Matthias Reinwarth and Alexei Balaganski look at the potential alternatives to VPNs and security gateways.
Welcome to the KuppingerCole Analyst Chat. I'm your host. My name is Matthias Reinwarth. I'm an analyst and advisor at KuppingerCole Analysts. As per tradition of this podcast, I have a guest joining me, a fellow analyst or another interesting partner, and we will have a 15 minutes or so chat around current topics. My guest today is Alexei Balaganski, he's a lead analyst at KuppingerCole Analysts. Hi Alexei. Hello. Thanks for having me again. Great to have you again, and especially because our topic today sounds very, very buzzwordy. We are talking about zero trust from the cloud.

So this sounds interesting. Two buzzwords, zero trust and the cloud, but where should we start? I think the starting point that we could begin with is the way that currently people working from home, but also administrators, whoever, are accessing corporate networks, typically via a very old-fashioned infrastructure called VPN, virtual private network. And that is usually only considered to be an access method.

The mere access to a network. Is that true?
Well, that's exactly the point. It's even in the name. So virtual private network, in very simple terms, means that you connect a remote networking device, like your laptop, for example, to a corporate network through a gateway. And then you pretend to be on premises, kind of; you pretend to be directly in the corporate network, and from a single connection you have full access to your whole local area network in your office. That was the whole point, the whole original idea of VPN.

Back in those times, a typical corporate network was still seen as a castle with a wall and a moat, and the only secure way into that castle was through a gate, basically the VPN gateway. And as you rightfully mentioned, for many people VPN is still the main means for ensuring network access, whereas security, authentication and authorization, auditing, and all other important aspects of modern cyber security are considered secondary to that initial goal of the VPN. Right?

So these users that use a VPN, as you said, they can act, after they have made the connection, as if they were in the corporate network. So there is no additional level of control, no matter from where they are connecting, no matter what they're actually doing, or if it's even really the rightful user accessing the system. So it's really just another virtual cable into the corporate network, with all the dangers that come with it.
Well, to be fair, there are some, more and more, modern VPN solutions which try to alleviate this inherent problem by adding some additional security controls on top of that. Some companies would even go a step further and say, okay, we will ensure that when you are working from home, for example, or from a remote location, you will have to work completely through our VPN gateways. We will basically backhaul all your traffic into our network and run our whole stack of security appliances, firewalls, antiviruses and so on over your traffic,

and then send it back out to the internet. This works to a certain extent, especially for large enterprises who can afford having a really huge, so to say, connection to the internet. But even for them, this traffic backhauling is, first of all, really expensive. And second of all, it creates this bottleneck, a single point of failure, because if that gateway is somehow no longer working, the whole operation stops, because nobody can work, neither from the office nor from anywhere else.

And this is something that we know from larger organizations, especially in this pandemic situation that we have now. Then, early in March this year, they all really were relying on VPNs, and we all were relying on it, and nobody could use it. It really was this bottleneck; it just broke down, with nobody being able to work. So there are some conceptual mistakes within the concept of VPN when it comes to maintaining a large number of users. So that needs to be changed, I assume.

So this VPN access is really no longer adequate for the 2020s. I assume there must be something better, right?
Oh, VPN again. VPN has a really big problem: it's been used for things it was never designed to be used for. Right now, nowadays, you can hear suggestions to run, like, your Netflix subscription through a VPN or whatever. Obviously these are just ridiculously misguided attempts to reuse a very old, legacy technology for things it was never supposed to be working for.

So yes, of course there are more modern alternatives, and they've been available for years now. Unfortunately, with all those advantages of the new approach, it still takes some time for a company to make the switch, and many companies, the larger ones, just have too much inertia to make this jump. But I believe that this whole pandemic, this whole working-from-home crisis we are still currently experiencing, is really the best opportunity to change your mind and to abandon old-school VPN in favor of a more modern alternative. And this alternative, of course, is coming from the cloud.

Hence our topic for today, zero trust from the cloud. You probably heard about companies like
Basically your connection is working much faster than when it is being backhauled to your office, because you are connecting to all the major internet resources through the closest path. At the same time, those security cloud gateways can apply a multitude of inline security tools to your traffic. Some are really kind of security-focused, like, for example, the watchlists for malicious domains, command and control servers for botnets, malware obviously, and stuff like that. So they will protect you from phishing campaigns, Trojans, and other types of malware.

On the other hand, as a company, you can benefit a lot from the compliance perspective. Basically you can ensure that that security cloud gateway will terminate your workers' SSL connections, decrypt them, and look for sensitive data leaks, right? Block this or that. It's all configurable, extensible. The only limit is your credit card,

so to say, and it does not require deploying any hardware on prem. You just connect it to the cloud and it works from there. Does this have any implications on where your actual services are run? Do they need to be in the cloud, or is this also really dispatching towards the original on-premises network, if there are highly secure resources that need to be run there?
Well, this is where we are slowly coming towards the buzzword in our title: zero trust. So just to remind you, zero trust is this radical alternative approach to designing your corporate networks. So when we're talking about zero trust, we are talking about your, quote unquote, previously internal network. Like, before, you had this castle with the wall and moat, the LAN, local area network, and you had the rest of the world, and you could apply, you really could have, a blind trust policy for your LAN.

And the rest would be handled by a firewall and the VPN server. Nowadays, zero trust suggests that you have to consider every device, every user, every resource, regardless of where they are located, as untrusted by default. So trust, but verify. So there is no longer a LAN as opposed to the internet; any access to any resource, whether it's inside or outside of your on-prem network, or your own data center, or your own virtual private cloud in the cloud, should work through the same access controls, through the same security policies, through the same auditing layer, if you will.

And this is exactly where this whole idea of the security cloud comes into play. Because of course you can build the zero trust network yourself using existing on-prem hardware or specialized so-called software-defined perimeter solutions, which you would have to deploy inside your data center or inside your office network and so on.

But why not just outsource all this complexity to the same security cloud? You would only need to have one connector inside your internal network, for example, and that connector would be able to establish a secure, encrypted, fully audited and authorized tunnel connecting your user, working from home from their own laptop, directly to a specific internal application running within your data center, and only to that application.

So the tunnel would only work for a specific IP address, protocol or port on a specific server, and it will work transparently regardless of whether that application is running inside or outside of your previously local network, if you will. This is the whole idea of the zero trust approach. Okay, I got it. So does it make sense then to go the whole way and to consider the internal network within an organization also just as insecure, and just apply the same mechanisms when you're working formerly on premises? That's the whole idea of zero trust as a final goal on the long journey.
It is probably worth noting that zero trust is not a product we could just buy, or a service. It's a mindset change. It's a paradigm shift.

So yes, in the end, we will end up treating any device, any location, any user, any service the same way, regardless of whether it's inside or outside or somewhere else. But you don't have to go all the way in a single huge step. You can start small. And obviously the first, smallest step, the first quick win, is to get rid of your VPN. For yes, you can still keep your LAN, you can still keep your office network for compatibility reasons, but instead of having a VPN gateway, consider setting up a gateway to a security cloud. This way, you will kill two birds with one stone.

You will provide your end-users with a range of security capabilities, quote unquote, for free. And of course you will enable them to access the necessary resources within your corporate network in a secure, audited and compliant manner. Right?
Even I can think of another bird to kill with the same stone, because I've been talking to larger companies, international or multinational companies, recently which had the situation that they need to make sure that, depending on in which country you are actually located as one part of the organization, you need to fulfill different data residency regulations. For example, think of China or Russia or Iran, or the EU when it comes to GDPR. They need to make sure that they access the right services when they are approaching from the right country.

That could be something that is built into the policies that apply when you're connecting to the security cloud, right? When you are connecting to the internet through a security cloud, you are no longer limited to this hub-and-spoke architecture you might have had previously because of the VPN gateway. Basically, your user located in the US would automatically connect to the internet through a US-based server, your users from, let's say, Germany through a Germany-based cloud data center, and Asian users through whatever Japanese data center.

And again, this is something which happens automatically. They do not have to make a choice. They just connect to the geographically nearest one, and they are automatically compliant. That sounds promising. And it's so much better than the VPNs that we are all still used to. When I say VPN, I mean the old traditional one, potentially even with some hardware token to make sure that you can prove who you are. So that really looks like a much more modern, much more adequate and much more scalable approach for dealing with this topic.

So it's no longer just work from home and enabling this, because this is just one little slice of the overall challenge. It's work from anywhere, and anywhere could be somewhere between the beach, the coffee shop, but also your on-premises network, but always a uniform access to the services you require. That sounds really interesting.
And yes, it's really nice that you mentioned the word scalability, because obviously a company, even the largest international company like Facebook, or maybe Facebook is a bad example because they probably have a huge own network around the world. But most of our slightly older-school businesses, they cannot compete in scale on their networking infrastructure with a company running in the cloud like

And this is exactly what we had just a couple of months ago, and which we're kind of still slowly recovering from. Those cloud infrastructures still worked. Yes, they had a few kinks maybe for the first days of the pandemic crisis, but now they have proven that they can work, that they have been battle-tested. They have upgraded their infrastructure, worked out the problems.

So yeah, they are working now, and they are even offering substantial discounts to test it now, start small and then grow with your own needs. So chances are that many organizations, once this crisis has been solved, at least partially, will really move towards this more modern approach. I assume that you as an expert and we as KuppingerCole have information available on that topic.

Oh, absolutely. First of all, we have already reviewed quite a few notable vendors working on this market, and you will find those reviews on our website, on KC PLUS. And I am currently working on a more general approach to the whole market, what we call a Market Compass on cloud-delivered security solutions. So we will be talking about the security aspects of VPN replacement.

So here, definitely just reach out to KuppingerCole, and we are always here to help, to answer your questions. Great. Thank you. That sounds really interesting. And this is certainly something that I will also look into afterwards, because this really looks like a system that you don't have to protect yourself, but that is protected for you, and that you just can configure. That is really a more adequate approach, especially in this swiftly and rapidly and continuously changing environment, with more and more devices connecting.

So I think we should talk about this Market Compass later, once it is finished, and look at more of these individual solutions and maybe compare them in a further version of this podcast. But for the time being, thank you very much, Alexei, for being here. Thank you for your work on this topic. That is really interesting and enriches our research. Thank you for your time, and thank you to the audience for listening. Thank you. Thank you. Bye-bye.