For more than two decades, virtual private networks (VPNs) have been the go-to technology for enterprise remote access — and by extension, for enforcing remote access security. Even traffic bound for the public internet is often redirected via VPN to a central data center, where security enforcement occurs through various hardware appliances. From there, the traffic is forwarded onward to the internet. Of course, it must follow the same indirect path back on the response side.
As businesses began shifting applications to the cloud, they continued to use this legacy "hairpinning" network architecture despite a rapidly growing volume of cloud traffic driven by popular SaaS apps like Office 365, Google Workspace, Salesforce, Slack, Zoom, and others. It doesn't take any expertise to realize that this architecture adds latency and negatively impacts user experience while putting a greater burden on security and networking equipment. The approach can also weaken a business's overall cybersecurity posture. For example, once a cyber attacker gains initial access to a remote endpoint, they can move laterally into the corporate network via the VPN connection in search of sensitive data and other high-value assets.
One of the great attractions of a cloud-delivered service model is eliminating this hairpinning approach and dramatically simplifying network design. Businesses can now adopt a cloud-delivered security solution to secure user access instead of relying on VPNs and hardware appliances in a centralized data center.
Today several components make up a cloud-delivered security solution, including cloud access security broker (CASB) for accessing cloud services, zero-trust network access (ZTNA) for securing access to private apps, and secure web gateway (SWG) for protecting endpoints while surfing the web. Numerous cloud security vendors deliver siloed point solutions, some addressing only a single component, while others attempt to assemble a patchwork of products through integrations.
But fully replacing an overextended VPN architecture with cloud-delivered security can be complicated. The number of agents running on the endpoint device grows with each discrete cloud solution deployed. Independent agents may be needed to steer traffic to various destinations while coexisting with legacy VPNs. Unfortunately, this approach can create deployment and interoperability issues, poor user experience, and a giant burden for IT and security.
Better security begins at the endpoint
Lookout facilitates VPN replacement while dramatically simplifying network design with the introduction of its Windows and macOS endpoint agents. These agents will help enterprises achieve true zero trust access and maximum data security in their environments without needing complex deployments and network migrations. This release supports the myriad of complex use cases that existing VPNs handle, and more.
Application (L4) and network (L3) level traffic steering
Most traffic steering agents today forward application traffic (TCP/UDP layer) only, focusing on the HTTP (port 80) and HTTPS (port 443) protocols used by web browsers and other major apps. Legacy VPN solutions, on the other hand, support more expansive forwarding capabilities, making full VPN replacement impractical in some cases with these agents. Here are just a few of the limitations of application layer traffic steering:
- Application-layer traffic inspection may only see some threats: While app-level traffic inspection monitors for hidden threats and data exfiltration, communications with command-and-control servers and even data exfiltration may occur over non-web protocols like DNS, FTP, and others. All traffic over any port or protocol must be inspected for maximum protection.
- Some enterprise apps use non-web protocols: App traffic-focused steering clients are not suitable for apps that use non-HTTP protocols. These clients do not make it any easier to steer traffic when an app uses multiple protocols. This can include apps like Outlook that use multiple protocols, Windows File Shares using SMB/CIFS protocol, SCCM, VoIP phone systems using session initiation protocol (SIP), and file transfers between computers using secure copy protocol (SCP) to name a few.
Lookout’s Windows and macOS endpoint agents support traffic steering at both the network and application levels, facilitating full VPN replacement without the loss of essential security capabilities.
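To make the difference between the two steering levels concrete, here is an added example (not Lookout's code) that runs a handful of constructed flow records through a web-only application-layer steering rule and through a network-layer rule that captures every flow and then bifurcates it between an enterprise tunnel and an internet tunnel by destination. The flow records, the port sets and the private address ranges are all assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed flow records for this example; not captures from any real network.
@dataclass(frozen=True)
class Flow:
    app: str
    proto: str      # transport protocol
    dst_ip: str
    dst_port: int

SAMPLE_FLOWS = [
    Flow("browser", "tcp", "203.0.113.10", 443),    # SaaS over HTTPS
    Flow("resolver", "udp", "198.51.100.53", 53),   # DNS to an external resolver
    Flow("explorer", "tcp", "10.20.5.7", 445),      # SMB file share on a private subnet
    Flow("softphone", "udp", "10.30.1.9", 5060),    # SIP signalling on a private subnet
    Flow("scp", "tcp", "192.0.2.44", 22),           # SCP file transfer to an internet host
]

WEB_PORTS = {80, 443}
# Assumed private address space; a real deployment carries its own route table.
ENTERPRISE_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def app_layer_steer(flow):
    """Web-only (L4) steering: only HTTP/HTTPS TCP flows enter the inspection tunnel."""
    if flow.proto == "tcp" and flow.dst_port in WEB_PORTS:
        return "inspect"
    return "bypass"   # leaves the endpoint uninspected

def network_layer_steer(flow):
    """Network-level (L3) steering: every flow is captured, then split by destination."""
    dst = ipaddress.ip_address(flow.dst_ip)
    if any(dst in net for net in ENTERPRISE_NETS):
        return "enterprise-tunnel"
    return "internet-tunnel"

def uninspected_flows(flows):
    """Flows an application-layer-only agent would let through without inspection."""
    return [f for f in flows if app_layer_steer(f) == "bypass"]
```

Running `uninspected_flows(SAMPLE_FLOWS)` shows that the DNS, SMB, SIP and SCP flows all escape a web-only agent, while `network_layer_steer` still captures each of them and routes the private-subnet ones to the enterprise tunnel.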
Granular traffic steering to meet heterogeneous environments
Most enterprise environments are heterogeneous, incorporating a mix of managed and unmanaged devices and a diverse set of users including employees, contractors, partners, vendors, and others. The profiles and access requirements for these groups can often be significantly different.
To accommodate this diversity, Lookout’s Windows and macOS endpoint agents support multiple types of traffic steering that can be selected according to user, device, and location contexts. For example, while direct employees might be granted full access to cloud services, private apps, and the web, contractors may be restricted to a select set of cloud and private apps only. Granular routing support allows IT security teams to further limit access to a mixture of machine or micro-segments within the enterprise network.
Enhanced user experience with multi-tunnel traffic steering
Although VPNs can be found in most network security architectures, the technology contains major security gaps. First, VPNs take an all-or-nothing approach to connectivity by allowing authenticated users to roam freely through the network once connected. This full network-level access sets the stage for lateral attacks. In other words, if bad actors can make it past the VPN, they have full access to all apps and sensitive data on the corporate network. Second, VPNs steer all traffic back to a central location where security enforcement happens, regardless of where that traffic is headed. This burdens the hardware appliances while impacting the user experience and business productivity.
Lookout's Windows and macOS endpoint agents help fill the security and user experience gaps that traditional VPN security approaches miss. The agent upholds the zero-trust principle of least privilege, which means users and managed devices have permissions to access only the apps, services, and systems they need to do their jobs. Users and devices must undergo continual authentication as they move throughout an IT environment, even if they are employees who have previously accessed a given resource. Lookout agents also consider risk contexts and data contexts in addition to identity. For instance, the system might deny an authorized user who usually logs in to an app in New York but suddenly tries to log in from London at an unusual time of day.
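The two passages above describe per-request access decisions driven by role, device posture and risk context. The following is an added example (not Lookout's implementation) of such a decision function: a contractor role confined to an allow-list, a device posture gate, and a risk check that denies a user whose login comes from an unusual location at an unusual hour, as in the New York/London case. The users, baselines and role policy are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed identity, device and risk context; not data from any real tenant.
@dataclass
class AccessRequest:
    user: str
    role: str            # "employee" or "contractor"
    device_managed: bool
    posture_ok: bool     # outcome of the EPP / OS security-center posture check
    location: str
    hour: int            # local hour of the request, 0-23
    resource: str        # "web", "cloud:<app>" or "private:<app>"

# Per-user baseline of usual login locations and working hours (constructed).
BASELINES = {
    "alice": {"locations": {"New York"}, "hours": range(7, 20)},
    "bob":   {"locations": {"Austin"},   "hours": range(8, 18)},
}

# Least-privilege allow-lists per role (constructed policy).
ROLE_POLICY = {
    "employee":   {"web": True,  "cloud": {"*"},              "private": {"*"}},
    "contractor": {"web": False, "cloud": {"Slack", "Jira"},  "private": {"ticketing"}},
}

def is_anomalous(req):
    """Risk context: an unusual location combined with an unusual hour for this user."""
    base = BASELINES.get(req.user)
    if base is None:
        return True   # no baseline yet: treat as anomalous rather than trusting by default
    return req.location not in base["locations"] and req.hour not in base["hours"]

def decide(req):
    """Return (decision, reason). Every check runs on every request, not once at connect."""
    if not (req.device_managed and req.posture_ok):
        return ("deny", "device posture")
    if is_anomalous(req):
        return ("deny", "risk context")
    policy = ROLE_POLICY[req.role]
    kind, _, name = req.resource.partition(":")
    if kind == "web":
        return ("allow", "policy") if policy["web"] else ("deny", "policy")
    allowed = policy.get(kind, set())
    if "*" in allowed or name in allowed:
        return ("allow", "policy")
    return ("deny", "policy")
```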
Rather than being centralized, traffic is automatically routed to one of Lookout's many cloud-edge locations distributed worldwide, providing the shortest path between the user and the enterprise. Further, the agent employs a multi-tunnel architecture to bifurcate traffic and steer it appropriately, whether destined directly to the internet or the enterprise. This multi-tunnel traffic steering ensures an optimal user experience and consistent security at all times.
Highly available redundant multi-path routing
Enterprise networks are highly distributed and can be reached through multiple access points. To match this, Lookout's Windows and macOS endpoint agents use the globally distributed Lookout Cloud Security Platform, with its path selection and routing algorithms, to offer end users a highly available security service edge (SSE) experience. This ensures end users retain access to enterprise resources even when multiple failures occur on the enterprise side, the cloud service side, or both.
Consistent zero-trust enforcement with integrated endpoint security
Lookout's Windows and macOS endpoint agents continuously monitor endpoint posture, integrating with endpoint protection platforms (EPPs), OS security centers, and other endpoint security products. This information is shared with the Lookout Cloud Security Platform in real time to enforce consistent zero-trust access policies whenever any enterprise resource is accessed.
Data security combined with access and endpoint security
Lookout's Windows and macOS endpoint agents, operating with our Cloud Security Platform, extend full data protection and threat protection controls to private enterprise apps. This advanced data security includes data loss prevention (DLP) and enterprise digital rights management (EDRM) that proactively encrypts data as it leaves the enterprise controls.
While VPN use remains widespread, this traditional enterprise security approach contains inherent security gaps that zero-trust alternatives aim to fill. While experts agree a zero-trust model provides better outcomes than traditional VPN-based perimeter security, IT and security teams must understand and consider the complex details related to traffic steering before tackling VPN replacement.
By introducing Lookout's Windows and macOS endpoint agents, together with the Lookout Cloud Security Platform, IT and security teams can shrink their network's attack surface while replacing legacy VPN technology altogether.
Better security begins at the endpoint!