For years, the combination of a virtual private network (VPN) and firewalls has been the model of choice for enterprises seeking to secure connectivity to the internet. And for years, the model has been a highly successful one.
However, the era of perimeter security is almost over. Its demise has been accelerated by two trends:
Often, traffic from remote workers is backhauled over a VPN to a corporate data center or branch office, where it is subsequently re-routed over another VPN connection through less than optimal internet routes to IT services in the cloud. Such backhauling is slow and can introduce added cost, complexity and points of failure.
This eWEEK Data Points article contains industry information from Alexander McMillen, Vice-President of Operations for Security as a Service Platform provider OPAQ. McMillen, an expert in systems and network engineering, as well as IT operations, is founder of the Washington, D.C. chapter of the Vyatta Secret Society, a user group that enables companies to perform software-defined networking functions on commodity hardware.
The first step in creating a post-VPN security model is to eliminate the need for centralized firewalls and the related backhauling of traffic to a single location. This new approach involves connecting individual workstations and mobile devices to a cloud-based firewall service. These connections must be maintained in an always-on state behind the scenes without requiring any interaction from end users.
Such an architecture requires a service provider with a robust network that ensures end-users experience superior network performance wherever they travel. At the same time, this architecture should give IT security managers access to the same logs, dashboards, and security controls they are used to seeing from a traditional firewall.
Sophisticated proxies are essential to this new security architecture. Properly designed, these proxies should give corporate users easy access to internal applications via their web browsers. Users must be able to simply type a URL, knowing they don’t have to fuss with a VPN client connection first.
At the same time, these proxies protect applications from internet threats, giving IT departments complete visibility and control over who is using what services, from where, and when — all based on corporate policies, device and user identities and device configuration. The architecture enables IT to provide reliable services while managing applications in a central place.
At their core, proxies need an HTTPS gateway that protects applications while it authenticates users. Ideally, this gateway automatically provisions cryptographic client certificates to each workstation and mobile device based on the unique identity of that device and its user.
For cloud-based hosting of applications to function smoothly and securely, the network security architecture underpinning it should use multi-factor authentication (MFA) to grant or deny user access to applications. Meanwhile, endpoint devices and their activity should be monitored and audited, including system status and configuration information. Visibility into device state and behaviors can be used to determine risk and whether access to applications should be approved or denied.
Corporate networks will likely never disappear, nor will the threats that they face. For this reason, it is vital to remove trust from internal networks in order to prevent threats from spreading laterally. Implementing Zero Trust requires the dynamic segmentation of networks and enforcing firewall policies on each endpoint in real time as users and hosts interact. Ideally, policies should be fashioned around user and device identity, as well as traditional IP addresses, ports and protocols.
In the real world, Zero Trust segmentation means that two different users on different teams can be attached to the same local network while having access to different resources. Such segmentation greatly enhances the speed and accuracy of security staff in responding to a potential threat.
Today, the functionality of enterprise network security programs tends to be largely designed to meet compliance requirements. At the same time, these programs are becoming more distributed, making it more difficult for IT departments to effectively monitor security controls.
A post-VPN security architecture can greatly alleviate, even entirely eliminate such monitoring challenges by continuously collecting data on security controls used on each network firewall and endpoint device. In addition, this intelligence can be used to demonstrate compliance with regulatory mandates and security frameworks such as NIST, PCI, HIPAA, CIS, etc.
Despite their widespread adoption and effectiveness, traditional firewalls and VPNs are struggling to keep pace with the evolution of corporate network architectures, user access patterns and hybrid on-premises/cloud hosted resources. A distributed approach that places many of the security controls, policy enforcement and networking elements of traditional firewalls and VPNs in the cloud is emerging as an attractive alternative.