Why VPNs and Firewalls Can’t Build a Zero Trust Architecture
In today's rapidly evolving threat landscape, it’s clear that traditional perimeter security measures can’t protect organisations from sophisticated cyberattacks. The rise of remote work, cloud computing, and sophisticated AI-related cyberthreat has brought newly dangerous cybercrime to light. As a result, organisations face an urgent need for a more proactive security strategy. In the age of sophisticated cyberthreat, it’s crucial to adapt quickly and provide robust protection for sensitive data and critical systems.
Implementing a zero trust architecture is strongly recommended as a force against this advanced threat landscape, but what is zero trust architecture? Some vendors are using the term “zero trust” loosely and presenting solutions that simply repackage existing perimeter-based security tools.
Whether tools like firewalls are deployed as hardware or as virtual appliances in a cloud instance, they are no match for the relentless and advanced cyberattacks that organisations face today. These approaches operate on the assumption that everything outside the network is untrusted, while everything inside is trusted. With perimeter based security, the network is still exposed, and placing more firewalls in the cloud doesn’t live up to the scalable, multitenant, cloud-first architecture that is necessary when securing your users, workloads, and devices with a true zero trust architecture.
Perimeter-based security has weaknesses
Perimeter security has a glaring weakness—a lack of control across resources once a bad actor has accessed the network. Traditional perimeter security controls interact with the whole network—where IP addresses are left exposed. These exposed IP addresses can easily be exploited by attackers. Once they have access to the network through exploiting these public IP addresses, they can move laterally across the network, find valuable data, and exfiltrate it.
Another weakness of perimeter security comes from attackers who exploit social engineering tactics or vulnerabilities in the network infrastructure. Bad actors are always looking for ways to penetrate enterprise networks. They do this through attacking IP addresses, social engineering, and various infrastructure vulnerabilities. Once inside, attackers can easily bypass perimeter security controls and access any resource they please.
A cloud native zero trust architecture has 4 key principles
To address these weaknesses and provide a more robust security approach, organisations need to adopt a zero trust architecture. At the core of zero trust is the assumption that all users, devices, and traffic, whether inside or outside the network perimeter, are untrusted by default. This approach eliminates the concept of a trusted network and instead verifies every access request, regardless of its origin. Zero trust enforces strict identity verification, least-privileged access, and continuous monitoring and analysis of network traffic to ensure that only authorised users have access to the resources they need.
Implementing zero trust requires organisations to embrace key principles:
- Never trust, always verify: All users, devices, and traffic must be verified before being granted access to any resources. Trust is not assumed, but earned through rigorous verification processes—including using context signals as a key verification point.
- Least-privileged access: Users should only be granted the minimum level of access necessary to perform their job duties. This principle ensures that even if a user's credentials are compromised, the potential damage is prevented.
- Continuous monitoring and analysis: All network traffic must be continuously monitored and analysed for any signs of suspicious activity. This proactive approach allows organisations to detect and respond to potential threats in real-time.
- Assume a breach, evaluate risk: This principle operates on the assumption that a breach has already occurred or will occur. By adopting this mindset, organisations are better prepared to detect and respond to potential breaches, minimising the impact on their networks and resources.
Why firewalls and VPNs fall short of true zero trust architecture
While firewalls and VPNs have traditionally been used to secure networks, they are not sufficient for delivering robust zero trust security. Firewalls and VPNs operate on the principle of perimeter security, assuming that everything outside the network is untrusted, and everything inside the network is trusted. However, this approach falls short in the face of today's sophisticated cyberattacks.
While firewalls and VPNs are included by many vendors as part of their “zero trust” solutions, they shouldn’t be confused with zero trust architecture.
Firewalls can help block unauthorised access to the network, but they cannot prevent lateral movement by attackers who have gained access unless you spend an exorbitant amount of money continuously buying more and more firewalls. VPNs can secure remote access to the network, but they cannot prevent attackers from exploiting vulnerabilities in the network infrastructure. To implement a zero trust architecture, organisations need to adopt a comprehensive approach that doesn’t put the whole network at risk.
Zscaler is a Leader in zero trust architecture
When it comes to implementing zero trust architecture, organisations can turn to Zscaler, the leader in zero trust. The Zscaler Zero Trust Exchange provides a comprehensive approach to securing access to applications for users, workloads, IoT/OT, and third parties in any location.
Zscaler's Zero Trust Exchange is a cloud native platform with high availability and scalability. It offers an intelligent switchboard that connects users, workloads, B2B partners, and devices to resources directly. Zscaler also provides advanced security functionality like least privileged access, continuous monitoring, and risk evaluation. This approach protects organisations and data from various threats by ensuring no one is put on the network directly. The Zscaler cloud secures 400B+ transactions per day across more than 40% of the Forbes Global 2000 companies.
Zscaler's Zero Trust Exchange is supported by a 24/7 customer support team experienced in deploying and managing zero trust architecture.
Article by Sid Bhatia - Sr. Product Marketing Manager, Zscaler
If you would like more information about zero trust solutions from Zscaler, please contact Matrium Technologies;
P: 1300 889 888
E: info@matrium.com.au