Every day hundreds of organizations are breached in an attempt to steal corporate secrets and personally identifiable data. The most prolific attacks end up on the mainstream media. Still, countless data breaches go unnoticed by the media or even by the organizations themselves.
Bad actors are continually discovering new ways to breach organizations. They are also sharing their techniques with a much broader audience on the dark web. These data breaches can cost organizations several million dollars to mitigate, while the bad actors sell corporate information and collect ransom money.
Public-cloud companies have entire teams of security specialists dedicated to supporting their customers. However, organizations with private datacenters and on-prem applications lack the capabilities necessary to keep up with constant software updates, data and log analysis, pen testing, and more. A single misstep has the potential to harm organizations.
There are many attack vectors utilized by bad actors. A reasonably common one is exploiting known vulnerabilities in VPN solutions to gain full access to internal networks. In one recently disclosed zero-day incident, not only was the VPN solution compromised, but the vendor itself was compromised through the same zero-day vulnerability.
A VPN tunnel into a datacenter enables remote user access to the entire corporate network, even though an end user might only require access to a small subset of apps based on their role and job function. Opening access to the entire corporate network increases the threat surface and significantly increases the probability of an attack.
However, today there is a better way to provide users with access to internal applications, one that does not rely on VPN servers or open firewall ports. It is part of being compliant with the zero trust framework.
Zero trust is achieved by implementing a framework, or a collection of products with zero trust principles built in, integrated into a collective approach that achieves business outcomes.
For this specific problem, VPN-less access to internal applications is the right approach. Connector software is deployed on-premises, acting as a bridge between enterprise web apps and globally distributed cloud-service points. No inbound connections are ever used to access internal applications. All connectivity is initiated outbound from the datacenter, so not even a single firewall port is opened.
A TLS connection between the connector and the cloud service carries traffic for the on-premises apps enumerated in the cloud service, which acts as an authentication and traffic proxy for all incoming user connections.
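As an added illustration of the outbound-only connector pattern described above (constructed demo code, not Citrix's implementation): the on-premises side never opens a listening socket, it dials out once to the cloud service, and the cloud service authenticates and authorizes each user before relaying a request over that tunnel. The TLS layer from the text is omitted; the demo runs plain TCP on loopback, and the app names, tokens and grants are made up.

```python
import socket
import threading

INTERNAL_APPS = {"hr": "HR portal content", "wiki": "internal wiki content"}  # constructed
USER_GRANTS = {"alice-token": {"hr"}}   # constructed: alice may reach "hr" only

def recv_line(sock):                    # minimal newline framing for the demo
    buf = b""
    while not buf.endswith(b"\n") and (chunk := sock.recv(1)):
        buf += chunk
    return buf.decode().strip()

def connector(cloud_addr, ready):       # on-prem side: dials OUT once, never listens
    tunnel = socket.create_connection(cloud_addr)
    ready.set()
    while app := recv_line(tunnel):     # requests arrive back over the same connection
        tunnel.sendall((INTERNAL_APPS.get(app, "no such app") + "\n").encode())

def cloud_service(conn_listener, user_listener):   # cloud PoP: the only party that listens
    tunnel, _ = conn_listener.accept()  # the connector's outbound connection lands here
    while True:
        user, _ = user_listener.accept()
        token, _, app = recv_line(user).partition(" ")
        if app in USER_GRANTS.get(token, set()):    # authn + per-app authz before proxying
            tunnel.sendall((app + "\n").encode())
            user.sendall((recv_line(tunnel) + "\n").encode())
        else:
            user.sendall(b"denied\n")   # rejected at the edge; never reaches the datacenter
        user.close()

def request(user_addr, token, app):     # a remote user talking only to the cloud service
    with socket.create_connection(user_addr) as u:
        u.sendall(f"{token} {app}\n".encode())
        return recv_line(u)

def run_demo():
    conn_l, user_l = socket.socket(), socket.socket()
    for s in (conn_l, user_l):
        s.bind(("127.0.0.1", 0))
        s.listen()
    threading.Thread(target=cloud_service, args=(conn_l, user_l), daemon=True).start()
    ready = threading.Event()
    threading.Thread(target=connector, args=(conn_l.getsockname(), ready), daemon=True).start()
    ready.wait()
    ua = user_l.getsockname()
    return [request(ua, "alice-token", "hr"),      # granted app
            request(ua, "alice-token", "wiki"),    # app not in alice's grants
            request(ua, "bad-token", "hr")]        # unauthenticated
```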
By implementing these simple zero trust concepts, organizations can eliminate the need to maintain VPN servers that are reachable by every remote user, perhaps first limiting access to them to a few specific IP addresses, or even removing them completely.
Citrix maintains globally distributed cloud-service points of presence (PoPs) that securely connect to the web apps hosted in your on-premises datacenter. IT admins can configure the Citrix Workspace app to include access for all applications required by the employees and other SaaS and virtual apps and desktops.
Among other benefits, customers realize:
- Easier management
- Reduced attack surface
- Better security context
- No traffic backhauling
This simple approach enables an essential aspect of the zero trust model. Access is granted only to specific apps required for employees to do their job.
Get started today, and learn more about migrating from a traditional VPN to a VPN-less solution.