VPNs Aren’t Going Away, But They Are Rapidly Evolving
*This post originally appeared on the Pulse Secure blog prior to the acquisition in December 2020, when Pulse Secure became part of Ivanti.
VPNs, or Virtual Private Networks, have been around for a long time, and the term means different things to different people. A VPN may be the hub-and-spoke model, which has since been augmented by other technologies from MPLS to SD-WAN. Hub-and-spoke VPNs still exist. When the concept of Secure Remote Access comes up, VPN commonly comes to mind. This remote access may be a full layer 3 tunnel, which is not especially secure because it grants too much implicit trust, or it may be a browser-based, single-application session, which is more secure. Today’s VPNs need to be as secure as possible, thus Zero Trust was born.
Gartner recently published the “Market Guide for Zero Trust Network Access”. There are a few key points in this guide that help explain the evolution to Zero Trust.
Removing excessive implicit trust. This applies to all types of access – physical, local, and remote. For example, accessing any and all applications when you’re on-premises shows how implicit trust can be granted with little thought or consideration. Recently, a customer told me that his management team believed that since someone is in the building, they must somehow be more trustworthy than someone outside. Excessive implicit trust lays the groundwork for attack opportunities, providing hackers with the entry points they need to access sensitive data. A network security practitioner should always consider all possible scenarios in order to remove any implied trust.
Being context-based. Context is important when trying to understand what’s happening. A stranger starting my car when it’s in the garage and the keys are in my pocket may cause me to panic. A “stranger” driving my car away when I’m at the dealership for an oil change may be perfectly normal. Network and application access solutions must be aware of context and must be able to take appropriate action. This context might include information about the user, the device, the gateway, and/or the application. It also includes how all of these interact with each other at certain times of the day, on certain days of the week, or depending on user location. Once context is understood, appropriate, automated, and adaptive action is needed to help secure the network, data, applications, and/or services as soon as possible.
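The contrast drawn above between location-based implicit trust and a context-based decision, as an added example that is not from the original post or from any Pulse Secure product. The users, applications, working hours and the allow/step_up/deny outcomes are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample policy data (assumptions for illustration only).
ENTITLEMENTS = {"alice": {"payroll", "wiki"}, "bob": {"wiki"}}
SENSITIVE_APPS = {"payroll"}
USUAL_COUNTRIES = {"alice": {"US"}, "bob": {"US", "DE"}}
WORK_DAYS = range(0, 5)    # Monday..Friday
WORK_HOURS = range(7, 20)  # 07:00..19:59

@dataclass(frozen=True)
class AccessRequest:
    user: str
    device_managed: bool   # device posture signal
    on_premises: bool      # network location
    application: str
    country: str
    when: datetime

def implicit_trust_decision(req: AccessRequest) -> str:
    """'In the building, so trusted': network location alone decides."""
    return "allow" if req.on_premises else "deny"

def context_decision(req: AccessRequest) -> str:
    """Decide per request from user, device, application, time and location."""
    if req.application not in ENTITLEMENTS.get(req.user, set()):
        return "deny"      # not entitled, wherever the user is sitting
    if req.application in SENSITIVE_APPS and not req.device_managed:
        return "deny"      # unmanaged devices never reach sensitive apps
    unusual = []
    if not req.device_managed:
        unusual.append("device")
    if req.country not in USUAL_COUNTRIES.get(req.user, set()):
        unusual.append("location")
    if req.when.weekday() not in WORK_DAYS or req.when.hour not in WORK_HOURS:
        unusual.append("time")
    if not unusual:
        return "allow"
    # Adaptive action: one unusual signal asks for stronger proof, more block.
    return "step_up" if len(unusual) == 1 else "deny"

if __name__ == "__main__":
    tuesday, sunday = datetime(2024, 1, 9, 10, 0), datetime(2024, 1, 7, 3, 0)
    for req in (
        AccessRequest("bob", True, True, "payroll", "US", tuesday),
        AccessRequest("alice", True, False, "payroll", "US", tuesday),
        AccessRequest("alice", True, False, "payroll", "US", sunday),
    ):
        print(req.user, req.application, implicit_trust_decision(req), context_decision(req))
```

The first request shows the gap the implicit-trust model leaves: an on-premises user with no payroll entitlement is allowed by location alone and denied once the application and user are considered.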
Vendors like Pulse Secure have been working with customers, partners, and analysts for years to be ahead of the attack curve. Our evolution from access to secure access to zero trust network access has been unfolding, developing, and improving since inception, which is why we continue to be trusted leaders in this space.