Why zero-trust security tops VPN for remote work — using AI

When Oklahoma shifted into remote work at the start of the pandemic in 2020, the security issues involved with having employees working from home manifested almost immediately. Like many other organizations in that situation, the state government turned to a VPN — or virtual private network — in an attempt to provide secure remote access to work applications and data.

As a technology that first emerged in the early years of the internet, the VPN was built for a very different time. And it showed, as the state’s 30,000 employees tried to use the system from their homes. 

“Many of our state agencies initially experienced outages as networks were overwhelmed with external logins and service requests,” said Matt Singleton, CISO for the state of Oklahoma, in an email. “Our legacy VPN solutions simply could not meet the increased volume and scalability demands. This resulted in a surge in calls to service desks and hundreds of VPN tickets a day, as well as increased cyber risk.”

As a result, the state government went looking for a better remote access solution — and ultimately turned to cybersecurity vendor Zscaler, a provider of zero trust network access (ZTNA) technology. Zscaler’s cloud-based platform not only addressed the scalability issues, but also boosted security by ensuring that only authorized users could connect to applications, Singleton said.

The remote access approach is described as “zero trust” because it essentially assumes that users are unauthorized, by default — and it requires more proof of their legitimacy than traditional methods. To achieve this, ZTNA vendors such as Zscaler consider additional context factors beyond just authentication of identity, such as the security posture of a user’s device and the application or data they’re trying to access. Irregularities and unusual behavior can thus be identified immediately, and malicious actors can be denied access.

At the core of Zscaler’s products is its Zero Trust Exchange, which combines a cloud-based secure web gateway with cloud-delivered ZTNA.

Powered by AI/ML

“Having 30,000 remote workers would have meant 30,000 ‘branches’ in a traditional network, each of which pose a potential security risk,” Singleton said. “With the Zscaler Zero Trust Exchange, all users were enabled to securely and productively perform their jobs from any remote location.”

And to help make this all possible, Zscaler’s platform leverages advanced artificial intelligence (AI) and machine learning (ML) technology, according to Howie Xu, vice president of machine learning at AI at the company.

For ZTNA to work optimally for an organization, the system really requires policies that are personalized, granular, and dynamic. But at a certain scale, that’s an extremely difficult thing for a company to implement manually — and the fact that many workers are remote only adds further complexity, Xu said.

With zero trust, “you have to leverage AI machine learning at some point,” he said. “Once the scale reaches a certain level, it’s impossible to write rules anymore.”

To manually maintain personalized and dynamic policies for a large organization, you would likely need dozens of staffers devoted to just doing that, Xu said. Zscaler’s AI/ML, however, can serve as an “assistant” on this work that takes away much of the manual effort required, he said.

“You still need to do some work. AI/ML is not a robot that can do anything and everything. We are not there today,” Xu said. “But it alleviates [the manual work] tremendously.”

And compared to VPN, the use of AI/ML with ZTNA is a major part of why it’s superior from a security perspective, he noted. Attempting to use VPN to achieve “granular, personalized, dynamic, contextual policies” is “not even possible,” Xu said. “You have to use more intelligent policies for this purpose.”

Granular approach to AI-powered security

The state of Oklahoma is currently in the midst of rolling out AI-powered intelligent policies as part of the Zscaler Private Access (ZPA) product, Singleton said. “ZPA Intelligent Policy will help develop an incredibly granular approach to segmentation of applications — and ultimately users,” he said. “This is huge for improving the cybersecurity posture of organizations with large remote workforces, as enterprise assets must co-exist with consumer/commercial products and environments.”

If these advantages weren’t enough for an organization to consider switching from VPN to ZTNA for their hybrid workforce, one can also consider that VPN has had a hand in enabling some major breaches, such as the Colonial Pipeline ransomware attack in June 2020. The attack led to a shutdown of a 5,500-mile gas pipeline for five days, resulting in a fuel shortage that affected more than 10,000 gas stations across the Southeastern U.S.

Without a doubt, breaches such as the Colonial Pipeline ransomware attack have shown that VPNs can be a serious liability, said Jay Chaudhry, founder and CEO of Zscaler.

In the Colonial Pipeline breach, the attackers stole VPN credentials, “got on the network, moved laterally, found a high-value billing application – and then encrypted it and stole the data,” Chaudhry said. “It highlighted the notion that VPNs [can be] dangerous – dangerous because they put you on the network, and then you can move laterally.”

By contrast, the idea of zero trust is to “connect users to applications – just applications, not to the network,” he said.

ZTNA growth

By many indications, zero trust network access is starting to gain some major momentum as many organizations settle into a permanently hybrid approach for their workforce. At least 40% of remote access to corporate resources will be provided “predominantly” through ZTNA by 2024, according to research from Gartner. That’s compared to less than 5% in late 2020, Gartner reported in November, during its Security & Risk Management Summit — Americas virtual conference.

Because of all the scalability and security benefits of ZTNA — including minimization of lateral movement and personalization of access policies for workers — the zero trust approach brings significant advantages over VPN, according to Thomas Lintemuth, senior director and analyst at Gartner.

“ZTNA does push beyond ‘good enough,’ into having a really great product from a security standpoint,” Lintemuth said during a session at the recent Gartner security conference. “When we look at the battle between ZTNA and VPN, the winner of this battle is ZTNA.”

That’s not to say there aren’t challenges around moving to a zero trust architecture, he noted. For one thing, an organization must have a comprehensive understanding of the applications that its users need access to — and many organizations do not, Lintemuth said.

For this and other reasons, a gradual approach to phasing in ZTNA is often warranted, said Banyan Security cofounder and CEO Jayanth Gummaraju. The ability for ZTNA and VPN to coexist for some period of time can be necessary in order to help customers make the shift, Gummaraju said.

And so can AI/ML. At identity and access management vendor ForgeRock, for instance, the company’s AI-powered Autonomous Identity platform brings automation for role-based access control (RBAC), a key element of  establishing a zero trust architecture. 

Achieving ‘least privilege’

AI enables RBAC, which is also a feature of Zscaler’s zero trust platform, to fulfill its potential for determining and enforcing an appropriate level of access for each individual user. This allows an organization to get to the point of establishing “least privilege” access, where users only get access to what they really need, according to the company.

By automating role-based access control, “it helps companies use minimal resources to maintain their RBAC environment,” said David Burden, CIO of ForgeRock, in an email.

The added complexities of securing the remote workforce has only made automation of RBAC even more essential, Burden said. With a distributed workforce, “it has been difficult to box employees into certain roles or types of access,” he said. “For many employees these days, they’re wearing multiple hats at work and need permission to access all sorts of systems and data that normally would be contained to a single role.”

This new reality leads to “massive overhead” in maintaining the proper access for workers, Burden said. “It is extremely time-consuming to manually create, review and approve or remove user access in traditional systems.”

That’s where a more autonomous approach can make a big difference, he said. As an example, ForgeRock Autonomous Identity enables the automatic approval and certification of high-confidence, low-risk access requests, as well as automatic revocation of stale user access rights and user removal, according to Burden.

“This AI-driven analysis reduces operational access request burdens, and accelerates certification campaigns across the organization,” he said.

Tightening up security with AI

Leveraging AI is now essential in order to achieve accuracy with securing permissions, ForgeRock CEO Fran Rosch said. He cited an example of a recent customer that increased its entitlement rejections by 300% after deploying ForgeRock.

“Because it was previously all done by these rules, and people were rubber-stamping these entitlement requests, they were letting these things go that they should never have approved,” Rosch said. “That was increasing the risk to the company. Because there were people who had no business accessing HR data, and no business accessing sales data, that were getting that information. So by leveraging the AI, a 300% increase in request rejections really tightened up the security of the organization.”

Crucially, ForgeRock’s AI-driven zero trust system also provides explainability about why rejections take place, including with a visual representation, he said.

“Companies want to know why. They don’t just want to know that ‘the secret algorithm rejected this.’ Well, why? What was it about this user behavior?” Rosch said. “So having that explainability front and center is really important. Because a lot of times you have to explain that to the user. Why did we reject this? Well, because here’s what was going on with your behavior.”

The bottom line is that while AI-powered zero trust is not a silver bullet to address all of the challenges of securing a remote workforce, it can play an essential part — particularly when used in concert with other cybersecurity technologies, such as detection and response platforms and email security. 

The AI advantage

With Microsoft’s view into many of the applications and endpoints used by businesses, the company aims to offer customers the full package pertaining to security — across zero trust identity security and threat detection. And the tech giant is making heavy use of AI/ML to accomplish this, said Alex Weinert, partner director of identity security at Microsoft.

Thanks to the company’s “massive investments in data science and AI,” Microsoft is able to process tens of billions of logins per day via its Azure Active Directory (AD) identity authentication service, Weinert said. 

Azure AD enables zero trust security via conditional access, the mechanism used for considering contextual factors in deciding whether to grant a user access. Microsoft then correlates that data with telemetry from endpoints (those that are secured with Microsoft Defender) and from email accounts (in Microsoft Exchange), he said.

Bringing all of that together, and using AI/ML technologies such as predictive algorithms, customers are provided with an accurate picture of what is truly happening in their environment, Weinert said.

Ultimately, adopting a zero trust approach brings a shift of mindset toward getting “proactive about security,” he said. “Zero trust is about saying, ‘Let’s prepare the ground so that we have the best possible advantage against the attackers.'”