In zero trust "exposed to the internet" is a bit of a misnomer compared to how traditional security would use the term. A better description might be "you're allowed to form a session to it from over the internet but only after your identity and set of rights have been verified". From this view: "zero trust" < "vpn" < "wide open" (in terms of exposure).
So it's essentially a more seamless and granular analog of a VPN? A device sits in front of the network and requires some sort of authenticated handshake (ideally all SSO) before passing packets through to a target endpoint?
Yes, that's zero trust in a nutshell: A VPN that does a tunnel per TCP connection instead of one tunnel for all TCP connections.
The other salient point is that all connections are established outbound through a broker, and importantly this is the case from both sides: The appliance at the terminating end of the tunnel establishes reverse tunnels to the broker for the connections, so it's never "exposed to the internet".
The broker can then push to your SIEM or whatever so you can have your SOC log jockeys harass your employees for accidentally leaving NordVPN on after watching international sports.
There are actual benefits: You can do things like allow logins to system A from anywhere, but system B only from your home country, you can do JIT network access requests, etc... but mostly it's vendor marketing to get you to spend too much money.
Something I'll add to the other responses is "the network" isn't an assumption of zero trust. Whether it's a single server on the private corporate network or a multi-cloud multi-region service hosted on the internet zero trust treats them the same.
My way of mapping it to VPN mindset is "per app clientless VPNs straight to where the things are hosted". In an extremely open ruleset with all of the servers on a corporate network this could theoretically devolve into "a traditional clientless VPN to the office".
They can be implemented using a variety of technical patterns but they all share a common "each request is authenticated, encrypted" property instead of "anything goes once the tunnel is up" property.
HTTPS calls with any kind of authentication (cookies, tokens, even basic auth) are one way to be "authenticated, encrypted" for "each request". If they go to a reverse proxy at the entrance of a company network (a common setup for every internet facing http server) they are a way to do without a VPN.
And yet every customer of mine have some of their servers on a VPN. At the very least they enable ssh only on ports on the private network.
Think machine certs (stored in a TPM). Plus perimeter-enforced username/password/2FA. Plus additional policy checks, like making sure your machine is up to date on security patches.
It doesn’t matter what network you are connecting from, but it does matter that you’re connecting from a company-issued laptop that’s in a trustworthy state.
Sounds like multiple single points of failure to make a security infrastructure so hostile to the end user it would be considered the equivalent of being under persistent attack.
The big difference is once you’re in, with a VPN you have direct access to the whole network.
With a zero trust setup, access has to be granted to you (or your ACL group) on a per-application basis. It makes it much harder for an attacker to move laterally when everything is default-deny.
But you can combine VPNs with SSO and limited permissions. Real networks all work that way these days. Logging into the VPN doesn't get you very far, you'll need to be provisioned with specific apps and permissions too.
- You must "VPN in" to access any corporate resources of any type, even ones on the corporate network when you're sourcing from the corporate network
- The client forms a separate "VPN connection" (can be clientless, but same concept) per app you access, rather than assuming a single parent VPN server can get them to any resource
- Every default ruleset started with deny all and only specific allow rules were added over time
Then you've got enough to call it a zero trust implementation. You can also take things the other way, i.e. you could "deconfigure" a zero trust setup to look and function almost exactly as a normal corporate VPN tunnel.
Rather than go through this whole thread each time, people just refer to all of this as "zero trust networking".
At the end of the day "you get access to things based on proving your identity" is not a novel concept. How you deploy, operate, and enforce that is where the differences in technologies lie.
In a pure implementation, the same level of trust is implied (absolutely none at all) whether a device is connecting to a resource from the public internet or the same subnet.
Arainach is advocating for something called "Zero Trust" which, from a user's perspective, is very much like a VPN.
It's software your employer pre-installs on your work PC, that asks you to log in with your work SSO credentials, performs some endpoint security checks, then routes your traffic over a virtual network adapter, and thereby allows you to access workplace resources, even when working from home.
The main difference is it adds some semi-authenticated states. Correct device, username, password, and 2FA, but failed a device posture check because they plugged their phone into their laptop to charge it? The 'Zero Trust' system can block some systems, while letting them retain access to others.
The other big difference is the pricing - rather than paying a five-figure sum upfront for networking hardware, you instead pay $25 per employee per month, forever.
Zero trust is when every session with every service is like its own VPN, independently authenticated and encrypted. Consider the way an HTTPS session between a server and a browser is created anew every time the browser accesses a domain, and ends after a short flurry of requests needed to load a page.
There's a significant difference which my original message hints at and is subsequently clarified: there's still an intermediary. If there's an exploit in the service, like this case, it's still not directly exposed. The intermediary device is still sitting in between and won't allow any old traffic through without separate authorization
With a VPN the attack surface of this vulnerability would have been miniscule compared to a publicly accessible zero-day RCE
(And it's not like you have to allow carte-blanche access behind the wall)
Defense in depth!