Is it time to retire your VPN?
Historically, one of the most popular tools used to connect remotely to a corporate work environment has been a virtual private network -- VPN for short. A VPN enables corporate users to send and receive data across public networks such as the internet through a secure encrypted tunnel, providing something akin to a direct, private connection to the corporate network.
However, VPN technology was introduced at a time when business IT environments reside on business premises, and did not include distributed elements that are now commonplace, such as cloud computing, mobile devices, and flexible remote work policies. Even as VPNs have adapted to stay relevant to some of the changes in how people now work, they have struggled to keep up with the modern threat landscape.
Yet thanks to office closures associated with COVID-19, VPN traffic is at an all-time high. Organizations doubled-down and invested heavily in VPN technology to quickly connect their newly distributed workforce to the applications and resources they need. While they were perhaps not the perfect solution, they were on-hand, familiar, and easy to augment quickly.
Despite the recent increased dependence on VPNs, change is unquestionably coming. Ironically, the impetus for that change is also a phenomenon that experienced rapid growth during the pandemic: Specifically, burgeoning – and often VPN enabled -- threats to network security.
The issues with VPN technology have led many security-minded organizations to search for a more secure alternative -- one that supports the objective of attaining "Zero Trust" security.
The Major Dangers of VPN
One principle of Zero Trust security is that the inside of your network should not be "flat." In other words, once a user gets past the perimeter of the network, they should encounter interior perimeters -- network segments -- that protect your most important resources.
VPNs don’t readily support network segmentation. True, administrators can implement internal segmentation manually, for instance, by provisioning every segment with its own router or Layer 3 switch. However, that approach doesn’t scale very well -- you’ll need to add more hardware every time you want a new network segment, which is not ideal for traditional networks and completely unsuitable for dynamic networks.
In addition, VPNs don’t come with internal monitoring capabilities, meaning that there’s no way to tell what users are doing on the network once they are in. This means that a hacker -- or a malicious insider -- can operate inside the network without fear of being detected by your VPN.
Finally, VPNs don’t provide robust Wi-Fi security. If you’re a remote user using a VPN on an open wireless network, your connection will leak thousands of packets worth of data before your VPN connects. This is more than enough data for an attacker to exploit.
Weighing your ZTNA Options
Some organizations looking to adopt a Zero Trust Network Access approach may think that they need to jump full-scale into an SDP solutions to, among other things, replace VPNs. But the jump in recent VPN deployments to support new distributed workforces demonstrates that a full scale rip-and-replace is not going to occur in the foreseeable future for many organizations. Even without Black Swan events like the pandemic, many organizations tend to hang on to tried and tested legacy tools such as VPN, regardless of the issues associated with securing and maintaining them.
While SDP is one known way to achieve ZTNA, it is certainly not the only way. Some micro-segmentation solutions can be added to existing networks and VPNs to enforce Zero Trust Network Access controls, without the wholesale network infrastructure replacement that many SDP solutions entail. Users can log in and connect via their standard VPN client or local network as usual -- no extra sign-ins or hoops to jump through, and applications and IT resources get protected with powerful Zero Trust security capabilities.
What About East and West?
While much of the discussion regarding Zero Trust Network Access is focused on the security threats associated with remote access (aka "North-South" access), there are also risks associated with overly broad internal access. Security professionals know that one of the key challenges they need to address is the risk of a malicious insider, who can steal data, disrupt systems, and create havoc. Securing this internal network access use case, known as "East-West" access, is something that the majority of SDP solutions do not address.
Many micro-segmentation solutions can address both North-South and East-West use cases. Whether the challenge is keeping external hackers away from sensitive corporate applications and data, or it is ensuring that internal access is limited – thereby mitigating the impact of any insider malicious activity -- these solutions can have an organization covered.
Choose the Right Path to Secure Your Business
If you’re relying on VPN alone to provide secure remote access to internal resources, it’s time to evaluate upgrading to a Zero Trust Network Access solution (ZTNA). The question is what is the most effective and efficient way to get there?
While many SDP solutions have clear benefits, they also have some downsides, like cost, spinning up a project to replace VPNs, and limited ability to secure internal access use cases. Fortunately, micro-segmentation-based alternatives do not have the SDP-downsides of having to replace existing VPN infrastructures with new technologies. These solutions can prevent attacks by limiting remote and internal application and resource access to only what is typically required. Cloaking applications from unauthorized users isolates them from attack, eliminating lateral movement within the network and stopping the spread of threats like ransomware. They also can cover the East-West secure access requirements that were discussed earlier.
Whether its SDP or some form of micro-segmentation, the tools and solutions are there for every organization to start their Zero Trust Network Access journey. Now is the time to take the first step.
Image credit: Denys Prykhodov / Shutterstock
Gerry Grealish is Chief Marketing Officer at Ericom Software