Blog

Working at Home and Minimizing Your VPN Usage — Zero Trust Security

24 March 2020, 11:18

The coronavirus crisis is challenging everybody in different ways.
From a technical point of view, the sudden switch to remote working can be difficult for a lot of companies. A lot of employees and IT teams seem to be on the verge of a nervous breakdown due to connectivity, VPN and remote desktop issues.

For ML6, the technical impact has been extremely limited as long as our employees have a stable internet connection at home and the projects we are developing is done on Google Cloud or any other public cloud.
The main reason everything keeps working is the lack of a central VPN server since our internal applications and the managed Google services are protected by an Identity Aware Proxy.
Let’s dive in a bit of theory why this works and it is more secure than centrally managed VPN solutions.

Zero Trust Architecture

In traditional security architecture, every employee who wants to access applications or other services on a corporate network needs to be on the internal network. If you are not close to a local network, you have to join the network using a VPN.


The VPN and various firewalls are the perimeters you have to pass to get access. As soon as you are on the internal network, certain applications are protected by another layer of security but often network drives/databases/servers are accessible from a technical point of view.
If a hacker can get through the firewall or connect to your internal network you might have a security breach.

Zero Trust is a security concept centered on the belief that organizations should not automatically trust anything inside or outside its perimeters.
Every call to an application or service on the network should be verified before granting access. This boils down to 2 questions. Do we grant the user access? And do we trust the device?

This concept enforces more fine-grained control on application level and at the same time reduces the number of perimeters to manage.
Firewalls and networking routing is still essential but the more difficult to scale VPN layer can be removed for a number of applications.

This ensures that you can work safely without the need for any VPN or remote desktop client. In this scenario, it’s a no-brainer to enable MFA, multi-factor authentication for every user. MFA, preferably using hardware keys, is another modern layer of security to avoid unauthorised access.

Reference:https://www.microsoft.com/en-us/microsoft-365/blog/2019/09/18/why-banks-adopt-modern-cybersecurity-zero-trust-model/

Zero Trust Architecture on Google Cloud Platform

Google, with the BeyondCorp methodology, is a forerunner in zero trust architecture. Enabling zero trust security for web applications is straight forward using the managed Identify Aware Proxy service if your application runs on Google Cloud Platform.

First of all, you need to manage your users and devices using Cloud Identity, then follow the scenarios outlines in the Identity Aware Proxy documentation based on how your application has been deployed.

IAP for apps deployed on Google Kubernetes Engine

If you want to protect applications running on your on-premise network it’s required to setup a Cloud Interconnect or Cloud VPN to route traffic between the networks in a secure way. Compared to on-premise VPN solutions these services are easy to scale up and down and don’t require long-term license agreements.

IAP for apps deployed on-premise

If you are using AD, Active Directory, to manage your users it’s easy to provision these users in Cloud Identity using the Google Cloud Directory Sync service.

Check out the VPC Service Control service to reduce the risk of data exfiltration.

Conclusion

So let’s try to turn the coronavirus into a driver for innovation!
Check if zero trust security is a short-term or long-term solution to reduce the impact and costs of VPN on your organization.

We’ve added plenty of references to Google, open-source and other public cloud vendors zero trust solutions so happy reading and experimenting.

References about zero trust architecture
https://www.tijd.be/dossiers/coronavirus/thuiswerk-is-hindernisrace-voor-bedrijven/10214784.html
https://en.wikipedia.org/wiki/Zero_Trust
https://www.csoonline.com/article/3247848/what-is-zero-trust-a-model-for-more-effective-security.html
https://www.cloudflare.com/learning/security/glossary/what-is-zero-trust/

Zero trust on Google Cloud Platform
https://medium.com/google-cloud/what-is-beyondcorp-what-is-identity-aware-proxy-de525d9b3f90
https://cloud.google.com/beyondcorp/
https://www.blog.google/products/google-cloud/how-use-beyondcorp-ditch-your-vpn-improve-security-and-go-cloud/
https://www.blog.google/products/google-cloud/preparing-for-a-beyondcorp-world-at-your-company/
https://cloud.google.com/beyondcorp/#researchPapers

Zero trust @ public clouds & other open-source solutions
https://zero.pritunl.com/
https://www.microsoft.com/en-us/security/business/zero-trust
https://www.microsoft.com/en-us/microsoft-365/blog/2019/09/18/why-banks-adopt-modern-cybersecurity-zero-trust-model/
https://aws.amazon.com/blogs/publicsector/how-to-think-about-zero-trust-architectures-on-aws/
https://teams.cloudflare.com/access/index.html
https://www.hashicorp.com/resources/how-zero-trust-networking
https://www.akamai.com/us/en/solutions/security/zero-trust-security-model.jsp