It's Time to Ditch the VPN for Zero Trust

Be careful when bringing up the topic of VPNs (virtual private networks) with Anton Chuvakin, head of security solution strategy at Google Cloud. He doesn’t like them much. “They break,” he says. “They break a lot. And at the worst times.”

Chuvakin’s skepticism is well founded. In the past ten months, he’s witnessed an unplanned experiment in real time. A fellow Google employee who accessed Google work resources with zero-trust access (which, in most scenarios, requires the authentication of every device and every user before network access is granted) had no connection issues. Meanwhile, the man’s wife, who used a VPN for her work access, fought with network connection issues at least once a day. The frustration of trying to work that way, says Chuvakin, “is your brain on VPN.” 

The hassles of using VPNs and the security issues they present to the remote workforce — VPNs are great if maintained and configured correctly, but don’t protect against threats carried in through a home network —are very much on Chuvakin’s mind, as are the other challenges enterprise technology faced last year. With workers suddenly beyond their firewalls, security teams raced to safeguard them with the anti-malware software and monitoring systems the office network once provided.

As remote work continues to solidify into the world’s new normal, these teams must now ensure that authentication is informed, secure and easy to use across the entire enterprise. Many must do this across complex hybrid cloud environments, or struggle with legacy systems and old applications.

[Read also: Why complexity isn’t the enemy of security]

It’s Chuvakin’s job to tackle the timely need for secure remote access. He brings to the role a formidable background. In addition to previously serving as head of Google Chronicle’s security strategy, he served as a research vice president and distinguished analyst at market research firm Gartner. There, he covered security information and event management, log management, security monitoring, security operation centers, security analytics, and user and entity behavior analytics, among other disciplines. Chuvakin, a physicist, has also built an impressive online following through his Twitter account and his online writing.

Chuvakin recently spoke with Endpoint to discuss the security issues facing enterprises as they embrace a future with a workforce that will continue to work remotely, and how security teams are turning to zero trust to secure workers and networks. 

How does a zero-trust security model align with CISO’s current priorities?

When companies shifted to work from home last year, many relied on their VPN servers to enable remote access. But it proved troublesome when they found themselves having to scale from 1,000 remote employees to 50,000. It was a tricky position because not only did they have to pay for more VPN access, but they also had to scale those systems differently. 

The aim of zero trust is to secure computer networks from malicious intrusion. It does that by treating every device that tries to log on as a potential threat. Zero trust is a more straightforward answer to the remote access problem than VPNs. 

That’s why now is a good time for it. It’s an age where effective, easy, secure, stable, zero-trust remote access is very much a need. That is the primary reason. But there are others.

What are they?

They include the number of applications and services that companies access via browsers, which is already relatively high and getting higher. In the past, if you needed direct network access, you’d use the VPN, and once you were in, you were in, and you could access many things. Today, we believe, in the world of browser apps and API [application programming interface] access, it’s a lot easier for security teams to provide secure access to these applications, and it’s a lot easier for employees to access these applications. 

[Read also: Experts share advice on getting started with zero trust]

This is one of those rare cases where you can have a balance of easy yet secure. And this is a crucial point. I know it sounds like vendor market propaganda: “Oh, it’s secure and easy.” But we can prove it. It’s more secure because you do get more granular access controls, and people do not get blanket permissions to do things. It’s easy because users don’t have to think about launching a VPN client or configure digital certificates or any stuff like that. That’s all taken care of.

How does zero trust help enterprises manage complex hybrid environments?

“Hybrid cloud” means there are certain apps on-premises, and certain apps in the private cloud, and certain apps in multiple clouds. I insert the concept of “multicloud” into hybrid cloud, even though it’s not always the expectation. 

This is part of a significant challenge. Today’s enterprise IT is layering stuff from years ago, with technologies layered on top. Almost no technology ever dies. Think about it: Mainframes didn’t die. Clients talk to us about the complexity of their overall environments. They have Unix servers, Windows servers, data centers and Amazon and Google clouds. They want to know what to do to manage them all better. 

Back in my Gartner days, I saw many clients who were super-scared to manage and secure the environments where they have stuff built in the 1970s, 1980s, 1990s, 2000s, 2010s, and now it’s 2020s — from mainframes to containers.

To me, the hybrid-cloud challenge is a subset of that broader challenge.

Zero trust, and more specifically our BeyondCorp Enterprise product, is useful in these environments because we cover apps inside Google Cloud. And within clouds generally and on-premises. BeyondCorp Enterprise lets you either transition to the cloud or use hybrid environments. This is what matters most.

As you developed this, you worked with clients to move to zero trust. What lessons did you learn from them?

Organizations often say to us: “Well, you guys have this amazing system that works well. It’s buttery smooth. It’s secure. It gives you all the telemetry you need.” What they forget is it took Google — with some of the best engineers on the planet — roughly ten years to get to this buttery smooth, super-secure, super-easy system. 

Customers also say that Google never had to contend with a lot of legacy technology. That’s right. Nobody at Google has a mainframe.

But if you’re an insurance company in the Midwest, you would have a fairly complex enterprise IT environment inclusive of some really old tech.

So the question is: Can zero-trust access work there? I say that it’s going to be hard, but the motivation to do so is even stronger, even more important. Because if they don’t do it, the pyramid of complexity will bury them.

What advice do you give them?

This stuff is really hard. That’s the recurring theme with a lot of the customers I encounter. But, ultimately, they have to transition to this model. If they don’t, it’s very likely that all the IT layers, with all the individual authentication access methods, would crash on them. 

You need to have these high-risk environments done the modern way, through zero trust. It’s not manageable to have one VPN over here and another VPN over there. Eventually, the complexity would kill you.