The limits of VPNs elevate the importance of zero trust

The pandemic and subsequent shift to support remote workers has put renewed focus on the limitations of relying on virtual private networks — and why zero-trust access controls offer greater long-term security.

“There are a lot of challenges around scaling VPNs. Agencies that have adopted zero trust earlier were able to get [their remote workforce] up and running quite simply,” says Jose Padin, federal director of sales engineering for public sector at Zscaler.

Padin discusses use cases that show zero trust’s value over traditional VPNs and how agencies benefit, by being able to reduce operating costs and scale access quickly to meet workforce demands. He also touches on ways agencies can establish quick wins with zero trust in a new podcast produced by FedScoop and underwritten by Zscaler:

Benefits of implementing zero trust

Padin says that when agencies look at their IT budgets, the costs that factor into managing and maintaining network security in a physical location are considerable. Compared to the savings of moving security into the cloud, the net savings can help justify the move in and of itself.

Often, the mindset among government leaders is that IT projects are large, multi-year programs. “But agencies can get these wins quickly, and roll out simpler, easier and more secure access for the users,” he says.

“So, you can start recouping the cost that you’ve invested right away, from there you could use [those budget dollars] to expand into additional use cases.”

The shortcomings of VPNs

VPNs were great and served a purpose when organizations primarily housed data and applications on-premises, and employees needed to get inside the network in order to get access. But cloud infrastructure has evolved how networks, applications and data are built and managed. The concept of creating a tunnel that puts a device inside a network really doesn’t apply today, Padin says.

“People are no longer in the four walls of the government agency … and we need to make sure that we can still give that secure access, have control policies, get visibility into that user, protect that user, and do so without forcing them to connect through a tunnel that brings that device — and everything where that user happens to be — into the network with them,” he explains.

Delivering quick wins for zero trust implementation

Padin cites five use cases that the National Institute of Standards and Technology cites in its latest Zero Trust Architecture draft that every government agency can start with to get wins in the short term, including:

• Agencies with satellite facilities
• Agencies that have multiple clouds
• Agencies that have contractors or non-government employees
• Agencies where there’s collaboration across boundaries
• Agencies that have public facing websites

Jose Padin has more than two decades of enterprise engineering and IT leadership experience and has worked with a wide range of federal agencies.  

Listen to the podcast for the full conversation on embracing zero trust in the age of telework. You can hear more coverage of “IT Security in Government” on our FedScoop radio channels on Apple Podcasts, Spotify, Google Play, Stitcher and TuneIn.

This podcast was produced by FedScoop and underwritten by Zscaler.