Thinking beyond the VPN

When forced to allow the majority of staff to work from home when the COVID-19 pandemic hit, many organisations made boosting their VPN capacity a top priority. Now, more than 12 months later, growing numbers are choosing a different path.

While VPNs were effective when limited numbers of people were working remotely, they were cumbersome and expensive to expand to meet the demands of larger numbers. Performance degradation also became an issue as limited connection capacity had to be shared by multiple users.

To overcome these challenges, many organisations are starting to embrace a zero trust strategy. This approach eliminates the need for a VPN while offering strong security for both users and corporate IT resources.

Zero trust removes the need for a secure perimeter. It relies on users to authenticate before being allowed to connect. This removes the bottlenecks often associated with VPNs and improves overall levels of performance.

It should be noted, however, that not all zero trust services are the same. Some are hosted as fully cloud-delivered services that are managed by the security vendor. Others are deployed as on-premises gateways hosted and managed by the customer themselves.

Achieving the business benefits of zero trust

As well as providing an effective and scalable way of delivering secure connectivity, zero trust also provides business managers with the ability to drive the secure transformation of their operations.

For example, it aids the adoption of cloud-based resources and services, including those providing security. Indeed, industry research has found that more than 80 percent of businesses expect to increase their consumption of security-as-a-service (SECaaS) technologies in the post-COVID-19 environment.

Cloud-delivered zero trust services will become the preferred option for businesses going forward since they offload the management of security infrastructure to the vendor and ensure scalability and availability as part of their service level agreement. There are no appliances to manage or network infrastructure to set up that would slow down the move to cloud.

Businesses must also ensure that access to apps is rooted in zero trust. The ability to use identity and defined business policies to connect authorised users directly to applications ensures that the business never has to place users onto its network.

This means that no network resources ever need to be exposed to the internet and that access to applications is always secure. This makes it much easier for a business to embrace cloud.

Zero trust also supports the need for users to have the ability to work from anywhere. Because it is based on identity and business policies, the cloud service automatically selects the fastest access path, so the physical location of the user no longer matters. A user working in the office has exactly the same access experience as when working from home.

Putting zero trust to work

Once the decision is made to embrace a zero-trust strategy, there are some key steps that should be followed. These include:

  • Create a master plan: This plan should incorporate all required elements including an identity provider, access service, endpoint security solution, and SIEM solution. There is no silver-bullet zero trust solution, so each of these key ecosystem players is designed to integrate with the others using APIs.
  • Examine your attack surface: Identify where your weaknesses exist and determine how your attack surface can be reduced. Consult with your chosen zero trust vendor about running an assessment to determine whether your existing network environment is currently too exposed to the internet.
  • Identify shadow IT: Carefully review all applications being run and determine whether any fall into the category of shadow IT. There is a good chance that there are SaaS apps or private apps being used today of which the IT team is not aware.
  • Choose an initial set of users: Carefully select a subset of employees that will benefit most from a zero-trust plan. These could be C-levels who are often important for any key decisions around IT, or partners who need access to your business applications.
  • Select core applications: Place initial focus on the business applications that currently present the greatest risk to your organisation. In this way you will get quantifiable benefits as quickly as possible.

Remote working is going to remain a feature of the business landscape for the foreseeable future. For that reason, it makes sense to embrace zero trust and take the necessary steps to put a strategy in place. The potential benefits are too big to ignore.

Steve Singer
Steve Singer is Regional Vice President and Country Manager - Australia and New Zealand for Zscaler.