT workloads. This is because managers are forced to review and administer access requests for multiple users, thus draining IT resources.

They also stifle productivity. VPNs are unsuitable for supporting the remote access needs of entire organisations and are not designed for remote operating models. They’re fine where 20 per cent of the workforce is remote. But when an entire organisation attempts to connect to a network via VPN, that network quickly becomes overwhelmed. It results in bottlenecked traffic and delayed access to key files and resources.

This, in turn, can create security issues. Huge latency and connectivity problems can frustrate employees with sluggish workflows and sub-optimal productivity. It means they may turn to working directly on their local desktops, leaving key company files, data and information vulnerable to attacks.

Many of the most common cyberattacks focus on infiltrating the endpoint. Traditional malware attacks, for example, operate by infecting an endpoint with a downloadable payload that facilitates the installation of malicious code on a system’s hard drive.

Fraught with resource-, productivity-, and security-related challenges, VPNs are simply not a viable or productive long-term solution for remote and hybrid working models. These are, in many instances, here to stay because they have a plethora of benefits versus the conservative office-based nine to five.

And while there was little time for organisations to evaluate such challenges in the face of a pandemic-shaped emergency, it’s clear that a rethink is now required.

VPN versus zero trust

What’s promising is that many recognise that an IT overhaul and operational transformation are necessary to succeed long term in this new normal.

According to a Menlo Security report, which surveyed more than 500 IT decision makers in the US and the UK, three quarters (75%) of organisations continue to rely on VPNs for controlling remote access to applications (this rising to 81% for organisations of 10,000-plus employees).

However, the report also reveals that the same number (75%) are re-evaluating their security strategy with remote and hybrid working, and the growth in cloud application use, in mind.

This willingness to adapt and improve is vitally important if organisations are to achieve optimal productivity and security moving forward. Yet what is equally important is that this focus is nurtured in the right way. Organisations need to make the right changes that are futureproof, scalable, productive and secure.

Enter zero trust

Zero trust is an IT and security concept that has been built with a cloud-first mindset.

It is renowned as an effective way to simultaneously maximise productivity while ensuring safe email and web access can be achieved. It allows IT teams to comprehensively protect against a multitude of modern cyberthreats.

Some of the most significant cyberattacks that have come to light since the pandemic first began, such as the SolarWinds breach that affected several major organisations and government agencies, were the result of hackers being able to move laterally with ease once gaining access to their target networks, exfiltrating data and elevating privileges without any significant resistance.

Zero trust addresses this weakness.

Many traditional security policies and protocols take an outdated ‘castle and moat’ approach. They only defend the perimeter of their network from outside exposures and assume everything within a network can be trusted.

Zero trust addresses this. It recognises trust as a vulnerability and takes a default ‘deny’ approach to security. In essence, it demands that all traffic, from emails and webpages to videos and documents, must be verified regardless of their origin.

Its success is based on three key principles:

  1. Continuous authentication: Where all data points must be verified, regardless of their origin.
  2. The principle of least privilege: Network users are limited to accessing only the specific applications and areas of the network that they need to work effectively.
  3. Assuming that a breach is always imminent: By always expecting an attack, security becomes a critical pillar that is factored into all decision making. This reduces the possibility of vulnerabilities.
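The contrast between the ‘castle and moat’ model and the three principles above, as an added sketch that is not from the original article or from Menlo Security. The user names, applications, network range and 15-minute re-authentication window are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample values: none of these come from the article.
CORPORATE_NET = ip_network("10.0.0.0/8")
MAX_AUTH_AGE_S = 900  # assumed re-authentication window (15 minutes)
# Least privilege: each user is granted only the applications they need.
GRANTS = {"alice": {"payroll"}, "bob": {"wiki", "build-server"}}


@dataclass(frozen=True)
class Request:
    user: str
    source_ip: str
    app: str
    auth_age_s: int  # seconds since the user last authenticated


def perimeter_allows(req: Request) -> bool:
    """Castle and moat: anything originating inside the network is trusted."""
    return ip_address(req.source_ip) in CORPORATE_NET


def zero_trust_decision(req: Request) -> tuple[bool, str]:
    """Default deny: every request is verified, whatever its origin."""
    # Continuous authentication: a stale session is rejected even on the LAN.
    if req.auth_age_s > MAX_AUTH_AGE_S:
        return False, "re-authentication required"
    # Least privilege: access only to explicitly granted applications.
    if req.app not in GRANTS.get(req.user, set()):
        return False, "application not granted to user"
    # Assume breach: source_ip is deliberately not consulted for trust.
    return True, "allowed"


# Constructed scenario: bob's session is used from inside the network to
# reach an application he was never granted (lateral movement).
lateral = Request("bob", "10.2.3.4", "payroll", 60)
# A remote worker on a home connection using an application she is granted.
remote = Request("alice", "203.0.113.7", "payroll", 60)
# An internal session that authenticated two hours ago.
stale = Request("alice", "10.9.9.9", "payroll", 7200)

if __name__ == "__main__":
    for r in (lateral, remote, stale):
        print(r.user, r.app, perimeter_allows(r), zero_trust_decision(r))
```

The perimeter check admits the lateral-movement request and blocks the legitimate remote worker, while the per-request policy does the opposite.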

How can zero trust be achieved?

Zero trust is an ideal policy well suited to cloud-based remote working environments. It ensures organisations can be both productive and secure day to day. It also increases the speed of access and scalability, reducing the burden on IT departments.

Yet Menlo Security’s survey reveals that a zero trust approach forms part of the remote access strategy of just 36 percent of organisations currently.

75 percent of organisations are re-evaluating their security strategy with remote and hybrid working in mind. It presents an opportunity for a marked uptick in zero-trust implementation. But what does zero trust look like in practice? And how can it be achieved?

At Menlo, we advocate isolation as the most effective way to reach a high-performance zero trust architecture.

An innovative technology, isolation removes any chance for hackers to infiltrate an organisation’s network. It creates a 100 per cent effective barrier that bars malicious payloads from reaching their target endpoints.

It shifts activities such as browsing and reading emails from the desktop to the cloud. This creates a digital gap between all data and the endpoint. All content is safely rendered through this method, providing organisations and their employees alike complete peace of mind. Even if a malicious payload is downloaded, it will not reach the endpoint.

All content is made visible, with the user experience identical to one found directly on the desktop. More importantly, security takes precedence.

In this sense, isolation technology allows zero trust to be achieved in its truest sense. It stops any cyberattack, threat actor or malicious payload in its tracks, without fail.

Menlo Security protects organizations from cyberattacks by eliminating the threat of malware from the web, documents, and email. Menlo Security’s isolation-powered cloud security platform scales to provide comprehensive protection across enterprises of any size, without requiring endpoint software or impacting the end-user experience. Menlo Security is trusted by major global businesses, including Fortune 500 companies and eight of the ten largest global financial services institutions, and is backed by Vista Equity Partners, Neuberger Berman, General Catalyst, American Express Ventures, Ericsson Ventures, HSBC, and JP Morgan Chase. Menlo Security is headquartered in Mountain View, California. For more information, please visit www.menlosecurity.com.

