In a Hybrid World VPNs Can No Longer Keep Up
Imagine an isolated fortress on a vast plain. Protected by an order of well-armored knights, it is widely regarded as impenetrable. That is, until a clever attacker shows up and breaches the perimeter. Suddenly those fortified walls are obsolete, and the armor on the knights standing guard does little beyond weigh them down.
This is the current state of cybersecurity in many organizations. The advent of cloud architecture spelled an end to the “walled fortress” model of security. The rapid transition to a remote workforce has only further driven home the idea that the perimeter as we once knew it is long gone.
The world has evolved and businesses need to evolve with it.
A crucial first step in this evolution — in resecuring modern hybrid work environments — is to embrace the principles of Zero Trust Network Access (ZTNA). Businesses must rethink their approach to network monitoring and reimagine the fundamentals of user management, endpoint security, and access control. This demands that organizations transition away from a technology that until recently has been a fixture — the virtual private network (VPN).
Built for a Bygone Era
The first VPN was invented in 1996. While the technology has admittedly evolved considerably since then, from an access perspective, its core functionality has changed little. A VPN grants a user access to a corporate network by extending it — and by association, your security perimeter — to the user.
From a security perspective, the main issue with this approach is that it’s typically predicated on granting implicit trust to anyone inside a perimeter. Unfortunately, like the fortress on the plain, that perimeter is no longer secure. For evidence of precisely how this can go wrong, one need look no further than last year’s Colonial Pipeline breach, which investigators determined was directly tied to the company’s legacy VPN.
It's not just the security angle hastening the demise of VPNs. Advances in cloud virtualization have played a part as well. Infrastructure and network functions can increasingly be offloaded to the cloud, with critical workloads like packet forwarding and traffic management handled largely via cloud appliances.
Hybrid work is at the heart of this evolution, necessitating the adoption of both virtual infrastructure and cloud software. As the pandemic forced the closure of many corporate offices, creating a mass transition to a remote workforce, we at BlackBerry sought ways to help our customers cope with securing operations beyond the perimeter. We applied our expertise to developing a new product built on the foundation of ZTNA, then embarked on an aggressive “customer zero” program, deploying the technology internally to optimize and modernize our own hybrid environments.
Devising the Foundation for Zero Trust
Enhanced by artificial intelligence, CylanceGATEWAY™ is a cloud-native solution that delivers scalable, outbound-only access to critical on-premises applications and assets. Elastic, intuitive, and flexible, it empowers businesses with simplified policy automation and advanced endpoint protection. BlackBerry’s CylancePROTECT® endpoint protection platform (EPP) and CylanceOPTICS® endpoint detection and response (EDR) solution further augment CylanceGATEWAY, while CylancePERSONA™ adds continuous authentication.
Internally, we use CylanceGATEWAY to optimize our hybrid environment for distributed work, while also taking a more cloud-centric approach to our operations and security. This has enabled us to considerably reduce the workload of our IT operations and security operations teams. More importantly, we’ve balanced zero trust with “zero touch,” helping us ensure our security practices also empower our employees.
One of the most significant changes we saw from the CylanceGATEWAY deployment was in our network monitoring practices.
Historically, most businesses have relied on a very network-centric monitoring model, examining traffic to identify suspicious activity. With the inclusion of remote staff and the Internet of Things , the network has grown so large and complex that monitoring it in its entirety verges on impossible. There’s simply too much noise and too much “junk data” that has little bearing on actual security.
Leveraging CylancePROTECT and CylanceOPTICS, CylanceGATEWAY provided us with a starting point from which our SecOps team could pivot to ZTNA. By extending security to the endpoint in this fashion, we can more effectively investigate potential incidents. More importantly, CylanceGATEWAY gives us considerably more control over how and when people connect.
A New Approach for a New Landscape
Overall, our customer zero program has been a resounding success for both operations and end users. It’s also helped us optimize CylanceGATEWAY in numerous ways, while also revisiting and revising our own internal practices. Through CylanceGATEWAY, we’ve pivoted to adopt a new, more modern approach to network access.
Now that we’ve proven the value and efficacy of the solution, we’re ready to deploy CylanceGATEWAY externally to support the retirement of outdated VPNs and adoption of a modern ZTNA approach for our customers.
The perimeter walls have been breached, leaving that once-impenetrable fortress open and unprotected. VPNs are no longer able to maintain security for our extended and geographically disbursed workforce. It’s time for a more modern, agile, flexible, intrinsically secure approach.
That’s exactly what CylanceGATEWAY represents.
To learn more about our deployment of CylanceGATEWAY, read the full case study here.