Mar 16 2020

Is VPN Still Valuable in a Zero-Trust Environment?

Agencies can shift away from perimeter-based defenses and toward zero trust to enhance their cybersecurity.

Zero-trust cybersecurity represents a mindset shift for federal agencies: every user, device and transaction is verified before access is granted, and no access is granted without that validation.

Identity management and authentication are central to zero trust, and zero trust enables more granular control related to access in an organization’s environment.

According to a recently released survey, “Security Without Perimeters: Government’s Shift to Identity-Centered Access,” nearly half (48 percent) of federal government IT decision-makers reported that their agency is “substantially on their way to adopting an identity-focused approach to protecting access to agency resources.”

The survey, produced by FedScoop and underwritten by Duo Security, surveyed 171 prequalified government and industry IT decision-makers in November 2019. 

The survey notes that recent federal government mandates — from the Federal Data Strategy action plan to the OPEN Government Data Act — are placing greater demands on agencies to use and protect government data more effectively. Meanwhile, many private sector firms and agencies are shifting away from traditional VPNs and perimeter defense tactics. 

Such tools may no longer be “effective by themselves in protecting sensitive data from hackers and insider threats,” the report notes. 

However, 3 in 10 federal government respondents say their agencies still rely heavily on perimeter defense tools or policies.

What Is Zero-Trust Cybersecurity?

In February, the National Institute of Standards and Technology released a second draft special publication for public comment on zero trust. “A single enterprise may operate several internal networks, remote offices with their own local infrastructure, remote and/or mobile individuals, and cloud services,” the NIST publication says. “This complexity has outstripped traditional methods of perimeter-based network security as there is no single, easily identified perimeter for the enterprise. Perimeter-based network security has also been shown to be insufficient since once attackers breach the perimeter, further lateral movement is unhindered.”

The special publication is designed to give federal IT leaders a “conceptual framework” using vendor-neutral terms, Scott Rose, a computer scientist at NIST, said in January at Duo Security’s Zero Trust Security Summit, presented by FedScoop.

“It’s where the emphasis of zero-trust implementations lies — whether identity or the actual micro-segmentation or the underlying network itself,” Rose told FedScoop after his panel. “Every good solution has elements of all three, it’s just: What is the key turning point for the organization?”


As NIST notes, zero trust refers to an “evolving set of network security paradigms that narrows defenses from wide network perimeters to individual resources.”

A zero-trust architecture uses zero-trust principles to plan enterprise infrastructure and workflows, according to NIST. “Zero trust assumes there is no implicit trust granted to assets or user accounts based solely on their physical or network location (i.e., local area networks versus the internet),” NIST says. “Authentication and authorization (both user and device) are discrete functions performed before a session to an enterprise resource is established.” The NIST publication gives general deployment models and use cases where zero trust could improve an enterprise’s overall cybersecurity posture.


How Agencies Are Shifting to Zero Trust

According to the survey, 50 percent of government respondents said their agencies have strategies to meet the Office of Management and Budget’s Federal Identity, Credential and Access Management (FICAM) policy requirements.

The further along agencies are to realizing a FICAM strategy, “the more advanced they are in consolidating identity and access controls to agency resources,” according to the survey. 

However, between 41 and 48 percent of respondents are still in the early stages of taking inventory of the people and/or devices accessing their organizations’ networks. 

The survey found that federal IT leaders are moving toward a passwordless user experience, with a little more than half planning to do so within the next two years. Respondents ranked multifactor one-time passwords (33 percent), randomly chosen passwords/PINs (22 percent) and out-of-band authenticators (20 percent) as the top three types of MFA their agencies will increase investment in over the next two years.

If agencies want to move to a zero-trust environment, they will need to adopt a combination of capabilities, the survey notes. Those include the ability to determine which systems and devices are owned or managed by the enterprise and which are not; making all communication to agency resources secure regardless of whether it’s from inside or outside the network perimeter; and ensuring access to individual enterprise resources is granted on a per-connection basis.
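The NIST principles quoted earlier (no implicit trust from network location; user and device authentication and authorization performed before each session) and the three capabilities listed above come together in a policy decision point. The following Python is an added illustration written for this page, not code from the article, the survey or NIST: it evaluates each connection on its own, checks the authenticator strength against the resource, checks the device against an enterprise inventory and posture policy, and deliberately ignores whether the request came from the LAN or the internet. All device IDs, resource names, posture thresholds and sample requests are constructed placeholders.

```python
"""Added example of a per-connection zero-trust policy decision (not from the
FedTech article or the NIST draft). Every identifier and threshold below is a
constructed placeholder."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed enterprise device inventory: device id -> posture attributes.
# In a real deployment this comes from an MDM or asset inventory, not a literal.
MANAGED_DEVICES: Dict[str, Dict[str, object]] = {
    "lt-0417": {"disk_encrypted": True, "patch_age_days": 3},
    "lt-0988": {"disk_encrypted": False, "patch_age_days": 120},
}

# Constructed resource catalogue: resource -> minimum authenticator strength.
RESOURCES: Dict[str, str] = {
    "hr-payroll": "hardware",
    "wiki": "otp",
}

# Ordering of authenticator strength used by the policy (constructed).
AUTH_RANK = {"password": 0, "otp": 1, "hardware": 2}
MAX_PATCH_AGE_DAYS = 30


@dataclass(frozen=True)
class ConnectionRequest:
    user: str
    auth_method: str      # strongest authenticator used in this session
    device_id: str
    resource: str
    source_network: str   # "lan" or "internet"; intentionally NOT consulted


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: ConnectionRequest) -> Decision:
    """Decide a single connection. All checks run for every request, and the
    source network never grants implicit trust (the zero-trust principle)."""
    d = Decision(allowed=True)

    # 1. Authentication: is the authenticator strong enough for this resource?
    required: Optional[str] = RESOURCES.get(req.resource)
    if required is None:
        d.allowed = False
        d.reasons.append("unknown resource")
        return d
    if AUTH_RANK.get(req.auth_method, -1) < AUTH_RANK[required]:
        d.allowed = False
        d.reasons.append(
            f"authenticator '{req.auth_method}' below required '{required}'")

    # 2. Device: is it enterprise-managed, and does it meet posture policy?
    posture = MANAGED_DEVICES.get(req.device_id)
    if posture is None:
        d.allowed = False
        d.reasons.append("device not in enterprise inventory")
    else:
        if not posture["disk_encrypted"]:
            d.allowed = False
            d.reasons.append("device disk not encrypted")
        if posture["patch_age_days"] > MAX_PATCH_AGE_DAYS:
            d.allowed = False
            d.reasons.append("device patch level stale")

    if d.allowed:
        d.reasons.append("user, authenticator and device verified for this connection")
    return d


# Constructed sample requests: a managed, hardware-authenticated user coming
# from the internet; an unmanaged phone on the LAN; a stale managed laptop.
SAMPLE_REQUESTS = [
    ConnectionRequest("alice", "hardware", "lt-0417", "hr-payroll", "internet"),
    ConnectionRequest("bob", "password", "byod-phone", "wiki", "lan"),
    ConnectionRequest("carol", "otp", "lt-0988", "wiki", "lan"),
]


def run_samples() -> Dict[str, Decision]:
    """Evaluate each constructed request independently, keyed by user."""
    return {r.user: evaluate(r) for r in SAMPLE_REQUESTS}


if __name__ == "__main__":
    for user, dec in run_samples().items():
        print(user, "ALLOW" if dec.allowed else "DENY", "; ".join(dec.reasons))
```

The point to notice is that the request from the internet is the one that is allowed, while both LAN requests are denied: the decision is driven by the authenticator and the device inventory, which is what "no implicit trust based on network location" means in practice.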

Nearly half or more of respondents said their agencies had only minimal to average capabilities in determining which devices are owned by the enterprise and which are not, and in ensuring that communications and individual connections are secure.
