SoylentNews is people
SoylentNews
VPNs are a way of stitching together separate networks, often physically separate ones, such that they resemble a single logical network. They are (mis-)used heavily these days on the mistaken premise that the network inside any given firewall is somehow secure and the network outside that firewall is somehow less secure. The idea of not trusting the network at all, the foundation of several of the services developed in the 1980s under MIT's Project Athena, such as Kerberos, is returning. Zero Trust is the new name for the networking concept in which no part of the network is considered secure, whether inside or outside a firewall. The pendulum is swinging back and multiple articles this year cover the fact that Zero Trust Networking is trending.
VPNs are part of a security strategy based on the notion of a network perimeter; trusted employees are on the inside and untrusted employees are on the outside. But that model no longer works in a modern business environment where mobile employees access the network from a variety of inside or outside locations, and where corporate assets reside not behind the walls of an enterprise data center, but in multi-cloud environments.
Gartner predicts that by 2023, 60% of enterprises will phase out most of their VPNs in favor of zero trust network access, which can take the form of a gateway or broker that authenticates both device and user before allowing role-based, context-aware access.
Is this a case of what's old is new again or merely a case of being so obvious that no one bothered to mention it and thus it got forgotten because it largely went unsaid? VPNs have a place, but the way in which they are often used amounts to just more snake oil. Many have long pointed out that if a product or service cannot exist online without a firewall then it should never have been connected to the network in the first place.
See also
SC Magazine: Kill the VPN. Move to Zero Trust
Zscaler blog: Zero trust is shaking up VPN strategies
Business Wire: New Research Reveals Widespread Movement to Replace VPNs With Zero Trust Network Access
Techzine: 'Companies want to replace VPN with Zero Trust Network Access'
(Score: 5, Informative) by maxwell demon on Wednesday December 18 2019, @09:00PM (3 children)
The article sounds as if the VPN would be the magic key that allows you access to everything. That is not my experience. The VPN gives me exactly two things: First, a way to get my packets from my computer to the target network without anyone in between being able to observe or modify them. All an outsider sees is the VPN tunnel itself. And second, when accessing anything in the internet, it goes through that internal network, so from an outside point of view, it originates there.
If I want to access anything inside the network (other than the things that are freely accessible from outside anyway), I still need to authenticate to the computer or web interface in question. Just like I do when working from the desktop computer in the office; well, actually even more so, because to access e.g. my files, I still have to remote login into that internal computer.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 4, Informative) by arslan on Wednesday December 18 2019, @09:40PM (1 child)
Didn't read TFA, just the TFS, and I'm confused too. I've heard a lot about zero trust but mostly with respect to networks zones, i.e. the concept flattening the DMZ and private internal zones behind the corporate firewall and just treat everything as untrusted - even behind the corporate firewall which we will not remove just because we do zero trust.
It is a sound concept in that if everything is zero trust, developers are forced to bloody think about security instead of assuming internal network behind corporate firewall will protect everything. Of course that doesn't stop millennial startups or con-sulting firms like Gartner to push products, buzzwords and services.
I'm not clear how VPNs figure into this - you still need VPNs to allow you to be part of the network, tunneling through another, even if it is a zero trust network inside and outside. Security isn't just a single layer thing, going zero trust doesn't mean you strip out everything else like your firewall.
(Score: 4, Funny) by driverless on Thursday December 19 2019, @05:22AM
That's because it's Gartner marketing gibberish:
So they're telling you that enterprises are phasing out VPNs in order to replace them with words-describing-a-VPN-but-not-calling-it that.
Thankyou, Gartner [imgur.com], you're really giving us value for money on our $50,000 annual subscription.
Next up from Gartner, users are phasing out web browsers in exchange for remote-markup-with-embedded-content-viewing-applications. Full reports starting at $3,000.
(Score: 0) by Anonymous Coward on Wednesday December 18 2019, @10:41PM
1. Yes, some organizations treat being on the internal network as a magic key.
2. It doesn't have to be "everything" to be dangerous.
Everywhere I've worked there are at least some services on the internal network that provide some privileged level of information and/or control without any kind of authentication. Where I am now, this is still the case for logging and production monitoring at least.
Many things have moved toward "zero-trust", but mass migration is stifled by authentication making things hard. Developers are lazy. They will work around incomplete security policies that can't handle the distinction between keys-to-the-kingdom and logs-that-leak-some-whitebox-info-like-server-version.