For the last 20 years, Virtual Private Networks (VPNs) have been instrumental in enabling people to work remotely. VPNs allow users to use the public infrastructure of the internet to securely connect to private networks (such as their employer’s systems). These capabilities have, until recently, been key to ensuring that employees can securely access their employer’s platform from the comfort of their own home.
How do VPNs work?
In effect, VPNs create a separate, secure tunnel through the internet that connects a user’s device to the network they seek to access. Data passed through this tunnel is encrypted and therefore unreadable by other users of the public network. The result is (at least in theory) that only authorized machines and users are able to access the tunnel and the data and applications that it connects to.
With remote working fast becoming the norm, VPNs have become almost ubiquitous. They have, however, several fundamental flaws that are eroding their dominance.
Single Point of Failure
For almost all VPNs, the authentication process represents a single point of failure. If a bad actor is able to circumvent it, they can and do cause immeasurable damage.
If we imagine a VPN as a tunnel, its defence procedures are akin to putting a security guard at the tunnel’s entrance. This security guard authenticates those who want to gain access to the tunnel, usually by requiring them to enter a password. Once the user is in, the security guard has done his job and the user has unfettered access to the entire network.
This would be fine if the authentication mechanisms were perfect and never failed, but unfortunately, as bad actors have become more sophisticated, they have found it easier and easier to bypass or fool the security guard and gain access to the tunnel.
Bad actors deploying malware like Remote Access Trojans (RATs), Credential Stuffing attacks, and Social Engineering techniques have been increasingly able to gain unauthorized access to corporate VPNs. RATs in particular are able to bypass the single authentication event with ease. All a bad actor has to do to fool malware detection software is turn it off at the point of authentication, then switch it back on once access is granted.
These vulnerabilities have led to a number of recent high-profile security breaches and a 238% increase in cyber attacks in Q1-2 2020.
Vulnerable to BYOD working
To save cost, and cater to individual preferences, organizations are increasingly asking their workforce to adopt a “Bring Your Own Device” (BYOD) model. However, a user’s own device is inherently more at risk of compromise than a corporate machine.
Many users do not have anti-virus or malware protection software installed on their personal devices. They are also more likely to access higher risk services on their own machine, and inadvertently expose them to malware.
If devices that host malware are used for work, organizations run the risk of having their internal systems and data compromised with potentially catastrophic consequences. If organizations seek to adopt a BYOD model, it is vital that they ensure their network retains its integrity in the face of these risks.
These issues are making many organizations look towards a different model that mitigates against and manages the inherent weaknesses of a VPN.
What is Zero Trust?
Zero Trust is a philosophy that seeks to check the identity of the user and integrity of their device every time they seek to access a separate application or resource in the network. Instead of having a single security guard at the start of the tunnel, Zero Trust networks place a security guard at every access point, branch and exit in the tunnel network.
These security guards can also be programmed to check for different things. Perhaps the security guard that grants access to a user’s email will verify the user’s identity and their device’s integrity, whilst the security guard that controls access to the organization’s word processing application is content to just check the user’s device for malware.
This philosophy removes the single point of weakness during the authentication stage. Bad actors who have deployed a RAT on a user’s device, for example, are unable to gain access to the wider resources of the network as the RAT detection software works at all stages of the user’s journey, rather than just at its beginning.
Although highly secure, the Zero-Trust approach has, until recently, been very hard to deliver. The time and effort required to integrate and orchestrate security for each individual component of a network has, understandably, been beyond most organizations. Similarly, clunky authentication processes have made interacting with the networks frustrating to say the least.
However, recent advances in orchestration layers and passive authentication technology have allowed organizations to make their zero trust dreams a reality quickly and cost effectively.
How can I make this happen?
To create a Zero Trust Network, an organization needs three things:
- A way to govern the network. I.e. the ability to set out the security guards and give them their instructions.
- A way to confirm that the user’s device hasn’t been compromised, ensuring that malware cannot get into the system.
- A way to identify legitimate users and guarantee that only appropriate individuals can access data and applications – ideally with as little friction as possible.
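As an added illustration (not Callsign’s code or platform), the following Python model contrasts the two guard placements described above: a single VPN gate checked once at login, versus per-resource Zero Trust policies that re-check identity and device state on every access. The resource names, policy thresholds and the `Device`/`Session` types are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Device:
    malware_detected: bool  # e.g. a RAT is active on the endpoint
    rooted: bool            # device rooted or jailbroken


@dataclass
class Session:
    user: str
    identity_score: float   # 0..1 confidence that the user is who they claim to be
    device: Device


# Each resource has its own "security guard" with its own requirements
# (constructed policies: email needs identity + clean device, the word
# processor only needs a clean device).
POLICIES = {
    "email": {"identity_min": 0.9, "device_clean": True},
    "word_processor": {"device_clean": True},
}


def vpn_gate(password_ok: bool) -> bool:
    """Single check at the tunnel entrance; nothing is re-checked afterwards."""
    return password_ok


def zero_trust_check(resource: str, session: Session):
    """Evaluate the resource's policy against the *current* session state."""
    policy = POLICIES[resource]
    reasons = []
    device = session.device
    if policy.get("device_clean") and (device.malware_detected or device.rooted):
        reasons.append("device compromised")
    if "identity_min" in policy and session.identity_score < policy["identity_min"]:
        reasons.append("identity confidence too low")
    return (not reasons, reasons)


def simulate_rat_toggle():
    """Malware hidden at login and switched back on afterwards (the article's scenario)."""
    device = Device(malware_detected=False, rooted=False)
    session = Session("alice", identity_score=0.95, device=device)
    vpn_allowed = vpn_gate(password_ok=True)   # VPN: access granted, never revisited
    device.malware_detected = True             # RAT re-enabled after the gate is passed
    zt_allowed, _ = zero_trust_check("email", session)
    return vpn_allowed, zt_allowed             # (True, False)
```

Because `zero_trust_check` reads the live device state on each call, re-enabling the malware after login is caught at the next resource boundary, whereas the VPN gate never looks again.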
In the past, this has meant a lot of coding. Teams would have to map out bespoke access processes for each individual resource, then integrate the relevant technology into the user journey. That’s why Callsign developed an approach that we call Zero Trust 2.0. Our platform gives organizations the tools they need to achieve this with a few clicks of a mouse, and no need to write a single line of code.
Callsign’s advanced orchestration layer allows organizations to create and govern access control policies quickly and efficiently. Using our simple drag-and-drop UI, analysts are able to decide what security procedures should be taken at each point in the user’s journey. The interface is completely self-service and allows a full network architecture to be established without the need to write a single line of code. Because the platform is API-driven, any vendor’s technologies can be easily integrated, as can third-party software.
This capability ensures that even nontechnical analysts can create and modify Zero Trust access control policies quickly, without a dependency on technology teams. This greatly reduces the costs of creating a Zero Trust architecture and ensures that the organization can adapt to change with both agility and economy.
Callsign’s advanced threat detection capabilities identify and mitigate against a broad range of threats. Our device intelligence identifies user-side malware such as RATs and can identify scripted attacks from credential stuffing bots. We also highlight users who are seeking to hide their identity (through Tor, proxies or emulators) as well as devices that have been in some way compromised (for instance, those that have been rooted or jailbroken).
As a result, organizations can be sure that when access to an application or resource is granted, the machine that accesses it will not expose the wider network to risk.
Once it is established that the session is secure, Callsign ensures that the user is who they claim to be. Our machine learning models ask, “given what I have observed from the user’s previous interactions, how likely is it that this interaction is genuine?” To achieve this, our platform gathers and analyses data from a wide range of sources, including device fingerprinting, behavioral biometrics, location data, and information from a user’s Mobile Network Operator.
The outcome is that organizations can ensure that users accessing their networks are who they claim to be. Our models identify users at an individual level, making them so accurate, they can spot a bad actor even if they know a legitimate user’s password.
Although the VPN is still a very useful tool, its inherent weaknesses are encouraging many organizations to move towards a Zero Trust model. This move is made possible by new, advanced orchestration, threat detection, and authentication technologies which make its implementation quick and cost-effective.