Friends Don’t Let Friends VPN
Please stop creating more VPNs... This is NOT the way.
Traditional VPN, while it did a good job of separating trusted and untrusted networks, is too antiquated for modern cloud networks and distributed workforces. Companies are fully remote and even have near-shore and offshore contractors and employees working in their environments with privileged access, using devices that are not company-issued or managed. A VPN grants broad access to all systems once the tunnel is up, which is not optimal for security.
Does everyone need the same access to all systems?
A More Modern Approach to VPN
A more modern approach to privileged access is a multi-faceted approach based on:
Contextual Factors such as:
Last 5-10 logins
Even then, not everyone would have the same access to every system.
Everyday engineers can have access to systems, but maybe not privileged access.
Those with privileged access should go through step-up authentication (which takes you through all of the above) before access is granted.
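The decision flow described above (identity, device posture, contextual factors such as recent logins, and step-up only for privileged access) can be written down as a small policy engine. The following is an added example, not code from the original post; the field names, the "last 10 logins" window, the thresholds (three failed logins, a login country not seen in recent successful logins) and the sample users, devices and resources are all constructed for illustration.

```python
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    DENY = "deny"
    ALLOW = "allow"                # access to the requested resource is granted
    STEP_UP = "step_up_required"   # entitled, but privileged access needs step-up auth first


@dataclass
class Identity:
    user: str
    groups: set          # assumed group names, e.g. {"engineering", "sre"}
    mfa_verified: bool   # the everyday MFA check, not the step-up


@dataclass
class DevicePosture:
    managed: bool        # enrolled in company device management
    disk_encrypted: bool
    os_patched: bool


@dataclass
class LoginEvent:
    country: str
    success: bool


@dataclass
class Context:
    country: str               # where this request comes from
    recent_logins: list        # last logins for this user, newest first


@dataclass
class Resource:
    name: str
    privileged: bool           # e.g. a production bastion vs. the wiki
    admin_groups: set          # groups allowed privileged access to it


def posture_ok(device: DevicePosture) -> bool:
    """Unmanaged, unencrypted or unpatched devices never get in."""
    return device.managed and device.disk_encrypted and device.os_patched


def context_ok(ctx: Context, window: int = 10, max_failures: int = 3) -> bool:
    """Contextual check over the last `window` logins (constructed thresholds)."""
    recent = ctx.recent_logins[:window]
    failures = sum(1 for e in recent if not e.success)
    seen_countries = {e.country for e in recent if e.success}
    if failures >= max_failures:
        return False                       # brute-force-looking history
    if seen_countries and ctx.country not in seen_countries:
        return False                       # request from a country not seen recently
    return True


def evaluate(identity: Identity, device: DevicePosture, ctx: Context,
             resource: Resource, step_up_done: bool = False) -> Decision:
    """Evaluate one access request; privileged resources additionally require step-up."""
    if not identity.mfa_verified:
        return Decision.DENY
    if not posture_ok(device):
        return Decision.DENY
    if not context_ok(ctx):
        return Decision.DENY
    if not resource.privileged:
        return Decision.ALLOW              # everyday engineer access
    if not (identity.groups & resource.admin_groups):
        return Decision.DENY               # not entitled to privileged access at all
    # Entitled: step-up re-runs the checks above plus a stronger factor before granting.
    return Decision.ALLOW if step_up_done else Decision.STEP_UP


# Constructed sample data for a quick run.
ENGINEER = Identity("alice", {"engineering"}, mfa_verified=True)
SRE = Identity("bob", {"engineering", "sre"}, mfa_verified=True)
MANAGED_LAPTOP = DevicePosture(managed=True, disk_encrypted=True, os_patched=True)
CONTRACTOR_LAPTOP = DevicePosture(managed=False, disk_encrypted=True, os_patched=True)
HISTORY = [LoginEvent("US", True)] * 6 + [LoginEvent("US", False)]
CTX_HOME = Context("US", HISTORY)
CTX_NEW_COUNTRY = Context("BR", HISTORY)
PROD_BASTION = Resource("prod-bastion", privileged=True, admin_groups={"sre"})
WIKI = Resource("wiki", privileged=False, admin_groups=set())

if __name__ == "__main__":
    for who, dev, ctx, res, stepped in [
        (ENGINEER, MANAGED_LAPTOP, CTX_HOME, WIKI, False),
        (ENGINEER, MANAGED_LAPTOP, CTX_HOME, PROD_BASTION, False),
        (SRE, MANAGED_LAPTOP, CTX_HOME, PROD_BASTION, False),
        (SRE, MANAGED_LAPTOP, CTX_HOME, PROD_BASTION, True),
        (SRE, CONTRACTOR_LAPTOP, CTX_HOME, PROD_BASTION, True),
        (SRE, MANAGED_LAPTOP, CTX_NEW_COUNTRY, PROD_BASTION, True),
    ]:
        print(who.user, res.name, "step_up_done=%s" % stepped, "->",
              evaluate(who, dev, ctx, res, stepped).value)
```

The point to notice is the ordering: identity, device and context are hard gates that apply to everyone, entitlement to a privileged resource is per resource rather than "in the VPN, therefore in everything", and even an entitled user on a good device only gets a STEP_UP answer until the stronger authentication has actually happened.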
Notice I haven’t even used the word “Zero Trust” yet? Well, I just explained it to you.
Oh, you can also reduce the need for all of the above by making everything stateless and managed through Infrastructure as Code (IaC). That way, the PR process is how changes are made to production, and nobody needs a standing login to production hosts to make them.
To sum up, traditional VPN is not enough to provide secure access to applications and resources for modern cloud networks and distributed workforces. Zero-trust network access (ZTNA) provides a software-defined perimeter that ensures only authorized users and devices can access the network. ZTNA utilizes a multi-faceted approach based on a user's identity, device posture, and contextual factors to provide secure access to the systems they need to perform their jobs. By implementing ZTNA, companies can improve their security posture, reduce their attack surface, and stay ahead of emerging threats.