Home Resources Blog You’ll Need Zero Trust, But You Won’t Get It with a VPN

You’ll Need Zero Trust, But You Won’t Get It with a VPN

Eyal Webber Zvik, Cato Networks
12.01.2023
image 4 Min read

Properly implemented, a zero trust architecture provides much more granular and effective security than legacy security models. However, this is only true if a zero trust initiative is supported with the right tools. Legacy solutions, such as virtual private networks (VPNs), lack the capabilities necessary to implement a zero trust security strategy.

Zero Trust Security is the Future

Castle-and-moat security models were common in the past, but they are ineffective at protecting the modern network. Some of the primary limitations of perimeter-focused security models include:

  • Dissolving Perimeters: Legacy security models attempt to secure a perimeter that encapsulates all of an organization’s IT assets. However, with growing cloud adoption, this perimeter would need to enclose the entire Internet, making it ineffective for security.
  • Insider Threats: A perimeter-focused security model lacks visibility into anything inside of the corporate network perimeter. Insider threats — such as attackers that breach an organization’s defenses, supply chain vulnerabilities, and malicious users — are all invisible to perimeter-based defenses.
  • Trusted Outsiders: Castle-and-moat security assumes that everyone inside the perimeter is trusted, while outsiders are untrusted. However, the growth of remote work means that companies need to find ways to account for trusted users outside of the perimeter, forcing the use of insecure and unscalable VPNs.

The zero trust security model was designed to address the limitations of these legacy security models. Under the zero trust model, all access requests are evaluated independently against least privilege access controls. If a user successfully authenticates, their session is monitored for suspicious or risky activity, enabling potential threats to be shut down early.

94% of companies are in the process of implementing zero trust, making it one of the most common cybersecurity initiatives. Some of the drivers of zero-trust include:

  • Corporate Security: Data breaches and ransomware infections are common, and, in many cases, are enabled by the remote access solutions (VPNs, RDP, etc.) used to implement perimeter-based security. Zero trust promises to reduce the probability and impact of these security incidents, decreasing enterprise security risk.
  • Regulatory Compliance: The zero trust security model aligns well with regulators’ goals to protect sensitive information. Implementing zero trust is best practice for compliance now and may be mandatory in future updates of regulations.
  • Incident Investigation: A zero trust security system tracks all access requests on the corporate network. This audit trail is invaluable when investigating a security incident or demonstrating regulatory compliance.
  • Greater Visibility: Zero trust’s stronger access control provides granular visibility into access requests. In addition to security applications, this data can also provide insight into how corporate IT assets are being used and inform infrastructure design and investment.

Zero trust overcomes the problems of legacy, perimeter-focused security models. As corporate IT environments expand, cyber threats mature, and regulatory requirements become stricter, it will be a vital part of a mature security policy.

A VPN Can’t Provide Zero Trust

The rise of remote and hybrid work has made secure remote access a vital capability for many organizations. VPNs are a well-established remote access solution, and many organizations turned to them to support their remote employees.

However, while VPNs offer employees secure remote access to the corporate network, they fail to provide crucial capabilities for a zero trust deployment. Some of the ways in which VPNs fall short include:

  • Access Management: VPNs are designed to provide an authenticated user with full access to the corporate network, simply creating an encrypted tunnel from the user’s machine to the VPN endpoint. Without built-in access controls, VPNs cannot enforce zero trust’s least privilege access policies.
  • Integrated Security: VPNs have no built-in security capabilities, meaning that traffic must be routed through a full security stack en route to its destination. With corporate assets scattered on-prem and in the cloud, this usually results in traffic being routed to a central location for inspection, increasing network latency.
  • Optimized Routing: VPNs are point-to-point solutions, which limit the routes that traffic can take and can cause significant latency due to suboptimal routing. This may cause security controls to be bypassed or disabled in favor of improved network performance.

Two of the foundational concepts of zero trust security are access control and monitoring for security issues during an authenticated user’s session. VPNs provide neither of these key capabilities, and their performance and scalability limitations mean that users may attempt to evade or bypass defenses to improve performance and productivity. While zero trust is rapidly becoming essential for corporate cybersecurity, VPNs are ill-suited to implementing a zero trust architecture.

Achieving Zero Trust with SSE and SASE

These two essential capabilities of zero trust — access control and session security monitoring — are the reason why Security Service Edge (SSE) and Secure Access Service Edge (SASE) are ideal for implementing a corporate zero trust program. SASE solutions include zero trust network access (ZTNA) functionality, which provides the ability to enforce least privilege access controls across the corporate WAN.

Alongside ZTNA, SSE and SASE solutions also offer a range of key security functions, including Firewall as a Service (FWaaS), an intrusion prevention system (IPS), a secure web gateway (SWG), and a cloud access security broker (CASB). Converging security functions with access control makes SASE an all-in-one solution for zero trust.

SASE’s design can also eliminate the network performance impacts of security. Deployed as a cloud-native solution on a global network of points of presence (PoPs), SASE can inspect traffic at the nearest PoP before optimally routing it to its destination. Cloud-native design ensures that converged security has the resources required to perform vital security functions without incurring latency.

To learn more about how a cutting-edge SASE solution can support your organization’s zero trust security goals, sign up for a free demo.

Learn More

4 Ways Where Remote Access VPNs Fall Short
SD-WAN and SASE
Eyal Webber Zvik, Cato Networks 09.01.23

The Global Content Delivery Network (CDN) market is expected to grow by $42.4 billion between now and 2032.

Read more
SASE vs. SD-WAN: A Quick Guide
SD-WAN and SASE
Miguel Fersen, Iberia & LATAM Regional Manager @ GlobalDots 09.05.22

New technologies have a wicked tendency to pile up. With cloud solution categories now emerging on a weekly basis, the result of bringing them into your estate is usually more complexity and confusion. But sometimes, a single new technology allows us to rid a bunch of old ones in a snap. SASE pretends to be […]

Read more
slider item
SD-WAN and SASE
Gershon Tchemakin, Solutions Engineer @ GlobalDots 08.11.21

Pronounced ‘sassy’, SASE (Secure Access Service Edge), is a terminology first proposed by Gartner. While there are many definitions of SASE, it can be simply said to be a network architecture that combines the capabilities of SD-WAN with network security functions and delivers it as a service delivered via the cloud. What is SASE used […]

Read more
Unlock Your Cloud Potential
Schedule a call with our experts. Discover new technology and get recommendations to improve your performance.
Book a Demo