Virtual private networks (VPNs) have been around in one form or another for over 20 years. They’re extremely good at performing one very important task – creating a secure, encrypted tunnel that extends across public networks, allowing users to send and receive data as if their device were connected directly to an internal resource.
In recent years, VPNs’ ability to create this secure, remote connection has again given them a boost in popularity, despite claims by some security professionals that the technology is dead. In fact, enterprises grappling with large, decentralized workforces have turned to the VPN as a means for keeping employees and their devices secure while accessing sensitive applications and data – especially during the rise in remote work brought on by COVID-19.
But it’s not all good news for VPNs. While they do function well when it comes to tunneling and encrypting data from authorized users, there are a couple of significant catches.
Assessing the cost benefit of traditional enterprise VPNs
The world of security looks very different from where it was when VPNs first entered into the mainstream. Hacking and breaches existed, of course, but they were far less sophisticated and could often be beaten by the prevailing combination of VPN and firewall technologies. Since then, however, wave after wave of attacks, including denial of service (DDoS) and various zero-day attacks, have proven to take advantage of newly discovered vulnerabilities.
And as employees increasingly started using their own devices (BYOD) for work purposes and began to work more frequently outside the protection of the office, it became even more difficult for IT to have visibility into what was happening on those devices as the number of attack surfaces proliferated.
Today, the most common cyberattacks begin with phishing, which if successful, can quickly cause the loss of information such as usernames, passwords, bank account details and more. If that stolen information happens to include VPN login credentials, then a hacker could go almost completely unnoticed as they exfiltrate virtually any ‘unlocked’ asset in the organization. And because some VPNs are based on open source technologies, a single vulnerability can be exploited across multiple solutions.
Traditional VPNs face one more significant disadvantage. In the past, most companies kept applications and their data on-premise, running in corporate data centers. Today however, organizations have rapidly shifted away from the cost and complexity of self-managed data centers to the convenience and simplicity of privately hosted applications and data or SaaS applications hosted in the public web.
With most VPNs needing to be either ‘off’ or ‘on,’ sending application data down a tunnel to HQ and then out to the web is extremely inefficient and can quickly cause a bottleneck that results in frustrated employees. Many companies discovered this firsthand when their VPNs couldn’t scale to meet the sudden demand of employees all working from home.
Mobile VPNs tighten security as some risk remains
One common solution to the inherent vulnerabilities of VPN is the mobile VPN, which takes all of the strengths of legacy VPNs, but works particularly well for mobile devices outside the corporate network. Rather than becoming yet another choke point in the network, these VPNs can actually improve the user experience through the use of data compression, application persistence and other enhancement techniques. No more dropped sessions or session re-authentication required, even in areas with choppy Wi-Fi or cellular connections.
But even mobile VPNs aren’t completely future proof. As mentioned above, a hacker with access to a VPN’s credentials has almost carte blanche to access corporate data without being detected. The adoption of multifactor authentication (MFA) has certainly helped, but this also isn’t enough to ensure the continued integrity of corporate data.
The decentralized workforce accelerates SDP intrigue
As decentralized organizations with many mobile or remote employees continue to proliferate, companies are seeking technology with VPN-like benefits without the security risks and user experience challenges. The answer lies in deploying a software defined perimeter (SDP) around all of the devices used by the organization.
SDP, sometimes referred to as zero trust network access (ZTNA), uses a series of conditional criteria that must be met before any user or device is given access to corporate assets. Where is the user? What device are they using? Is the device running the latest, approved version of its OS? Does this user have authorization to access this application or data? There are literally dozens of criteria that can be used to judge each request’s authenticity and merits before it is allowed.
Having an SDP solution with the right set of policies means that even with the correct credentials, a hacker would not be able to access valuable data. Their device will set off a red flag based on visibility into location or any number of other factors.
VPN and SDP together reduce risk and improve user experience
SDP is not about to usurp the role of the VPN completely, and for most organizations, the choice between one over the other will not occur for at least a decade. That’s because SDP and VPN complement one another extremely well, creating a hybrid solution that combines the benefits of a mobile VPN’s data encryption, compression and application persistence, with the incredibly granular security benefits of an SDP.
One other thing to keep in mind: an SDP alone requires a controller (usually on the device) and a gateway somewhere in the network. That is significant because it means that an SDP alone can potentially become a chokepoint if it isn’t able to scale. Combining an SDP and an intelligent VPN would enable split tunneling directly to the web, reducing network congestion while maintaining security over corporate assets.
The reality for the foreseeable future is that most companies – about 98% in fact – still maintain some applications on-premise or at least hosted in a private cloud. For the vast majority of companies, therefore, evolving from a mobile VPN to a hybrid VPN / SDP solution before going all in on just an SDP makes the most sense.