VPNs, or virtual private networks, were designed several decades ago to extend the reach of corporate data networks beyond their physical limits. The ubiquity of the Internet and its low cost of access was the trigger for companies to begin taking advantage of it to connect branches, customers, and suppliers in a single network, without the need to use expensive dedicated connections. The one big issue that made implementation difficult — and still does — was security. In the traditional network-centric work model, security risks increase exponentially as VPN-type accesses are added. A solution to this problem has now been found through non-network-centric alternatives to the traditional VPN model.
History of VPNs
Connecting remote sites to a company’s network via the Internet always posed a significant security risk, as data sent from one site to another goes through public links and can be seen by malicious eyes. That is why VPNs were created as tunnels through which information circulates in an encrypted manner so that it cannot be intercepted and used by strangers. Users with authorized access to the VPN tunnel must have the means to encrypt and decrypt the information as transparently as possible, in a way that doesn’t disturb or impede their common tasks. Although the VPN creates a virtual and encrypted channel between users and an organization’s network, its drawback is that any breach of that channel gives a potential attacker unlimited access to all resources connected to the organization’s network, which creates a risk of great proportions. In addition, organizations with large numbers of remote users — for example, employees, customers, or suppliers — must manage VPN access for each of them, which means high maintenance costs. The scenario becomes even more complicated when relatively new devices, such as mobile or IoT devices, must be brought into the network. That is the point at which the VPN stops being a solution and begins to become a serious problem.
Zero trust networks
In a zero-trust network model, the basic principle is that no one is trusted. Access of all users to network resources is restricted, regardless of whether they have accessed the same resource before or not. Any user or device attempting to access a resource within a zero-trust network must go through a strict — albeit fast — verification and authentication process, even if the user or device is physically within the organization. The zero trust model can add some complexity to your implementation. Permissions and authorizations must be kept up-to-date and accurately defined. It requires a bit more work in that sense, but what you get in return is greater control over access to resources and a reduction of the attack surface. In addition, other benefits of modern alternatives to VPNs — such as zero-trust networks — include a better user experience for remote users, which is evidenced by higher quality video conferencing and more responsive applications. At the same time, managing access per resource reduces the risk of lateral movement, and consequently, the potential spread of ransomware.
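As an added illustration, not code from this article or from any of the vendors it reviews, the following Python sketch contrasts the two access models described above: the network-centric decision, where being inside the tunnel is the only check, and a zero-trust decision, where every request is evaluated against identity, authentication freshness and device posture with no trust carried over from earlier requests. The policy table, group names, device attributes and MFA-age thresholds are all constructed for the example; `reachable_resources` shows how far a single compromised principal could move under each model.

```python
"""Added example: per-request zero-trust evaluation vs. a VPN-style check.
All policies, users, devices and thresholds below are constructed sample data."""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Device:
    id: str
    managed: bool      # enrolled in the organization's device management
    jailbroken: bool   # rooted/jailbroken devices fail the posture check
    os_patched: bool


@dataclass(frozen=True)
class Request:
    user: str
    groups: frozenset  # groups asserted by the identity provider
    mfa_age_s: int     # seconds since the user last completed MFA
    device: Device
    resource: str
    action: str
    on_vpn: bool       # whether the request arrives through the tunnel


# Network-centric model: the only question asked is "are you on the tunnel?"
def vpn_decision(req: Request) -> str:
    return "allow" if req.on_vpn else "deny"


# Resource-level policy (constructed): who may do what, under which conditions.
POLICY = {
    "hr-portal": {"groups": {"hr"}, "actions": {"read", "write"},
                  "managed_only": True, "max_mfa_age_s": 900},
    "wiki":      {"groups": {"staff", "contractor"}, "actions": {"read"},
                  "managed_only": False, "max_mfa_age_s": 86400},
    "prod-db":   {"groups": {"dba"}, "actions": {"read", "write"},
                  "managed_only": True, "max_mfa_age_s": 300},
}


def device_healthy(d: Device) -> bool:
    return not d.jailbroken and d.os_patched


def zero_trust_decision(req: Request) -> tuple:
    """Evaluate one request from scratch.  Location on the network is never
    consulted; a cached 'allow' from a previous request does not exist."""
    pol = POLICY.get(req.resource)
    if pol is None:
        return "deny", "unknown resource (default deny)"
    if req.action not in pol["actions"]:
        return "deny", "action not permitted on resource"
    if not req.groups & pol["groups"]:
        return "deny", "identity not authorized for resource"
    if req.mfa_age_s > pol["max_mfa_age_s"]:
        return "deny", "re-authentication required"
    if pol["managed_only"] and not req.device.managed:
        return "deny", "managed device required"
    if not device_healthy(req.device):
        return "deny", "device posture check failed"
    return "allow", "policy satisfied"


def reachable_resources(req: Request, model: str) -> set:
    """Resources a principal could read under a given model.  Under the VPN
    model a compromised tunnel session reaches every resource; under zero
    trust a compromised identity reaches only what policy grants it."""
    reachable = set()
    for res in POLICY:
        probe = replace(req, resource=res, action="read")
        verdict = vpn_decision(probe) if model == "vpn" else zero_trust_decision(probe)[0]
        if verdict == "allow":
            reachable.add(res)
    return reachable


if __name__ == "__main__":
    byod = Device("phone-07", managed=False, jailbroken=False, os_patched=True)
    contractor = Request("carol", frozenset({"contractor"}), 60, byod, "wiki", "read", True)
    print("VPN model reaches:       ", sorted(reachable_resources(contractor, "vpn")))
    print("Zero-trust model reaches:", sorted(reachable_resources(contractor, "zero-trust")))
```

The order of checks matters for the audit trail: the reason string returned alongside each deny is what an administrator would log, so the most specific failing condition (wrong resource, wrong action, wrong identity, stale MFA, unmanaged device, bad posture) is reported rather than a generic refusal.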
No standards at the moment
While there are several initiatives to define protocols, procedures, and technologies for zero trust architectures, there are no industry-wide accepted standards yet. However, several zero-trust network solutions are emerging as leaders in this new segment, so they could well be the ones that end up setting the standards. Let’s take a look 👀 at them.
Perimeter 81
Perimeter 81 allows you to easily create, manage, and secure custom and multi-regional networks that interconnect to an organization’s on-premises or cloud environments. Perimeter 81’s Zero Trust Secure Network as a Service employs a software-defined perimeter architecture, which provides greater network visibility, flexibility for onboarding new users, and compatibility with leading cloud infrastructure providers. Network segmentation defined by trusted zones allows the organization to create internal trust boundaries that control the flow of data traffic in a granular way. Trusted zones are made up of sets of infrastructure elements in which resources operate at the same level of trust and offer similar functionality, minimizing the number of communication paths and consistently limiting threats. With Perimeter 81’s Zero Trust Network Access, it is possible to have a complete and centralized view of the organization’s network, ensuring least-privilege access to all valuable corporate resources. Its security features adhere to the SASE model, a term coined by Gartner that refers to the convergence of security and network management on the same platform.
Twingate
Offered as a cloud-based service, Twingate makes it possible for IT teams to configure a software-defined perimeter for their resources without the need to make any infrastructure changes, and to centrally manage user access to internal applications, either on-premises or in cloud environments. Twingate significantly reduces the organization’s exposure to cyber-attacks by making the internal network completely invisible to the Internet. Resource-level access control prevents hackers from gaining access to the entire network, even when they manage to compromise individual users or resources. The Twingate solution requires minimal maintenance and is capable of scaling from 10 to 10,000 resources. Access management for resources is carried out from a central web-based management console, called the Twingate controller. To authenticate users and ensure that each resource request comes from an authorized user, Twingate integrates with leading SSO (single sign-on) and identity providers. A distinctive feature of Twingate is split tunneling, which allows traffic to flow through the organization’s network only when necessary. This reduces latency in applications such as videoconferencing, where parties can be more directly connected. The Twingate service is charged at a per-user, per-month rate, which varies depending on the number of users. A free option is offered that supports up to 2 users, two devices per user, and one remote network.
NordLayer
NordLayer provides a full service for keeping the network secure and ensures secure remote access to your business data. It leverages innovative technologies within the Secure Service Edge framework derived from the Secure Access Service Edge model. Going beyond conventional cybersecurity measures, NordLayer supports a perimeter-less workplace. NordLayer supports many endpoint types, including Windows, macOS, Linux, Android, and iOS operating systems. Once NordLayer’s applications are installed, these devices can be used to access the company’s internal network. Their service delivery method is simple enough for casual users to set up on their devices while providing in-depth functionality for network administrators. That way, users get a simple service they can leave running in the background, while network administrators can take advantage of in-depth cybersecurity controls. Secure Web Gateways act as checkpoints that evaluate each incoming connection before granting internal access. The device’s security posture is checked with jailbroken device detection, weeding out suspicious devices that could threaten the network’s security status. As for user management, NordLayer emphasizes identity-based authentication. Your workforce can be placed in specific teams with adjustable access levels. Such employee segmentation increases network visibility by ensuring that employees are only accessing resources necessary for their work functions. Authentication itself can be enhanced by two-factor authentication using biometric data, a TOTP app, or SMS authentication. That way, hackers would still not be able to easily infiltrate your network even if an employee’s credentials are exposed. While NordLayer started from a business VPN service, they have since expanded their suite, offering a comprehensive solution that is far superior in terms of security and features.
Cloudflare for Teams
Built on its own global infrastructure, the Cloudflare for Teams service provides secure access to an organization’s devices, networks, and applications, replacing traditional network-centric security perimeters and making the Internet faster and safer for work teams distributed all over the world. Cloudflare offers zero-trust access to all applications in the organization, authenticating users through its own global network. In this way, it allows third-party users to be onboarded effortlessly while keeping a log of each event and each access request to a resource. The Cloudflare for Teams solution is built around two complementary products: Cloudflare Access and Cloudflare Gateway. The first fulfills a function analogous to that of a VPN: giving users access to the resources they need while avoiding exposing them to cyber threats. The second is a firewall that protects users from malware infections, enforcing organization policies every time they connect to the Internet. Both Access and Gateway are built on top of the Cloudflare network. That means they are capable of delivering high speed, reliability, and scalability to even the largest organizations. The network is resistant to DDoS attacks and is milliseconds away from wherever users are. Cloudflare for Teams plans are divided into Free, Standard, and Enterprise. The Free version offers the essential tools to protect up to 50 users and applications. If the number of users is greater than 50, it is necessary to upgrade to the Standard version for a fee of $7 per user per month, and if enterprise capabilities are required, such as 24x7x365 phone and chat support, certificate-based authentication, etc., you need to scale to the Enterprise version, for a cost tailored to each case.
Zscaler Private Access
Security-as-a-service company Zscaler offers a cloud-based zero-trust networking service — called Zscaler Private Access, or ZPA — that controls access to private applications, whether they run in public clouds or within a proprietary data center. ZPA ensures that applications are never exposed to the Internet, making them completely invisible to unauthorized users. The ZPA service connects applications with users through an inside-out approach, rather than by stretching the boundaries of the network to include users. Users are never within the network, minimizing the risk of lateral movement or the spread of ransomware. This zero-trust network access strategy supports both managed and unmanaged devices and also supports any kind of private application, not just web applications. Through the establishment of micro-tunnels, ZPA gives network administrators the ability to segment by application, without the need to use classical network segmentation or to segment artificially by managing access levels or firewall policies. The use of TLS-encrypted tunnels with customer-specific private keys (PKI) provides an extra level of security for accessing corporate applications. At a time when remote work seems to be here to stay, Zscaler is emphasizing supporting users so they can work from anywhere without losing productivity.
TeamViewer
The TeamViewer solution proposes remote access to devices as an alternative to VPNs, offering advantages in terms of speed, security, functionality, and cost. TeamViewer is the most popular remote access solution, with more than 2 billion connected devices and 200 million active users. Connecting to a remote device via TeamViewer maximizes connection speed by sending only the information required to provide interactivity over the network, which reduces the volume of information transmitted. In turn, information security is ensured by end-to-end data encryption, coupled with additional security measures, such as two-factor authentication. With TeamViewer, remote devices can be shared among multiple users simultaneously. In addition, the solution offers extra functionality, such as file or screen sharing and session recording. The costs of setting up and maintaining a VPN are estimated to be several times higher than those of remote access solutions, which are free of complicated installation and configuration procedures. For those who are interested in using TeamViewer privately, there is a free version with which you can give friends or family remote access to your computer or device. This version includes the possibility of sharing files and screens and maintaining communication by audio, video, or chat.
Taking care of the health of sysadmins
Zero trust solutions are, first and foremost, a cure for many headaches that sysadmins suffer from VPNs. Any business owner who wants to reduce medical expenses and stress treatments for their IT department should seriously consider adopting a good alternative to the almost outdated VPNs, such as the modern zero-trust networks and remote access options reviewed here.