This is part of the Children's Guide to Zero Trust series.
Alice peeked over the couch. "Hey DevMom, can we use VPNs?"
DevMom didn't look up from her computer. "What's got you curious about VPNs all of a sudden?"
"Well, Bob told me he uses VPNs to pretend he's at home when he's really somewhere else," Alice said, hanging upside down on the couch before flopping onto the floor.
DevMom glanced over her screen at Alice. "Are you trying to play Minecraft at school?"
"No," Alice responded with a straight face. "I'm just wondering why you and DevDad don't use VPNs for work."
DevMom decided to entertain the question. "Alright, I'll explain. VPNs create tunnels through network perimeters."
"What's a network perimeter?" Alice asked.
"It's like the protective walls around our house," DevMom gestured at the walls. "You know how there are BadHats trying to get in and cause trouble? The network perimeter is like our walls, and many workplaces have similar protections. A tunnel makes the walls weaker."
"What's a tunnel? Like a car tunnel?"
"Sort of…” DevMom paused, trying to think. “A tunnel is like a secret passage through those walls, think of — a magical door! What goes in one end comes out the other, and no one can see what happens inside."
"Okay, but why is tunneling bad?"
"Well, tunnels bypass the protective walls, Alice," DevMom explained. "Imagine if you created a tunnel from your friend Bob's house to ours. Bob could skip the front door and come straight in."
"That sounds cool, like a secret entrance!" Alice's eyes lit up. “And Bob doesn’t even need to wait for the front door to let him in!”
"It does sound faster, doesn’t it? But remember," DevMom continued, "the tunnel isn’t the same thing as our own front door. Once someone passes through the tunnel, they have free access to the rest of the house. If BadHats find out about the tunnel, they could use it to sneak in and then — boo! Your ice cream is stolen."
"But I don't want my ice cream stolen," Alice frowned. "Can't I only let Bob use our secret tunnel?"
“How would you do that?”
“Say…” Alice gave it some hurried thought, "Say we lock the tunnel, then give Bob a key?"
“Ah,” DevMom nodded with understanding; children are prone to not thinking too far. “Some people think that works, but then BadHats steal Bob’s key. Or you get tricked into giving ‘Bob’ another key, but it’s actually a BadHat.”
“But I can look and see who’s coming through, right? And close off the tunnel?”
"No, because nobody can see what's inside the tunnel. You don't know who or what might come out. That’s what keeps it secret."
"But I could look at the entrance to see who comes in!" Alice insisted.
DevMom laughed. "That's true, but if you're already on both sides of the tunnel, why would you need a tunnel in the first place?"
“Oh. That’s true… oh!” Alice placed her hands together, “Then what if I open the tunnel into the backyard? Then Bob can still benefit from a tunnel, and I can see who comes out before I let them into the house! Like a… like, uh… um… a waiting room!”
"We call that network segmentation, Alice.” DevMom smiled at Alice’s quick thinking. “It's like dividing your perimeter into smaller rooms, each with its own walls."
"So, with network sensation, can we set up a VPN?"
"It's pronounced network segmentation,” DevMom corrected, pronouncing each syllable clearly. ”And no, it doesn't solve the Perimeter Problem."
"Problem?” Alice raised her eyebrows. ”Our walls have a problem?"
"Not our walls, the Perimeter Problem! When you trust everything inside just because it's … inside." DevMom frowned at her own explanation. “Think about it this way: anyone inside the house can open the refrigerator and take ice cream, right?“
“Yes.”
“Shall we lock the refrigerator?”
"Noooooo." The girl looked horrified at the thought. “So network cessation doesn’t work?”
“It’s pronounced seg-men-ta-tion,” DevMom corrected firmly. “And no — adding more segmentation creates its own issues, like having too many locked doors in the house. And having too few means BadHats can enter freely and steal your ice cream."
“That is very true. Hrm…” the girl puffed out her cheeks, trying to think of how this could work. “What if I trust Bob to not lose his key, and I trust that only Bob can use the tunnel?”
“That’s a lot of trust.”
“Well of course, Bob is my friend!”
“What if Bob decides to steal your ice cream one day?”
Alice blinked. “Bob can do that?”
“Never forget that betrayal can only come from those you trust, Alice,” DevMom warned, then softened. “What happens if you and Bob get into a fight? That tunnel you want doesn’t check to see if Bob might be coming through to steal your ice cream, nor does it continuously check if Bob is doing things you wouldn’t mind. It just sees the key and opens up."
"Oh," Alice seemed to understand, “I guess that could happen. But wouldn’t that be the same with our front door?”
“It normally would be, yes,” DevMom admitted. “Because at the end of the day, the question isn’t whether someone is trustworthy, but whether what they’re currently doing is safe. Trustworthy people can still make bad decisions, right?”
“Yes.”
“So, remember DevDad’s lesson on context-awareness and the importance of continuous verification? If Bob comes to play Minecraft with you, but things go poorly and he decides to steal your ice cream after having come in, what then?”
“We can’t have that!”
“No, we can’t. And to make sure that is stopped before it can happen, our front door adds a tracker to every action someone takes.” DevMom ruffled Alice’s hair, “But that’s a bit much. You just wanted to know why we don’t set up VPNs, right? It’s because VPNs give BadHats another entryway through our perimeter. Having walls are nice until people try to take shortcuts and tunnel. Does that make sense?”
"I understand now. No Minecraft at school, I guess..."
"What was that?"
"Uh, I mean, I'm just disappointed I can't use a VPN for school in case I forget my homework at home!"
Stay up to date with Pomerium news and announcements.
Embrace Seamless Resource Access, Robust Zero Trust Integration, and Streamlined Compliance with Our App.
Company
Quicklinks
Stay Connected
Stay up to date with Pomerium news and announcements.