
posted by Fnord666 on Wednesday December 18 2019, @07:54PM
from the what's-old-is-new-again dept.

VPNs are a way of stitching together separate networks, often physically separate ones, such that they resemble a single logical network. They are (mis-)used heavily these days on the mistaken premise that the network inside any given firewall is somehow secure and the network outside that firewall is somehow less secure. The idea of not trusting the network at all, the foundation of several of the services developed in the 1980s under MIT's Project Athena, such as Kerberos, is returning. Zero Trust is the new name for the networking concept in which no part of the network is considered secure, whether inside or outside a firewall. The pendulum is swinging back and multiple articles this year cover the fact that Zero Trust Networking is trending.

VPNs are part of a security strategy based on the notion of a network perimeter; trusted employees are on the inside and untrusted employees are on the outside. But that model no longer works in a modern business environment where mobile employees access the network from a variety of inside or outside locations, and where corporate assets reside not behind the walls of an enterprise data center, but in multi-cloud environments.

Gartner predicts that by 2023, 60% of enterprises will phase out most of their VPNs in favor of zero trust network access, which can take the form of a gateway or broker that authenticates both device and user before allowing role-based, context-aware access.

Is this a case of what's old is new again or merely a case of being so obvious that no one bothered to mention it and thus it got forgotten because it largely went unsaid? VPNs have a place, but the way in which they are often used amounts to just more snake oil. Many have long pointed out that if a product or service cannot exist online without a firewall then it should never have been connected to the network in the first place.
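As an added illustration of the gateway/broker model the summary describes (this is not code from any of the linked articles or from a vendor product), the toy Python broker below evaluates the same constructed requests under both models: a perimeter check that trusts anything sourced from the corporate address range, and a zero-trust check that ignores source address and instead requires an authenticated user, a managed device, and a role authorized for the specific resource. The address range, users, device ids, roles and resources are all constructed sample data.

```python
# Added example (not from the article or any vendor): a toy access broker that
# contrasts the perimeter model ("inside the firewall == trusted") with the
# zero-trust model the summary describes (authenticate user and device, then
# apply role-based policy, regardless of network location).
# All addresses, users, devices and resources below are constructed sample data.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed corporate range; in the perimeter model, being here is the "magic key".
INTERNAL_NET = ip_network("10.0.0.0/8")

# Constructed role policy: resource -> roles allowed to reach it.
ROLE_POLICY = {
    "prod-admin": {"sre"},
    "logs": {"sre", "engineer"},
    "wiki": {"sre", "engineer", "support", "facilities"},
}

# Constructed device inventory: device id -> whether it is managed and attested.
MANAGED_DEVICES = {"lap-0042": True, "lap-0077": True, "byod-0003": False}


@dataclass
class Request:
    src_ip: str
    user: Optional[str]       # None means no user authentication was presented
    role: Optional[str]
    device_id: Optional[str]  # None means no device identity was presented
    resource: str


def perimeter_decision(req: Request) -> bool:
    """Perimeter model: any source inside the corporate range is trusted,
    without regard to who or what device is asking."""
    return ip_address(req.src_ip) in INTERNAL_NET


def zero_trust_decision(req: Request) -> bool:
    """Broker/gateway model: network location is not an input. The request
    must carry an authenticated user, come from a managed device, and the
    user's role must be authorized for the specific resource."""
    if req.user is None or req.role is None:
        return False                      # unauthenticated: deny, even from inside
    if not MANAGED_DEVICES.get(req.device_id or "", False):
        return False                      # unknown or unmanaged device: deny
    return req.role in ROLE_POLICY.get(req.resource, set())


# Constructed sample requests that mirror the scenarios in the discussion.
SAMPLE_REQUESTS = [
    # Facilities staff on the office LAN, managed laptop, reaching for prod admin tools.
    Request("10.20.1.15", "cleaner01", "facilities", "lap-0077", "prod-admin"),
    # SRE working from a coffee shop on a managed laptop.
    Request("203.0.113.5", "sre-alice", "sre", "lap-0042", "prod-admin"),
    # Something on the LAN hitting the log server with no authentication at all.
    Request("10.30.7.9", None, None, None, "logs"),
    # SRE on the LAN but from an unmanaged personal device.
    Request("10.20.1.77", "sre-bob", "sre", "byod-0003", "prod-admin"),
    # Facilities staff on the LAN reading the wiki, which their role allows.
    Request("10.20.1.15", "cleaner01", "facilities", "lap-0077", "wiki"),
]


def evaluate(requests: List[Request]) -> List[Tuple[str, str, bool, bool]]:
    """Return (user, resource, perimeter_allows, zero_trust_allows) per request."""
    return [
        (r.user or "<anonymous>", r.resource, perimeter_decision(r), zero_trust_decision(r))
        for r in requests
    ]


if __name__ == "__main__":
    for user, resource, perim, zt in evaluate(SAMPLE_REQUESTS):
        print(f"{user:12} -> {resource:11} perimeter={perim!s:5} zero_trust={zt}")
```

Running it shows the two models disagree in exactly the cases the discussion worries about: the perimeter check waves through the unauthenticated LAN client and the facilities account asking for production admin tools, while denying the authenticated SRE who happens to be off-site; the zero-trust check does the reverse. Note that the zero-trust check says nothing about transport protection, which is why the two models are independent of whether a VPN is also in use.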

See also
SC Magazine: Kill the VPN. Move to Zero Trust
Zscaler blog: Zero trust is shaking up VPN strategies
Business Wire: New Research Reveals Widespread Movement to Replace VPNs With Zero Trust Network Access
Techzine: 'Companies want to replace VPN with Zero Trust Network Access'



  • (Score: 5, Informative) by maxwell demon on Wednesday December 18 2019, @09:00PM (3 children)

    by maxwell demon (1608) on Wednesday December 18 2019, @09:00PM (#933898) Journal

    The article sounds as if the VPN would be the magic key that allows you access to everything. That is not my experience. The VPN gives me exactly two things: First, a way to get my packets from my computer to the target network without anyone in between being able to observe or modify them. All an outsider sees is the VPN tunnel itself. And second, when accessing anything in the internet, it goes through that internal network, so from an outside point of view, it originates there.

    If I want to access anything inside the network (other than the things that are freely accessible from outside anyway), I still need to authenticate to the computer or web interface in question. Just like I do when working from the desktop computer in the office; well, actually even more so, because to access e.g. my files, I still have to remote login into that internal computer.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 4, Informative) by arslan on Wednesday December 18 2019, @09:40PM (1 child)

      by arslan (3462) on Wednesday December 18 2019, @09:40PM (#933929)

      Didn't read TFA, just the TFS, and I'm confused too. I've heard a lot about zero trust but mostly with respect to network zones, i.e. the concept of flattening the DMZ and private internal zones behind the corporate firewall and just treating everything as untrusted - even behind the corporate firewall, which we will not remove just because we do zero trust.

      It is a sound concept in that if everything is zero trust, developers are forced to bloody think about security instead of assuming the internal network behind the corporate firewall will protect everything. Of course that doesn't stop millennial startups or con-sulting firms like Gartner from pushing products, buzzwords and services.

      I'm not clear how VPNs figure into this - you still need VPNs to allow you to be part of the network, tunneling through another, even if it is a zero trust network inside and outside. Security isn't just a single layer thing, going zero trust doesn't mean you strip out everything else like your firewall.

      • (Score: 4, Funny) by driverless on Thursday December 19 2019, @05:22AM

        by driverless (4770) on Thursday December 19 2019, @05:22AM (#934101)

        That's because it's Gartner marketing gibberish:

        Gartner predicts that by 2023, 60% of enterprises will phase out most of their VPNs in favor of zero trust network access, which can take the form of a gateway or broker that authenticates both device and user before allowing role-based, context-aware access.

        So they're telling you that enterprises are phasing out VPNs in order to replace them with words-describing-a-VPN-but-not-calling-it-that.

        Thank you, Gartner [imgur.com], you're really giving us value for money on our $50,000 annual subscription.

        Next up from Gartner, users are phasing out web browsers in exchange for remote-markup-with-embedded-content-viewing-applications. Full reports starting at $3,000.

    • (Score: 0) by Anonymous Coward on Wednesday December 18 2019, @10:41PM

      by Anonymous Coward on Wednesday December 18 2019, @10:41PM (#933955)

      The article sounds as if the VPN would be the magic key that allows you access to everything.

      1. Yes, some organizations treat being on the internal network as a magic key.
      2. It doesn't have to be "everything" to be dangerous.

      Everywhere I've worked there are at least some services on the internal network that provide some privileged level of information and/or control without any kind of authentication. Where I am now, this is still the case for logging and production monitoring at least.

      Many things have moved toward "zero-trust", but mass migration is stifled by authentication making things hard. Developers are lazy. They will work around incomplete security policies that can't handle the distinction between keys-to-the-kingdom and logs-that-leak-some-whitebox-info-like-server-version.

  • (Score: 4, Interesting) by nobu_the_bard on Wednesday December 18 2019, @09:04PM (11 children)

    by nobu_the_bard (6373) on Wednesday December 18 2019, @09:04PM (#933899)

    I haven't yet seen anything substantive about this. I keep hearing stuff like "the problem with VPNs is they have this restriction and that limitation" and then "Zero Trust solves those problems! Brought to you by Startup Company!" instead of how they actually accomplish the claim.

    • (Score: 0) by Anonymous Coward on Wednesday December 18 2019, @09:08PM

      by Anonymous Coward on Wednesday December 18 2019, @09:08PM (#933904)

      I'm sure there is a formal name for the outdated model that VPNs have been used to keep around longer than has been useful, but it can be summed up as hard on the outside and chewy on the inside.

    • (Score: 3, Insightful) by epitaxial on Wednesday December 18 2019, @09:16PM

      by epitaxial (3165) on Wednesday December 18 2019, @09:16PM (#933907)

      All part of the "not invented here" mentality. They didn't invent the idea, therefore it's garbage. Also that and not knowing history. Like when someone discovers the virtues of thin clients and fat servers? Gee, we haven't seen that idea over the decades.

    • (Score: 2, Informative) by Anonymous Coward on Wednesday December 18 2019, @09:27PM (4 children)

      by Anonymous Coward on Wednesday December 18 2019, @09:27PM (#933914)

      The modern "Zero Trust" movement really got its start in Google's BeyondCorp where the big idea was to move everything from "behind the firewall [TCP/IP]" to "behind the proxy server [HTTP(S)]".

      "BeyondCorp is a Zero Trust security framework modeled by Google that shifts access controls from the perimeter to individual devices and users. The end result allows employees to work securely from any location without the need for a traditional VPN. ... BeyondCorp dispels the notion of network segmentation as the primary mechanism for protecting sensitive resources. Instead, all applications are deployed to the public Internet..." https://www.beyondcorp.com/ [beyondcorp.com]

      • (Score: 5, Informative) by NotSanguine on Wednesday December 18 2019, @10:28PM (3 children)

        by NotSanguine (285) <{NotSanguine} {at} {SoylentNews.Org}> on Wednesday December 18 2019, @10:28PM (#933950) Homepage Journal

        This is just another prong in Google's (and other "cloud" providers) attempt to deprecate corporate networks in favor of "someone else's servers."

        Proxy servers, VPNs and partitioned networks are important, despite what some start-up with a vested interest in charging folks money to manage AAA services [wikipedia.org] might say.

        However, that's not the whole picture. Another poster [soylentnews.org] referred to the Skittles security model -- hard on the outside, with a soft, chewy center. This has *never* been the prescribed mechanism (even if it has been widely used) for securing enterprise environments.

        Defense-in-depth [wikipedia.org] is, and always has been, the best set of methods to secure information/assets.

        This includes:
        1. VPNs -- Ensure that when traversing uncontrolled networks, that data integrity and non-repudiation can be maintained;
        2. Proxy Servers -- Ensure that connections to/from devices on uncontrolled networks are made to/from hardened platforms;
        3. Packet filtering -- Ensure that malicious data/connection patterns from *any* network are detected and blocked;
        4. Authentication/Authorization* -- Ensure that access to networks/platforms/information, whether interactive or programmatic is made only by those who can both sufficiently identify themselves *and* may only access stuff for which they are specifically authorized;
        5. Physical security -- Ensure that access to physical assets (whether those be bearer bonds, trade secrets or servers/switches/routers/etc.) is limited (via a variety of mechanisms) to those with legitimate access requirements;

        All of the above are *necessary* in securing enterprise environments. An old maxim that remains true (despite the claims of those with vested interests in ignoring it) is that "if you connect something to the Internet (uncontrolled network), you must expect that it will, eventually, be pwned."

        That's not to say that devices *not* connected to uncontrolled networks won't be pwned. Which is why defense-in-depth is so important.

        *This is, perhaps, the most important piece and deserves additional discussion. Authentication and authorization is actually a well-studied domain, and a wide variety of tools are available to implement them across an IT infrastructure:
        1. Network access -- X.509 certificate-based (client and server) authentication, including 802.1x [wikipedia.org], VPN connectivity, TLS-based MTA connections, Proxy servers/packet filtering;
        2. Platform access (1) -- Strong authentication including, but not limited to (some or all, depending on the sensitivity of the platform/access to that platform) physical token-based authentication, Kerberos [wikipedia.org], key-based authentication (ala ssh), password hashing, centralized/federated authentication systems (SSO), etc.
        3. Platform access (2) -- Granular authorization mechanisms including, but not limited to user/group defined filesystem/database permissions, admin/maintenance privilege levels, strong access policies/procedures, etc.
        4. Programmatic access -- I separate this from (2) and (3) above, as special focus and consideration must be given to both application integration and development practices to mitigate data leakage due to poor coding/integration. Including strict authentication and authorization that reliably interfaces with the strong authentication/authorization mechanisms above is critical. Too often application developers/integrators use overly broad access to platforms/data sources to simplify/hide deficiencies in integrating with existing mechanisms and (poorly) attempt to provide such controls on the front end. That is, perhaps, the biggest risk to data security right now.

        --
        No, no, you're not thinking; you're just being logical. --Niels Bohr
        • (Score: 0) by Anonymous Coward on Wednesday December 18 2019, @11:50PM

          by Anonymous Coward on Wednesday December 18 2019, @11:50PM (#933983)

          Exactly. These two security models aren't even opposite sides of the same spectrum, but are orthogonal to each other. You can have a zero-trust setup with or without a VPN. You can also have a full-trust setup with or without a VPN. The dichotomy is not zero trust + no VPN versus full trust + VPN.

          Although I do find it somewhat interesting that the same people at my day job who preach defense in depth and requiring MFA are the same ones arguing to remove a layer of defense and authentication factor.

        • (Score: 0) by Anonymous Coward on Thursday December 19 2019, @02:35AM (1 child)

          by Anonymous Coward on Thursday December 19 2019, @02:35AM (#934068)

          Read the article, and your post pretty much confirms what I expected. "Zero trust" is a bullshit marketing scam. Though it does accurately describe Google and Microsoft, since both are primarily in the corporate intelligence business now, rather than the software business.

          • (Score: 3, Insightful) by NotSanguine on Thursday December 19 2019, @04:04AM

            by NotSanguine (285) <{NotSanguine} {at} {SoylentNews.Org}> on Thursday December 19 2019, @04:04AM (#934093) Homepage Journal

            "Zero trust" is a bullshit marketing scam

            I don't really agree with that characterization.

            I would say that while the term *is* being used as a bullshit marketing term, the conceptual basis for zero trust networks [wikipedia.org] is both valid and quite simple:

            Zero Trust is an information security framework which states that organizations should not trust any entity inside or outside of their perimeter at any time

            Not trusting *unauthenticated/unauthorized* systems/users is, and has been for quite some time, crucial for securing networks and platforms both on controlled (internal) and uncontrolled (external) networks. Which is why encryption and certificate-based technologies such as 802.1x authentication/authorization, federated/centralized AAA systems and other mechanisms are necessary to secure access to both sets of networks.

            However, these are not new or particularly profound concepts. As to the subject of the article, VPNs still have their place, and will continue to have that place for the foreseeable future.

            That doesn't mean that you can't have strong authentication/authorization/encryption without a VPN.

            As with everything, context is important. There are situations where SSL/TLS connections directly to a proxy via the browser may be preferred over a heavier-weight VPN client. And there are situations where they're not -- even when that VPN client utilizes SSL/TLS to create its tunnels.

            From an InfoSec standpoint what's really important is:
            1. Making sure that authorized users (and no one else) may access data/information for which they have been granted access and that access should be as granular as possible;
            2. Ensuring that data/information, while traversing *any* network, cannot be intercepted, blocked or modified;
            3. Providing (1) and (2) in a way that's both usable and cost-effective, relative to the value of the data being accessed.

            tl;dr: The *concept* expressed by "Zero Trust" networks is just one piece of an InfoSec strategy to secure assets without placing too high a burden on users or budgets. The marketing hype, as you correctly surmise, is just that.

            --
            No, no, you're not thinking; you're just being logical. --Niels Bohr
    • (Score: 4, Interesting) by meustrus on Wednesday December 18 2019, @10:48PM

      by meustrus (4961) on Wednesday December 18 2019, @10:48PM (#933960)

      Every startup idea started as a real solution to a real problem. Zero-trust being no different.

      Now, whether the product they ended up building meets their marketing hype is a completely different story.

      To directly address "anything substantive", though, consider this: most enterprises have non-technical managers, customer support, building security, cleaning staff, etc. on the internal network. Do those people have any business accessing production admin tools? If your security model is "internal network === trusted", they have access. "Zero-trust" at its core just means actually authenticating the keys to the kingdom as if they were on the public network, which they might as well be when Pointy Haired Boss is just one phishing email away from causing a multi-million dollar data breach.

      (I don't work for a "zero-trust" provider and honestly don't even know what their marketing claims are, but I'm sure that given their audience, those claims have very little to do with the scenario above)

      --
      If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
    • (Score: 5, Insightful) by The Mighty Buzzard on Thursday December 19 2019, @03:15AM (2 children)

      by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Thursday December 19 2019, @03:15AM (#934079) Homepage Journal

      See, this is what happens when you let professors teach this shit instead of folks who actually do it for a living. Zero Trust never actually went away. It's been being practiced by us older folks who knew our asses from a hole in the ground, and anyone we taught, the entire time. VPNs are handy for one layer of defense out of many but that's all they ever were.

      If you want to be an admin, there is no such thing as too paranoid.

      --
      My rights don't end where your fear begins.
      • (Score: 2) by canopic jug on Thursday December 19 2019, @05:55AM (1 child)

        by canopic jug (3949) Subscriber Badge on Thursday December 19 2019, @05:55AM (#934110) Journal

        See, this is what happens when you let professors teach this shit instead of folks who actually do it for a living. Zero Trust never actually went away. It's been being practiced by us older folks who knew our asses from a hole in the ground, and anyone we taught, the entire time. VPNs are handy for one layer of defense out of many but that's all they ever were.

        Nah. Those are just M$ resellers that got onto the faculty via hefty "donations" from Redmond to both the institutions as a whole and individual researchers working on a PhD. Notice all the buildings named after Bill or all the "... and M$ Research" bylines on articles. The latter, especially, appears to be just money thrown at a starving student in exchange for pretending to share credit in the work. Actual researchers are becoming very, very rare because few are replacing the old ones. Most of the visible ones are very old now, say Dan Geer or Eugene Spafford. However, there is the problem that if the situation goes on long enough some people in some places will start to mistake the M$ resellers for university employees, because one of the tricks is to get them onto the university payroll.

        But yeah, zero trust has been around since at least the 1980s when it didn't have a name and was just the normal way of going about building things on the net. The articles are mostly bullshit and marketing hype, I can barely read them because my filter keeps kicking in. The interesting part is that there are so many from different sources spread throughout this year. However it looks like the startups and other bullshitters have started to produce a positive impact through raising awareness of the old, established concept in this new, post-knowledge era by giving it a proper name. The hype has been thick on this topic since this spring though, so it is very easy to just roll one's eyes.

        --
        Money is not free speech. Elections should not be auctions.
        • (Score: 3, Funny) by The Mighty Buzzard on Thursday December 19 2019, @01:34PM

          by The Mighty Buzzard (18) Subscriber Badge <themightybuzzard@proton.me> on Thursday December 19 2019, @01:34PM (#934185) Homepage Journal

          The hype has been thick on this topic since this spring though, so it is very easy to just roll one's eyes.

          That was never in question for those of us in Gen-X. We can "whatever" and eye roll at the same time without even trying. Damned good thing we can too with all the call for it there is lately.

          --
          My rights don't end where your fear begins.
  • (Score: 0) by Anonymous Coward on Wednesday December 18 2019, @10:28PM (3 children)

    by Anonymous Coward on Wednesday December 18 2019, @10:28PM (#933952)

    Many have long pointed out that if a product or service cannot exist online without a firewall then it should never have been connected to the network in the first place.

    Many also believe in getting shit done, at the lowest cost possible consistent with a given risk profile. Fun idea but totally falls apart when the networks need to start being used to do things.

    • (Score: 4, Funny) by meustrus on Wednesday December 18 2019, @10:50PM

      by meustrus (4961) on Wednesday December 18 2019, @10:50PM (#933962)

      That's why you need Framework™ to do security for you! Just give us a ton of money and you can get shit done just as fast as before without even thinking about security!

      --
      If there isn't at least one reference or primary source, it's not +1 Informative. Maybe the underused +1 Interesting?
    • (Score: 2) by canopic jug on Thursday December 19 2019, @06:00AM (1 child)

      by canopic jug (3949) Subscriber Badge on Thursday December 19 2019, @06:00AM (#934111) Journal

      ... consistent with a given risk profile ...

      I've seen the type. Your risk profile is all about getting paid and moving on before everything you uploaded or even touched goes up in flames, tips over, and sinks into the swamp. Many have cleaned up after saboteurs like you. You are a drain on society.

      --
      Money is not free speech. Elections should not be auctions.
      • (Score: 0) by Anonymous Coward on Thursday December 19 2019, @01:44PM

        by Anonymous Coward on Thursday December 19 2019, @01:44PM (#934189)

        Just build another one!

  • (Score: 2) by Snotnose on Wednesday December 18 2019, @11:14PM

    by Snotnose (1623) on Wednesday December 18 2019, @11:14PM (#933969)

    The only time I turn my VPN on is when I want to, um. Oops.

    *cough* Jeopardy *cough* Survivor*.

    Torrents? Never heard of them. Cut the cord 2 years ago and got a VPN for, um, reasons. That's all you need to know, reasons.

    Porn. Yeah, I don't want Facebook to know about my pissing midget porn. Not that there's anything wrong with that. But that's why I have a VPN.

    --
    When the dust settled America realized it was saved by a porn star.
  • (Score: 0) by Anonymous Coward on Thursday December 19 2019, @02:46AM (1 child)

    by Anonymous Coward on Thursday December 19 2019, @02:46AM (#934070)

    on the Internet, this is 10,001.

    Same mentality as ever: "All these half busted implementations suck! Hey, I've got a great idea, let's create a new implementation!"

    Brands don't solve security problems. Fixing other people's busted code does.

    • (Score: 0) by Anonymous Coward on Thursday December 19 2019, @05:29AM

      by Anonymous Coward on Thursday December 19 2019, @05:29AM (#934105)

      Fixing other people's busted code does

      Everyone else's code is busted. But not mine. /s
