Stories
Slash Boxes
Comments

SoylentNews is people

posted by Fnord666 on Wednesday December 18 2019, @07:54PM   Printer-friendly
from the what's-old-is-new-again dept.

VPNs are a way of stitching together separate networks, often physically separate ones, such that they resemble a single logical network. They are (mis-)used heavily these days on the mistaken premise that the network inside any given firewall is somehow secure and the network outside that firewall is somehow less secure. The idea of not trusting the network at all, the foundation of several of the services developed in the 1980s under MIT's Project Athena, such as Kerberos, is returning. Zero Trust is the new name for the networking concept in which no part of the network is considered secure, whether inside or outside a firewall. The pendulum is swinging back and multiple articles this year cover the fact that Zero Trust Networking is trending.

VPNs are part of a security strategy based on the notion of a network perimeter; trusted employees are on the inside and untrusted employees are on the outside. But that model no longer works in a modern business environment where mobile employees access the network from a variety of inside or outside locations, and where corporate assets reside not behind the walls of an enterprise data center, but in multi-cloud environments.

Gartner predicts that by 2023, 60% of enterprises will phase out most of their VPNs in favor of zero trust network access, which can take the form of a gateway or broker that authenticates both device and user before allowing role-based, context-aware access.

Is this a case of what's old is new again or merely a case of being so obvious that no one bothered to mention it and thus it got forgotten because it largely went unsaid? VPNs have a place, but the way in which they are often used amounts to just more snake oil. Many have long pointed out that if a product or service cannot exist online without a firewall then it should never have been connected to the network in the first place.

See also
SC Magazine: Kill the VPN. Move to Zero Trust
Zscaler blog: Zero trust is shaking up VPN strategies
Business Wire: New Research Reveals Widespread Movement to Replace VPNs With Zero Trust Network Access
Techzine: 'Companies want to replace VPN with Zero Trust Network Access'


Original Submission

 
This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Informative) by Anonymous Coward on Wednesday December 18 2019, @09:27PM (4 children)

    by Anonymous Coward on Wednesday December 18 2019, @09:27PM (#933914)

    The modern "Zero Trust" movement really got its start in Google's BeyondCorp where the big idea was to move everything from "behind the firewall [TCP/IP]" to "behind the proxy server [HTTP(S)]".

    "BeyondCorp is a Zero Trust security framework modeled by Google that shifts access controls from the perimeter to individual devices and users. The end result allows employees to work securely from any location without the need for a traditional VPN. ... BeyondCorp dispels the notion of network segmentation as the primary mechanism for protecting sensitive resources. Instead, all applications are deployed to the public Internet..." https://www.beyondcorp.com/ [beyondcorp.com]

    Starting Score:    0  points
    Moderation   +2  
       Interesting=1, Informative=1, Total=2
    Extra 'Informative' Modifier   0  

    Total Score:   2  
  • (Score: 5, Informative) by NotSanguine on Wednesday December 18 2019, @10:28PM (3 children)

    by NotSanguine (285) <NotSanguineNO@SPAMSoylentNews.Org> on Wednesday December 18 2019, @10:28PM (#933950) Homepage Journal

    This is just another prong in Google's (and other "cloud" providers) attempt to deprecate corporate networks in favor of "someone else's servers."

    Proxy servers, VPNs and partitioned networks are important, despite what some start-up with a vested interest in charging folks money to manage AAA services [wikipedia.org] might say.

    However, that's not the whole picture. Another poster [soylentnews.org] referred to the Skittles security model -- hard on the outside, with a soft, chewy center. This has *never* been the prescribed mechanism (even if it has been widely used) for securing enterprise environments.

    Defense-in-depth [wikipedia.org] is, and always has been, the best set of methods to secure information/assets.

    This includes:
    1. VPNs -- Ensure that when traversing uncontrolled networks, that data integrity and non-repudiation can be maintained;
    2. Proxy Servers -- Ensure that connections to/from devices on uncontrolled networks are made to/from hardened platforms;
    3. Packet filtering -- Ensure that malicious data/connection patterns from *any* network are detected and blocked;
    4. Authentication/Authorization* -- Ensure that access to networks/platforms/information, whether interactive or programmatic is made only by those who can both sufficiently identify themselves *and* may only access stuff for which they are specifically authorized;
    5. Physical security -- Ensures that access to physical assets (whether those be bearer bonds, trade secrets or servers/switches/routers/etc.) is limited (via a variety of mechanisms) to those with legitimate access requirements;

    All of the above are *necessary* in securing enterprise environments. An old maxim that remains true (despite the claims of those with vested interests in ignoring it) is that "if you connect something to the Internet (uncontrolled network), you must expect that it will, eventually, be pwned."

    That's not to say that devices *not* connected to uncontrolled networks won't be pwned. Which is why defense-in-depth is so important.

    *This is, perhaps, the most important piece and deserves additional discussion. Authentication and authorization is actually a well-studied domain, and a wide variety of tools are available to implement them across an IT infrastructure:
    1. Network access -- X.509 certificate-based (client and server) authentication, including 802.1x [wikipedia.org], VPN connectivity, TLS-based MTA connections, Proxy servers/packet filtering;
    2. Platform access (1) -- Strong authentication including, but not limited to (some or all, depending on the sensitivity of the platform/access to that platform) physical token-based authentication, Kerberos [wikipedia.org], key-based authentication (ala ssh), password hashing, centralized/federated authentication systems (SSO), etc.
    3. Platform access (2) -- Granular authorization mechanisms including, but not limited to user/group defined filesystem/database permissions, admin/maintenance privilege levels, strong access policies/procedures, etc.
    4. Programmatic access -- I separate this from (2) and (3) above, as special focus and consideration must be given to both application integration and development practices to mitigate data leakage due to poor coding/integration. Including strict authentication and authorization that reliably interfaces with the strong authentication/authorization mechanisms above is critical. Too often application developers/integrators use overly broad access to platforms/data sources to simplify/hide deficiencies in integrating with existing mechanisms and (poorly) attempt to provide such controls on the front end. That is, perhaps, the biggest risk to data security right now.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 0) by Anonymous Coward on Wednesday December 18 2019, @11:50PM

      by Anonymous Coward on Wednesday December 18 2019, @11:50PM (#933983)

      Exactly. These two security models aren't even opposite sides of the same spectrum, but are orthogonal to each other. You can have a zero-trust setup with or without a VPN. You can also have a full-trust setup with or without a VPN. The dichotomy is not zero trust + no VPN versus full trust + VPN.

      Although I do find it somewhat interesting that the same people at my day job who preach defense in depth and requiring MFA are the same ones arguing to remove a layer of defense and authentication factor.

    • (Score: 0) by Anonymous Coward on Thursday December 19 2019, @02:35AM (1 child)

      by Anonymous Coward on Thursday December 19 2019, @02:35AM (#934068)

      Read the article, and your post pretty much confirms what I expected. "Zero trust" is a bullshit marketing scam. Though it does accurately describe Google and Microsoft, since both are primarily in the corporate intelligence business now, rather than the software business.

      • (Score: 3, Insightful) by NotSanguine on Thursday December 19 2019, @04:04AM

        by NotSanguine (285) <NotSanguineNO@SPAMSoylentNews.Org> on Thursday December 19 2019, @04:04AM (#934093) Homepage Journal

        "Zero trust" is a bullshit marketing scam

        I don't really agree with that characterization.

        I would say that while the term *is* being used as a bullshit marketing term, the conceptual basis for zero trust networks [wikipedia.org] is both valid and quite simple:

        Zero Trust is an information security framework which states that organizations should not trust any entity inside or outside of their perimeter at any time

        Not trusting *unauthenticated/unauthorized* systems/users is, and has been for quite some time, crucial for securing networks and platforms both on controlled (internal) and uncontrolled (external) networks. Which is why encryption and certificate-based technologies such as 802.1x authentication/authorization, federated/centralized AAA systems and other mechanisms are necessary to secure access to both sets of networks.

        However, these are not new or particularly profound concepts. As to subject of the article, VPNs still have their place, and will continue to have that place for the foreseeable future.

        That doesn't mean that you can't have strong authentication/authorization/encryption without a VPN.

        As with everything, context is important. There are situations where SSL/TLS connections directly to a proxy via the browser may be preferred over a heavier-weight VPN client. And there are situations where they're not -- even when that VPN client utilizes SSL/TLS to create its tunnels.

        From an InfoSec standpoint what's really important is:
        1. Making sure that authorized users (and no one else) may access data/information for which they have been granted access and that access should be as granular as possible;
        2. Ensuring that data/information, while traversing *any* network, cannot be intercepted, blocked or modified;
        3. Providing (1) and (2) in a way that's both usable and cost-effective, relative to the value of the data being accessed.

        tl;dr: The *concept* expressed by "Zero Trust" networks is just one piece of an InfoSec strategy to secure assets without placing too high a burden on users or budgets. The marketing hype, as you correctly surmise, is just that.

        --
        No, no, you're not thinking; you're just being logical. --Niels Bohr