Zero Trust vs Remote Access VPN for Building Control Systems

Zero Trust architecture fundamentally transforms how organizations secure their building automation networks by addressing the inherent vulnerabilities of traditional remote access VPN-based security.

 

What is a Remote Access VPN?

A remote access virtual private network (VPN) enables users to connect to a private network remotely. This kind of VPN is used by employees or contractors who need access to a company’s network from off-site locations. Once connected, users have full access to all of the network’s resources just as if they are connected locally on-site. Remote access VPNs work by building a private tunnel between an external user and the internal network and encrypting the data.

If an unauthorized remote user gets access to the network, they will essentially have free reign to explore the network just as an authorized remote user.

What is Zero Trust?

Zero Trust is a security model that requires strict authentication / verification for every user and device attempting to access resources on a network, regardless of whether they are inside or outside the network perimeter. It operates on the principle of “never trust, always verify,” ensuring that no user or device is automatically trusted and that access is continuously monitored and validated.

 

At a high-level, remote access is a method to grant access to a network from an off-site user that results in full access to building network resources as if located on-site. Zero Trust ensures that users or devices are authorized to use network resources.

 

Protecting Against Lateral Attacks

Here’s how Zero Trust mitigates lateral attacks more effectively than VPNs:

1. Access Scope: Least Privilege vs. Broad Network Access

• VPNs:
  • Grant users broad access to the entire network once authenticated, creating a “trusted” zone.
  • Attackers who breach a VPN connection can move laterally across systems and resources unchecked (“east-west” movement).
• Zero Trust:
  • Enforces least privilege access, granting users and devices access only to specific resources they need (e.g., a single device, application, or database).
  • Limits lateral movement by default, as attackers cannot pivot to other systems without explicit authorization.

2. Continuous Verification vs. One-Time Authentication

• VPNs:
  • Authenticate users once (e.g., via password or MFA) and grant persistent access for hours or days.
  • Compromised credentials or devices can go undetected, enabling attackers to linger and move laterally.
• Zero Trust:
  • Validates every request in real time, checking user identity, device health, location, and behavior. Each data packet can also be authenticated.
  • Revokes access immediately if anomalies (e.g., unusual login times) are detected, cutting off attackers before lateral movement begins.

3. Network Segmentation: Micro-Segmentation vs. Flat Networks

• VPNs:
  • Often lead to flat network architectures where all resources are interconnected.
  • Attackers exploit this to pivot from low-value systems to high-value targets (e.g., moving from an edge device to a system controller).
• Zero Trust:
  • Implements micro-segmentation, isolating devices and data into secure zones (secure enclaves).
  • Even if a breach occurs, attackers are contained within a single segment, unable to traverse the network.

4. Attack Surface Reduction

• VPNs:
  • Expose the entire network to authenticated users, creating a larger attack surface.
  • Vulnerabilities in one system (e.g., an unpatched server) can be exploited to compromise others.
• Zero Trust:
  • Minimizes the attack surface by hiding resources from unauthorized users.
  • Only exposes the specific devices, applications or data a user needs, reducing opportunities for lateral exploitation.

5. Device and Identity Security

• VPNs:
  • Rarely validate device security posture (e.g., outdated OS, missing patches).
  • A compromised device can serve as a launchpad for lateral attacks.
• Zero Trust:
  • Continuously checks device health (e.g., encryption status, patch levels) before granting access.
  • Blocks compromised or non-compliant devices from connecting, preventing them from becoming pivot points.

6. Encrypted Context-Aware Communication

• VPNs:
  • Encrypt traffic between the user and network but do not inspect internal traffic for threats.
  • Malware or attackers inside the network can operate undetected.
• Zero Trust:
  • Encrypts all communications end-to-end (device-to-device) and may inspect traffic for malicious activity at every step.
  • Uses contextual policies (e.g., user role, data sensitivity) to detect and block suspicious lateral traffic.

 

Key Advantages of Zero Trust Over VPNs

Aspect	VPNs	Zero Trust
Access Scope	Full network access	Least privilege, per-resource access
Authentication	One-time at login	Continuous, context-aware verification
Lateral Attack Risk	High (flat networks)	Low (micro-segmented environments)
Attack Surface	Large (exposes entire network)	Minimal (only exposed resources)
Device Security	Rarely enforced	Continuously validated

 Example: Stopping Lateral Movement

Imagine an attacker compromises a user’s credentials:

• With VPNs: The attacker accesses the network, moves laterally to steal data from multiple systems, and deploys ransomware.
• With Zero Trust: The attacker has to be authenticated, is restricted to one application, blocked from accessing other systems, and flagged by anomaly detection for unusual behavior.

Why Organizations Are Shifting to Zero Trust

VPNs were designed for a perimeter-based world, but modern threats demand a more granular approach. Zero Trust’s focus on continuous verification, least privilege, and micro-segmentation directly counters the tactics used in lateral attacks, making it a critical upgrade for defending against today’s sophisticated adversaries.

Learn about DOME, a zero trust cybersecurity solution for building controls and smart buildings.

—
Blog Post Summary – All of our recent posts listed on one page