True Zero Trust Requires a VPN – Just Make Sure It’s a SmartVPN®
By Sam Koch, Mobolize | Solutions Engineer
Mobile VPNs, with their seemingly endless power to protect, secure, optimize, track, anonymize and mask, are one of the most controversial topics in security right now.
The gossip in the industry is that VPNs are no longer needed because of “secure cloud” and zero trust security. But don’t be fooled by current marketing messages that rename VPNs to hide the fact that they are a required tool to meet today’s mobile security needs. The reality is that zero trust for mobile devices requires a smarter VPN that meets the complexities and constraints of mobile, keeping people and organizations safe without compromising performance.
Traditionally, VPNs were used to extend a private network (think your company intranet) across a public network (the internet) and allow any users, no matter where they are, to interact with the private network as if their devices were directly connected to the private network. This has been especially useful for remote working.
However, most security experts rightly argue that VPNs that simply extend private networks have many flaws. Having been designed nearly 20 B.C. (before cloud), VPNs were never built with the insight that the world would develop the complex cloud-based infrastructure (public, private and hybrid) we have today. Many VPNs currently deployed attempt to protect environments they were not built for, which is inefficient and creates gaps in security. This is ideal for attackers: if they manage to authenticate to the VPN, they immediately have access to the entire private network. One result: mass data breaches and the open-ended costs associated with them.
On top of this fundamental issue, there are several additional issues that would normally come with traditional VPNs:
- slow performance (from the added relay latency)
- broken apps (that do not like VPNs)
- battery drain (from an always-on VPN)
- high server costs (all traffic is handled server-side or in the cloud)
Has all hope for VPNs vanished, and will the industry be subject to their limitations? Thankfully, that is not true, and there is a smarter way. If VPNs are designed to use the full capabilities of the devices they are deployed on, then mobile VPNs have a major role to play in mobile security, especially in zero trust.
The new security motto: have no fear, zero trust is here.
The zero trust security model requires strict identity verification for every user and device attempting to access resources on a private network. Those users could be sitting in their own home, a café or even places many of us are dreaming about returning to, such as airport lounges or simply our old office desks (where we left our favorite coffee mugs). Essentially, a mix of inside and outside of the private network.
Zero trust is becoming widely adopted for its added security, which is governed by the principle that no one is trusted by default, whether inside or outside the private network. There is no single specific technology associated with zero trust, so you may be asking how it can, or more importantly should, be implemented.
To deploy zero trust across all types of devices (desktop, mobile, etc.), there needs to be a method of sending network traffic from the device to the cloud to handle the verification and resource access logic – this is where VPNs still have a role to play.
Basic deployments use a ‘cloud-connector’, essentially an incredibly dumb VPN that keeps an always-on TLS tunnel, a persistent connection from the device to the cloud.
Zero trust is about securing an organization’s applications, files and other content. In both Managed (MDM) and Bring Your Own Device (BYOD) environments, users don’t just use their devices to access those types of resources; they also (if their work policy allows) watch YouTube, read news and send messages on WhatsApp, none of which needs to go through the cloud. Only a smart VPN can see what content is being requested and steer that traffic directly to the public internet, avoiding the zero trust path and improving performance. The same logic can be applied to apps that do not work when a VPN is running, solving the broken-apps issue too.
When a device is already inside a secured private network (for example, when connected to an office Wi-Fi with its extra layers of firewalls and SD-WAN), there is no need for the VPN to send the traffic away to a cloud and back. A smart VPN checks whether the mobile device is connected to an already secured Wi-Fi by using multicast DNS on secure-aware Wi-Fi networks, automatically turns itself off until the network connection is no longer secure, and then turns itself back on. The less time a VPN spends managing traffic, the less battery it consumes.
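The steering logic described in the two paragraphs above (content-based steering to the cloud or directly to the internet, the exemption for apps that break under a VPN, and switching the tunnel off on an already secured network), as an added illustration that is not Mobolize’s code: the policy values, app ids, hostnames, addresses, SSIDs and the `mdns_beacon_seen` signal are all constructed assumptions.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network

class Route(Enum):
    TUNNEL = "zero-trust tunnel"   # verified access via the zero trust cloud
    DIRECT = "direct to internet"  # public content that skips the cloud
    APP_BYPASS = "app bypass"      # app known to break when a VPN is running
    VPN_OFF = "vpn off"            # device is on an already secured network

@dataclass(frozen=True)
class Flow:
    app: str      # id of the requesting app
    host: str     # requested hostname (from DNS or TLS SNI)
    dest_ip: str  # resolved destination address

@dataclass(frozen=True)
class Policy:
    # Constructed placeholder values, not any real deployment's configuration.
    private_suffixes: tuple = ("corp.example",)
    private_ranges: tuple = ("10.0.0.0/8", "172.16.0.0/12")
    vpn_incompatible_apps: frozenset = frozenset({"com.example.brokenapp"})
    trusted_ssids: frozenset = frozenset({"HQ-Secure"})  # pinned by the operator

def is_private(policy: Policy, flow: Flow) -> bool:
    # Organization resources: matched by hostname suffix or by address range.
    host = flow.host.lower().rstrip(".")
    if any(host == s or host.endswith("." + s) for s in policy.private_suffixes):
        return True
    return any(ip_address(flow.dest_ip) in ip_network(r) for r in policy.private_ranges)

def on_secured_network(policy: Policy, ssid: str, mdns_beacon_seen: bool) -> bool:
    # Assumption: the mDNS "secure-aware" advertisement is an unauthenticated
    # multicast message, so it only counts on an SSID the operator has pinned.
    return mdns_beacon_seen and ssid in policy.trusted_ssids

def steer(policy: Policy, flow: Flow, ssid: str, mdns_beacon_seen: bool) -> Route:
    if on_secured_network(policy, ssid, mdns_beacon_seen):
        return Route.VPN_OFF
    # Organization resources are checked before the broken-app exemption so
    # that private traffic never leaks around the zero trust path.
    if is_private(policy, flow):
        return Route.TUNNEL
    if flow.app in policy.vpn_incompatible_apps:
        return Route.APP_BYPASS
    return Route.DIRECT
```

Each flow is decided once, so a broken app reaching a public service is exempted, but the same app reaching an organization resource is still tunneled.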
Importantly, by reducing the network traffic sent to the cloud and letting it flow safely and directly to the internet or an already secured network, server costs are greatly reduced, performance increases, and batteries last longer. A VPN developed to use the power of the current mobile device gives the highest level of security while drastically improving user experience.
Mobolize has a long history of using a SmartVPN® to power the rich features of its Data Management Engine that enables enhanced security and connectivity solutions on mobile devices. The SmartVPN® solves all the issues with traditional VPNs, offering zero trust support, no broken apps, minimal battery drain (less than 1% seen at scale) and improved performance by steering traffic safely to its destination using the fastest route and reducing cloud loads to save costs.
VPNs are not going anywhere and, in fact, are getting better as their capabilities evolve. We’ve amended the new security motto: have no fear, SmartVPN® is here. That’s smart. Mobolize smart.