Choosing Zero Trust Network Access Over Virtual Private Networks is a C-Suite Decision

You’re leading the company. Why do you need to care about your business’ network security approach? 

The answer comes from something all too familiar: the accelerated rate of change – and the quest by modern leaders to build a resilient company. PwC describes today as the “age of continuous reinvention” in its 27th Annual Global CEO Survey report. One of the most startling findings is that 45% of CEOs do not believe their company will be viable in 10 years if it stays on the current path.

Part of the challenge is knowing what could take your company down. Cybersecurity vulnerabilities at the network level are on the list. 

PwC’s report shows that CEOs who believe their organization is viable for more than 10 years perceive inflation (21%) and cyber risks (21%) as top threats with macroeconomic volatility (20%) just a half-step behind.

As FreeWave’s chief technology officer, part of my role is to find weak spots in a network connected to the industrial Internet of Things (IIoT). I talk to many senior leaders from companies in the oil and gas, agriculture, mining, water treatment, and other remote industries. What’s the number one pushback I run into? They tell me they use virtual private networks (VPNs). 

I call this “pushback” because we don’t let VPNs into our data platform.

At their most basic level, VPNs create a secure connection between a user’s device and the VPN server. Data is encrypted through that connection, and a user’s IP address is hidden. As a result, VPNs can allow remote users to securely access internal networks, including machinery, control systems, and databases. 

For those who may not be familiar with a VPN), here’s a simple analogy. Think of a VPN as a tunnel buried far below intersecting highways. One end of the tunnel is an IIoT device and the other end is the server. Your car is a data packet. Instead of traveling across potentially dangerous highways where threats abound, you take the tunnel built just for you and other authorized drivers you trust. 

The challenge today is that the tunnel is no longer safe.

  

Why Are VPNs Insecure?

Technology ages faster than a male tsetse fly. Our tiny-winged friends hit their teenage years by week two or so. In contrast, technology ages by the nanosecond.

I think many people use VPNs for the same reason hackers infiltrate them so easily. VPNs are old technology. They have long been the go-to solution for providing remote access to industrial control systems (ICS) and other critical infrastructure. 

They were born during the rise of the Internet late last century. One solution begets other problems. Between 1990 and 1995, the worldwide web went from 3 million to 16 million users (today, there are 5.45 billion users, around 67% of the population). 

As a result, a group led by Microsoft sought a solution to growing security concerns. That’s how VPNs were born.

There are ways to make VPNs secure, but the enormous expense doesn’t make financial sense for most companies. Here are three reasons why VPNs cause concerns when protecting an IIoT network:

  • VPNs have outdated authentication models. A username and a password are all you need. I can get into a VPN easily.
  • VPNs are a single point of failure. If something goes wrong with the server, you can’t get in. If I’m a hacker, the best way to take down every remote access in the world is to take down the VPN server. 
  • VPNs are hard to monitor. The actual traffic on the network makes it hard to identify nefarious activity flying across it.

Let’s say you have this machine on the edge (edge is simply the source of where your data is – this might be where oil is drilled in upstream oil and gas, for example). The data is processed on that machine (edge computing) and connected to the corporate network via a VPN. A disgruntled employee leaving the company can sit in their car and use their username and password to access the device through a cellular system. What is the potential damage? 

In 2020, several prominent VPNs experienced critical vulnerabilities that allowed attackers to bypass encryption and access systems. The Colonial Pipeline attack, for example, was traced back to a legacy VPN, according to then-CEO Joseph Blount. The East Coast company paid hackers $4.4 million to restore service quickly.  

VPNs create easy targets. Once you’re in, you have free rein to do what you want.

 

Solving the Challenge to Scale Network Security

A report by McKinsey and Company predicts 50 billion devices will be connected to the IIoT by 2025. According to the report, the pace of change has increased tenfold. This means the risks and insecurities behind VPNs for organizations, especially remote industrial leaders, are rising. 

I talked to a large agricultural company recently that uses a VPN. Here’s how the conversation went:

Them: How can we add 20,000 sites to our system? 

Me: We’d have to add 20,000 VPNs

Them: Wait, what?

Me: It’s really difficult. VPNs are hard to scale. One VPN is one thing, but many VPNs are a nightmare.

Zero Trust Network Access (ZTNA) is a better way to secure a network. ZTNA creates a network fabric using the principle of least privilege access (PoLP). The premise: trust no one. Each user accesses only the data they need. 

See how the lens flips from inside out to outside in? In a ZTNA, each user has a policy. This means they are authenticated for access to specific areas. 

The disgruntled employee mentioned earlier cannot go anywhere in the fabric without authorization. Even better, that user’s access can be easily removed or revoked. Afterward, they will never be able to access the network. 

Compare propagating VPNs to scale a network versus using Zero Trust.

Imagine a house. With a VPN, you can go to any room in the house once you get past the bolts on the front door. But what if every room has a locked door – on both sides of each door? This goes for machine-to-machine (M2M) communication too. With ZTNA, devices must be authorized (or authenticated according to policy) to “talk” to another device or the server.

The policy set for each user, device, or process dictates entry into each locked door. With a single policy, a user (let’s call her Diane) can access 20,000 locations across this network fabric. You can even get more granular. If you only want Diane to enter the living room and use the bookcase but not sit in the yellow chair, you can create network segmentations that define access to that level of detail.  

 

Modern CEOs, ROI, and Business Resiliency

ZTNA is how the modern company sets the stage for scaling the network, protecting the network, and building an impenetrable fortress rather than an air castle vulnerable to attack. This is why we won’t allow VPNs on our data platform. This outdated technology is not the trusted choice of the network.

Network vulnerabilities carry a financial risk. C-level executives readily admit that the ROI on Zero Trust is hard to quantify unless something goes wrong. However, it’s costly when it does. ZTNA is an insurance policy for business resiliency. 

You don’t want to join the 45% of PwC’s CEOs who believe their organization won’t be around in 10 years. Also, companies pay a lot of money for cybersecurity insurance. If they can prove, down to the granular edge, that their network is more secure, insurance costs go down. 

While many businesses have long used VPNs to create secure connections and gain remote access to industrial control systems and other critical infrastructure, the technology dates from the last century.

In contrast, ZTNA creates a network fabric using the principle of least privilege access: trust no one and protect everyone. Through a predetermined policy, ZTNA grants each user access to only the data they need. Security with a high level of granularity reduces risk across the entire network, thereby protecting people, sensitive data, and the business.

 

Richard Reisbick is Chief Technology Officer for FreeWave, a provider of IIoT solutions that create an intuitive path from operational data to decision-making for true business transformation at scale. As an inventor, he has prioritized the user experience and engineering architecture of hardware and firmware for more than 20 products utilizing MCU, DSP, and FPGA technologies.

 

Comments (0)

This post does not have any comments. Be the first to leave a comment below.


Post A Comment

You must be logged in before you can post a comment. Login now.

Featured Product

How to overcome GNSS limitations with RTK correction services

How to overcome GNSS limitations with RTK correction services

Although GNSS offers ubiquitous coverage worldwide, its accuracy can be hindered in some situations - signals can be attenuated by heavy vegetation, for example, or obstructed by tall buildings in dense urban canyons. This results in signals being received indirectly or via the multipath effect, leading to inaccuracy, or even blocked entirely. Unimpeded GNSS positioning in all real world scenarios is therefore unrealistic - creating a need for supporting technologies, such as real time kinematic (RTK) positioning and dead reckoning, to enable centimeter-accuracy for newer mass-market IoT devices.