The VPN Dilemma: Moving Forward in the Ivanti Aftermath


Have you ever watched a horror film and come to the realisation that a character is in for a bleak ending the moment the antagonist breaks through the defences of their house? Now replace the character with your organisation, the antagonist with threat actors and home security with your VPN, and we are in much the same scenario.

In recent weeks, we have seen advisories from various governing bodies advising organisations to disconnect from all instances of the Ivanti solutions and to continue monitoring for signs of compromise. And why is this such a bad thing, you may be wondering. Well, for one, bad actors can now exploit the vulnerabilities to move laterally, perform data exfiltration, and establish persistent system access – resulting in full compromise of target information systems. Unsurprisingly, in a Zscaler-commissioned VPN risk report, we uncovered that 88% of companies globally are concerned that VPNs are jeopardising their ability to maintain a secure environment.

While shutting down the service may sound like a simple task, this one step has a huge domino effect that can impact the organisation’s productivity, connectivity and security all at once. IT teams now have the mind-boggling task of quickly figuring out how to (1) secure the traffic to and from devices in the absence of the VPN, (2) ensure that remote staff still have access to vital files and (3) minimise any downtime that would lead to the inevitable loss of productivity.

This may be starting to sound like you are stuck between a rock and a hard place, but that isn’t necessarily the case. Enter: Zero Trust. The answer to this ongoing predicament isn’t unheard of and has been around for years now. However, there are many narratives floating around that have significantly changed the understanding many people have of Zero Trust.

One True Zero Trust: What does it truly entail? 

VPNs are inherently not Zero Trust in nature. Zero Trust is a completely different architecture than those built upon firewalls and VPNs. It delivers Security-as-a-Service from the cloud and at the edge, instead of requiring you to backhaul traffic to complex stacks of appliances (whether hardware or virtual). It provides secure any-to-any connectivity in a one-to-one fashion; for example, connecting any user directly to any application. It does not put any entities on the network as a whole, and adheres to the principle of least-privileged access. 

In other words, with Zero Trust, security and connectivity are successfully decoupled from the network, allowing you to circumvent the aforementioned challenges of perimeter-based approaches. However, with VPNs, lateral movements across the organisation’s network are commonplace, which can often lead to ransomware attacks. Zero Trust architecture:

  1. Minimises the attack surface by eliminating firewalls, VPNs, and public-facing IP addresses, allowing no inbound connections, and hiding apps behind a Zero Trust cloud. 
  2. Stops compromise by leveraging the power of the cloud to inspect all traffic, including encrypted traffic at scale, in order to enforce policies and stop threats in real-time. 
  3. Prevents lateral threat movement by connecting entities to individual IT resources instead of extending access to the network as a whole. 
  4. Blocks data loss by enforcing policies across all potential leakage paths (including encrypted traffic), protecting data in motion, data at rest, and data in use.

Additionally, Zero Trust architecture overcomes countless other problems associated with firewalls, VPNs, and perimeter-based architectures by enhancing user experiences, decreasing operational complexity, saving your organisation money, and more. 

How can Zscaler help with your VPN dilemma?

Zscaler’s cloud native zero trust network access (ZTNA) solution gives all users fast, secure access to private apps from any location. It reduces your attack surface and the risk of lateral threat movement: no more internet-exposed remote access IP addresses, and secure inside-out brokered connections. It is easy to deploy and lets you enforce consistent security policies across campus and remote users.

Zscaler Private Access™ (ZPA) allows organisations to secure private app access from anywhere. Connect users to apps, never the network, with AI-powered user-to-app segmentation. Prevent lateral threat movement with inside-out connections.

What’s more? Zscaler is also offering a 60-day free trial of our ZPA license for customers adopting Zero Trust architecture. This cloud native solution replaces VPNs, providing secure access with full deployment assistance in as little as 24 hours.

If you are looking for a more technical breakdown of the Ivanti vulnerabilities, do check out the blog penned by our Chief Security Officer, Deepen Desai.