
posted by Fnord666 on Wednesday December 18 2019, @07:54PM
from the what's-old-is-new-again dept.

VPNs are a way of stitching together separate networks, often physically separate ones, such that they resemble a single logical network. They are (mis-)used heavily these days on the mistaken premise that the network inside any given firewall is somehow secure and the network outside that firewall is somehow less secure. The idea of not trusting the network at all, the foundation of several of the services developed in the 1980s under MIT's Project Athena, such as Kerberos, is returning. Zero Trust is the new name for the networking concept in which no part of the network is considered secure, whether inside or outside a firewall. The pendulum is swinging back and multiple articles this year cover the fact that Zero Trust Networking is trending.

VPNs are part of a security strategy based on the notion of a network perimeter; trusted employees are on the inside and untrusted employees are on the outside. But that model no longer works in a modern business environment where mobile employees access the network from a variety of inside or outside locations, and where corporate assets reside not behind the walls of an enterprise data center, but in multi-cloud environments.

Gartner predicts that by 2023, 60% of enterprises will phase out most of their VPNs in favor of zero trust network access, which can take the form of a gateway or broker that authenticates both device and user before allowing role-based, context-aware access.

Is this a case of what's old is new again or merely a case of being so obvious that no one bothered to mention it and thus it got forgotten because it largely went unsaid? VPNs have a place, but the way in which they are often used amounts to just more snake oil. Many have long pointed out that if a product or service cannot exist online without a firewall then it should never have been connected to the network in the first place.
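As an added illustration of the "gateway or broker" model the summary describes (this is example code written for this page, not from any of the linked articles or any vendor product): a deny-by-default access decision that requires an authenticated user, an authenticated managed device, a permitted role and the resource's required context, and that deliberately gives a request from the "inside" address range no advantage. All users, devices, resources and address ranges are constructed sample data.

```python
"""Minimal zero-trust-style access broker (constructed example).

Every request must pass every check; nothing is inferred from the
request's network location, which is the point the article makes
against perimeter-based trust.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: Optional[str]       # authenticated principal, None if no valid credential
    device_id: Optional[str]  # device identity proven e.g. by a client certificate
    resource: str
    source_ip: str
    mfa_passed: bool = False


# Constructed sample directory: user -> roles, and the set of managed devices.
USER_ROLES = {"alice": {"finance"}, "bob": {"engineering"}}
MANAGED_DEVICES = {"dev-001", "dev-002"}

# Per-resource policy: roles allowed and the context the resource demands.
RESOURCE_POLICY = {
    "payroll-db": {"roles": {"finance"}, "require_mfa": True},
    "ci-server": {"roles": {"engineering"}, "require_mfa": False},
}

# The old perimeter, kept only to show that it confers no privilege here.
CORPORATE_LAN = ip_network("10.0.0.0/8")


def evaluate(req: Request) -> Tuple[bool, str]:
    """Return (allowed, reason). Any failed check denies; there is no allow-by-location."""
    if req.user is None or req.user not in USER_ROLES:
        return False, "user not authenticated"
    if req.device_id is None or req.device_id not in MANAGED_DEVICES:
        return False, "device not authenticated or not managed"
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        return False, "unknown resource (deny by default)"
    if not USER_ROLES[req.user] & policy["roles"]:
        return False, "role not permitted for this resource"
    if policy["require_mfa"] and not req.mfa_passed:
        return False, "MFA required by resource policy"
    # Location is recorded for audit only; it never grants or widens access.
    where = "inside" if ip_address(req.source_ip) in CORPORATE_LAN else "outside"
    return True, f"allowed (source {where} the perimeter; not a factor in the decision)"
```

Note that the same request from the corporate LAN and from the public Internet receives the same decision; only the audit reason differs.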

See also
SC Magazine: Kill the VPN. Move to Zero Trust
Zscaler blog: Zero trust is shaking up VPN strategies
Business Wire: New Research Reveals Widespread Movement to Replace VPNs With Zero Trust Network Access
Techzine: 'Companies want to replace VPN with Zero Trust Network Access'


  • (Score: 0) by Anonymous Coward on Thursday December 19 2019, @02:35AM (1 child)

    by Anonymous Coward on Thursday December 19 2019, @02:35AM (#934068)

    Read the article, and your post pretty much confirms what I expected. "Zero trust" is a bullshit marketing scam. Though it does accurately describe Google and Microsoft, since both are primarily in the corporate intelligence business now, rather than the software business.

  • (Score: 3, Insightful) by NotSanguine on Thursday December 19 2019, @04:04AM

    by NotSanguine (285) <{NotSanguine} {at} {SoylentNews.Org}> on Thursday December 19 2019, @04:04AM (#934093) Homepage Journal

    "Zero trust" is a bullshit marketing scam

    I don't really agree with that characterization.

    I would say that while the term *is* being used as a bullshit marketing term, the conceptual basis for zero trust networks [wikipedia.org] is both valid and quite simple:

    Zero Trust is an information security framework which states that organizations should not trust any entity inside or outside of their perimeter at any time

    Not trusting *unauthenticated/unauthorized* systems/users is, and has been for quite some time, crucial for securing networks and platforms both on controlled (internal) and uncontrolled (external) networks. Which is why encryption and certificate-based technologies such as 802.1x authentication/authorization, federated/centralized AAA systems and other mechanisms are necessary to secure access to both sets of networks.

    However, these are not new or particularly profound concepts. As to the subject of the article, VPNs still have their place, and will continue to have that place for the foreseeable future.

    That doesn't mean that you can't have strong authentication/authorization/encryption without a VPN.

    As with everything, context is important. There are situations where SSL/TLS connections directly to a proxy via the browser may be preferred over a heavier-weight VPN client. And there are situations where they're not -- even when that VPN client utilizes SSL/TLS to create its tunnels.

    From an InfoSec standpoint what's really important is:
    1. Making sure that authorized users (and no one else) may access data/information for which they have been granted access and that access should be as granular as possible;
    2. Ensuring that data/information, while traversing *any* network, cannot be intercepted, blocked or modified;
    3. Providing (1) and (2) in a way that's both usable and cost-effective, relative to the value of the data being accessed.

    tl;dr: The *concept* expressed by "Zero Trust" networks is just one piece of an InfoSec strategy to secure assets without placing too high a burden on users or budgets. The marketing hype, as you correctly surmise, is just that.

    --
    No, no, you're not thinking; you're just being logical. --Niels Bohr