Are Zero Trust Networks More Secure than VPN-Protected Networks?

Question
Some companies are getting away from VPNs in favor of zero trust systems. It can help save money on bandwidth and facilitate better network performance when every employee is working remotely. Are NoVPN services more secure for a given enterprise? Is it recommended to use non-VPN services?

Answer
We think it is debatable whether VPNs (Virtual Private Networks) make systems more secure.

Some sources, such as TechRadar, recommend getting rid of a VPN. A properly implemented NoVPN (or zero trust) design handles, by design, the case of one compromised system so that it does not lead to further, sequential compromises. Every exposed web service requires authentication individually, and for that reason some people believe getting rid of a VPN is preferable from a security perspective.

Conversely, others opine that there are security advantages to VPN services. The book Security for Web Developers (published in late 2015) says that VPNs offer security advantages (page 59). CI servers (such as Jenkins) are designed to execute arbitrary code [to test the code itself], so these servers represent a significant potential vulnerability. Some modern sources recommend a VPN to help secure a CI server (e.g., page 313 of Terraform Up and Running). Monitoring and reviewing VPN logs can help you detect a security breach, and VPNs can reduce an attack surface. From one pragmatic perspective, the prospect of checking the logs at one entry point (such as a VPN) is less daunting than checking the logs of multiple web service endpoints (such as those associated with a zero trust network). However, from another pragmatic perspective, an enterprise may overestimate how secure its inner network is. Inside the perimeter, you may still want zero-trust services. The U.S. Government provided a sobering message in 2017: "…The Task Force notes that the cyber threat to U.S. critical infrastructure is outpacing efforts to reduce pervasive vulnerabilities," (taken from NIST 800-53, Revision 5 https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf).
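As an added illustration of the log-review point above (this is constructed example code, not from the original post or any of the cited books), the script below parses authentication log lines from one VPN gateway and from several individually authenticated services, and shows that a failure pattern spread across endpoints only becomes visible once the per-service logs are aggregated. The log format, service names and addresses are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample log lines: one VPN concentrator ("vpn-gw") and three
# individually authenticated services in a zero trust layout.
SAMPLE_LOGS = [
    "2024-05-01T08:00:01 vpn-gw auth=FAIL user=alice src=203.0.113.7",
    "2024-05-01T08:00:05 vpn-gw auth=FAIL user=alice src=203.0.113.7",
    "2024-05-01T08:00:09 vpn-gw auth=OK user=alice src=203.0.113.7",
    "2024-05-01T08:01:00 wiki auth=FAIL user=bob src=198.51.100.9",
    "2024-05-01T08:01:04 jenkins auth=FAIL user=bob src=198.51.100.9",
    "2024-05-01T08:01:08 git auth=FAIL user=bob src=198.51.100.9",
    "2024-05-01T08:02:00 jenkins auth=OK user=carol src=192.0.2.5",
]

# Assumed (made-up) line format: "<timestamp> <service> auth=OK|FAIL user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<service>\S+) auth=(?P<result>OK|FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(lines):
    """Parse log lines into dicts, skipping lines that do not match the format."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]

def failed_auth_by_source(events, vpn_service="vpn-gw"):
    """Count auth failures per source address.

    Returns {src: {"vpn": n, "services": {service: n}}}. The "vpn" bucket is
    the single-chokepoint view; the "services" bucket is what a zero trust
    deployment forces you to assemble from many separate endpoints.
    """
    out = defaultdict(lambda: {"vpn": 0, "services": defaultdict(int)})
    for e in events:
        if e["result"] != "FAIL":
            continue
        if e["service"] == vpn_service:
            out[e["src"]]["vpn"] += 1
        else:
            out[e["src"]]["services"][e["service"]] += 1
    return out

def spread_failure_sources(counts, min_services=3):
    """Sources that failed against at least min_services distinct services.

    Each service on its own sees a single failure and would raise no alarm;
    only the aggregated view reveals the pattern.
    """
    return sorted(src for src, c in counts.items()
                  if len(c["services"]) >= min_services)
```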

Here are sources that suggest there is such a thing as "best practices" for enterprise VPN implementations:

But the utilization of a VPN would tend to refute the preference that many businesses have for zero trust or NoVPN solutions.

Here are sources that suggest there is such a thing as "best practices" for zero trust implementations:

The DevOps Handbook suggests zero trust may be better than a VPN implementation because it says there is a myth in the I.T. industry that "[s]afety can be improved by more barriers and protection; more layers of protection results higher safety..." (page 360).

If you use Zero Trust, you will not use a VPN. The existence of best practices with each network security model suggests that there is a lack of consensus in the networking industry on the "best practice."
As an aside, not all best practices are practicable together, because they are sometimes incompatible with one another. If you want to read about the controversy surrounding "best practices" versus "recommended practices" in I.T./software, see this posting.
