What is VPN used for in a company?
Virtual Private Networking, or VPN for short, is not simply a protocol for routing communications securely over untrusted networks, like open Wi-Fi hotspots. While that is what VPN is synonymous with, it also offers organizations a low-cost way to extend their network footprint, simply by connecting two or more physically segmented networks together over an inexpensive, yet secure connection. The end result? Users see only one giant network, making access to work-related resources painless.
The upfront investment needed to procure hardware, software and the cabling that ties them all together was replaced by a leased line from your ISP and a few less expensive pieces of equipment, like VPN concentrators and a RADIUS server for authentication, to bridge the disparate networks and provide end-users safe, secure access to any of it once authenticated.
This made VPN a “must-have” technology, especially for businesses that relied on a mobile workforce. See, when end-users access company resources from within the same physical network, it is much more manageable for IT and Security teams to keep users, endpoints and corporate data safe. That becomes considerably more difficult once remote access is required, because of all the variables that affect the safety of the devices, users and network connections being used to access corporate data. The capability of VPN to address these concerns truly made it worth its weight in digital gold as part of a comprehensive enterprise security strategy.
Now that touched upon what VPN does, let’s take a brief stroll through memory lane for a little history lesson as to how VPN came to be, shall we?
VPN - A star is born
Picture it: 1996, while some of us were rocking out to grunge music and wearing really baggy pants by JNCO, a Microsoft employee named Gurdeep Singh-Pall developed the Peer-to-Peer Tunneling Protocol (PPTP), the precursor to VPN as we know it, jointly with U.S. Robotics. His contribution was not only recognized as the Innovation of the Year by PC Magazine in 1996 but really came to embody securing communications. In his own words, Gurdeep explained how “It really allowed people to work effectively and securely from home.”
Smoke on the water
As discussed previously, VPN security addressed several pain points for enterprise customers, while providing end-users the safety and security necessary to work out of the office – whether from home, on the road or from thousands of miles away from their headquarters – with minimal sacrifice to security.
That’s right, sacrifice to security. Though minimal, it still represented a compromise that IT and Security teams would need to make when deploying VPN technology, as it was not all cotton candy and gummy bears as it might have seemed.
"Global adoption of VPN technology used to encrypt traffic over unsecured communication lines grew in 2020...with 43% of users admitting that 'I know what it is, but I do not use one.'", according to the Security 360: Annual Trends Report by Jamf.
What kinds of risks and misconceptions are prevalent with VPN use, you ask?
- Your Internet-based actions are not completely anonymous. Even though your IP address may be masked, technologies such as device fingerprinting and tracking cookies can still be used to track your activity. Furthermore, while the data transmitted through VPN’s encrypted tunnel is scrambled, the connection requests to/from websites are not.
- VPN works on Layer 3 (network) and/or Layer 4 (transport) of the Open Systems Interconnection (OSI) model, the universal standard describing the communication functions of network systems. This means that communications, software and networking that occur on Layer 2 (data link) are often not fully supported, requiring non-native alternatives (if available) to fill in the functionality gaps.
- Access granted to VPN users extends to the entire network – whether they require it or not to remain productive. Often, this broad access undermines established security best practices, like the principle of least privilege.
- Per-user access is permitted based on the user’s account and is not centrally managed. This presents a greater problem, especially when combined with the above bullet point. If a user’s account is compromised, a threat actor will have access to the entire network and all the privileges the compromised user’s account is granted until the account is disabled. Conversely, once an account is disabled, the end-user effectively has no access to corporate resources (i.e., they cannot work) until it is re-enabled.
- Little to no granularity in logs, or ability to audit records, means monitoring and logging of actions are severely limited. This amounts to a lack of accountability, since logging data is difficult to access without centralization. Furthermore, the logs may not provide adequate data, missing the historical context required when determining whether a breach has occurred: when did it occur, how was it performed, by whom, and so on.
- There is a false sense of security often associated with VPN connections. Users feel as though they are protected against bad actors or attacks. This couldn’t be further from the truth, since VPN only provides confidentiality for the data transmitted to/from the endpoint – it does nothing to check whether that data is malware, a known attack or some other malicious threat.
- The support burden for VPN-based connections and accounts is typically higher, due in part to the decentralized nature of the technology. This often results in IT and Security teams spending more time manually supporting VPN-related management tasks and issues reported by end-users. It places an additional load on helpdesks and takes resources, like time, away from support teams while increasing the costs of doing business.
The king is dead (VPN), long live the king (ZTNA)
Of the numerous changes that have occurred within computing over the last twenty-five or more years, several industry-defining changes within the last decade have radically changed how an organization:
- utilizes endpoints in remote and hybrid work environments,
- stores data in the cloud and leverages a variety of app types to access this data at any time, and
- grants employees the ability to work from anywhere and on any device, securely.
In short, the network’s edge has been eroded in favor of permitting users to be productive wherever they feel best, where they can – in turn – be at their most comfortable and productive.
In the scramble for organizations to quickly establish business continuity resulting from the global pandemic, many organizations that switched to a remote or hybrid work environment realized employees no longer needed to be tethered to the corporate office (if they didn’t want to be) in order for them to stay productive, or even become more so.
This of course came with the unintended consequence of having to address the security concerns brought to light when migrating from the legacy work environment to one that was remote or hybrid in focus. Issues like those mentioned in the previous section struck at the heart of VPN usage, exposing the misconceptions and, more importantly, the security threats that the legacy technology was simply incapable of addressing.
Enter Zero Trust Network Access (ZTNA), the modern endpoint security solution for addressing your modern computing and security-related issues. Designed with current and future needs in mind, ZTNA establishes a secure foundation for all current device and OS types – desktop and mobile devices – based on the zero-trust security model of “never trust, always verify”.
This means devices are never trusted implicitly by default, regardless of whether they are company-owned or connected to a “trusted” network, like the organization’s internal wireless network or the corporate LAN – even if the device in question has previously been granted access to the requested app or service. For all users, on any device, the identity and integrity of the device must be verified before access is provided. Access to apps & services is contingent upon confidence in the device’s identity and the device’s health standing, together with successful authentication by the user – irrespective of their location.
As per the Security 360 report on ZTNA technology, Jamf's solution is found to "mitigate risk and safeguard data, while being flexible enough to ensure that personal apps and data remain private."
Additionally, the perimeterless security solution, Jamf Private Access*, provides:
- Secure connectivity: Utilizing application-based microtunnels, access to apps and services is enforced using the least privilege, preventing lateral network movement, both securing the app/service and the network if access becomes compromised. Furthermore, with each app requiring a separate tunnel for connectivity, if one should be compromised, the others remain protected, allowing end-users to remain productive while maintaining security.
- Granular reporting: Constant monitoring and logging of critical elements occur per device, per user, per session, meaning that all the data necessary for IT and Security teams to identify, triage and remediate issues can be viewed from the web-based console.
- Centralized management: Speaking of the console, since ZTNA is cloud-based by design, access to all the requisite security and management tools is available anytime, anywhere for admin teams to work their magic. No complex software to configure, hardware infrastructure to maintain or support contracts to deal with – just the administrative controls needed to enable secure device access.
- Identity-centric model: Policy enforcement is consistent across all data centers, clouds and SaaS applications. Furthermore, only authorized users can connect to business apps/services regardless of the device type or the type of network you’re communicating over.
- Integration support: Thanks to its cloud-based design, integration with services, such as Identity Providers (IdP), eliminates the need to manage certificates by enabling Single Sign-On (SSO), leveraging secure user authentication across your entire organization and all endpoints, providing work from anywhere, anytime access to keep productivity up and security threats down.
- Device health checking: Preventing access to unapproved devices, disabled user accounts and/or devices that may be compromised or simply have unsupported configurations and apps installed aids your organization’s security posture. Not only that, but the “zero trust” security model requires each request to verify that they should be granted access based on the integrity of the device and authentication credentials – not implicitly, by default.
- Policy-based risk awareness: Working hand in hand with the above, risk-aware access policies not only prevent access to questionable users and devices but also provide remediation workflows to triage and mitigate issues. For example, a device that has been rooted or jailbroken may require an OS update in order to correct the issue. This helps enforce compliance with organizational policies as well as governmental regulations.
- Preserve end-user privacy: With support for various device ownership models, like BYOD/CYOD/COPE, balancing endpoint security and end-user privacy doesn’t have to be a sacrifice of one over the other any longer. Intelligent split tunneling technology ensures business connections are secured and protected, while non-business connections are routed directly to the Internet, preserving end-user privacy while keeping devices secured.
- Unified access: ZTNA works over all connection types (Wi-Fi, wired and cellular), on all modern operating systems, on all device types (laptops, desktops, workstations, tablets and smartphones) and spans all hosting locales (on-premises, private and public clouds, and SaaS applications and services). All this protection occurs across all management paradigms as well, for a fully protected and secure computing environment regardless of where, when and how users are connecting to company resources.
- Lightweight & efficient: Microtunnels are established automatically when necessary to connect securely to apps and services. Similarly, if a disruption occurs, ZTNA reconnects seamlessly so the user continues to have uncompromised, secure access to business apps/services. All this occurs silently in the background so as not to interfere with the end user's experience, and with minimal impact on battery life – thanks to ZTNA’s small footprint and fast, efficient design.
*As of February 2023, Jamf Private Access capabilities are included with Jamf Connect.
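To make the difference between the two models concrete, here is an added example (not code from the original post or from Jamf) of the access decision each one makes: the legacy VPN model from the risk list above, where a valid login unlocks the whole network, beside a ZTNA-style per-request check that weighs device identity, device health, user authentication and the app's own policy, and writes a per-user, per-device audit record for every decision. All users, apps, device records and the policy table are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Device:
    device_id: str
    managed: bool        # enrolled, so the service can vouch for its identity
    jailbroken: bool     # rooted/jailbroken: integrity can no longer be trusted
    os_version: tuple    # constructed (major, minor) pair, e.g. (16, 4)

@dataclass
class Session:
    user: str
    account_enabled: bool
    sso_verified: bool   # IdP assertion validated for this session
    device: Device

# Constructed per-app policy: who may reach which app, and the minimum OS level.
APP_POLICY = {
    "payroll": {"users": {"alice"}, "min_os": (16, 0)},
    "wiki": {"users": {"alice", "bob"}, "min_os": (15, 0)},
}

def vpn_access(session, app):
    """Legacy model: a valid login unlocks the whole network; app and device health are never checked."""
    return session.account_enabled and session.sso_verified

def ztna_access(session, app, audit):
    """Per-request decision on device identity, device health, user authentication
    and the app's own policy; every decision is written to the audit list."""
    policy = APP_POLICY.get(app, {"users": set(), "min_os": (0, 0)})
    d = session.device
    checks = [  # the first failing check decides, and its reason drives remediation
        (app in APP_POLICY, "unknown app"),
        (session.account_enabled, "account disabled"),
        (session.sso_verified, "user not authenticated by IdP"),
        (d.managed, "device identity unknown"),
        (not d.jailbroken, "device compromised: restore OS before access"),
        (d.os_version >= policy["min_os"], "OS update required"),
        (session.user in policy["users"], "user not authorized for this app"),
    ]
    granted, reason = next(((ok, why) for ok, why in checks if not ok), (True, "ok"))
    audit.append({"user": session.user, "device": d.device_id, "app": app,
                  "granted": granted, "reason": reason})
    return granted, reason

def demo():
    """Constructed scenario: bob's phished credentials replayed from his managed laptop."""
    audit = []
    bob = Session("bob", True, True, Device("mac-01", True, False, (16, 4)))
    return vpn_access(bob, "payroll"), ztna_access(bob, "payroll", audit), audit
```

With the same compromised account, the VPN check grants access to payroll (an app bob has no business with) while the ZTNA check denies it and records why; a jailbroken device or an outdated OS is refused with a reason that maps to a remediation step.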
What are you waiting for to upgrade your endpoint security to a newer, dynamic method of protection? A free sample?!
Well, here you go then. Simply contact Jamf or your preferred representative to replace your legacy VPN solution and start reaping the benefits of ZTNA in your organization.