Facing the Reality of VPN Security Flaws, And How to Overcome Them


NEXT UP, SOFTWARE DEFINED PERIMETERS

By Don Boxley, CEO and Co-Founder, DH2i

Virtual private networks (VPNs) have long been a valued tool on most data and cybersecurity professionals' tool belts. However, in today's data reality, where cloud, IoT, big data, and other progressive applications reign supreme, many are learning the hard way that traditional VPNs simply cannot support today's data security demands. Others are unknowingly in for an inevitable rude awakening. More proactive organizations, meanwhile, are already exploring or have deployed more advanced solutions that meet today's security requirements while also delivering additional IT, business, and budget benefits.

A Brief Look Back

For many years now, VPNs have served as the most common way to "securely" access networks. The main business advantage of a VPN is generally regarded as improved security through the technology's end-to-end encryption. Unfortunately, the fact is that VPNs not only expose sensitive data to increased security risks, but in today's cloud-based environment they actually magnify those risks exponentially.

One of the main ways VPNs endanger data security is that enterprises often end up having to manage multiple types of VPN connections to accommodate the networking gear of each third party. (The alternative, requiring vendors to use just one VPN, can be very costly.) Not only is this juggling act an administrative nightmare, it also creates much more room for lateral movement attacks: because each user gains access to a "slice of the network," so to speak, the exposed and vulnerable network surface area expands massively. Inbound connections create attack surfaces, and without application-level segmentation there is no way to reduce those attack surfaces, leaving networks vulnerable.

Why Now?

Why now, when VPNs have been the venerable “go-to” for secure endpoint connections that safeguard data from hackers? The answer lies in the fact that VPN technology was not designed for a world of mobile devices, virtual teams, and third-party vendors tapping into the network; it was made with traditional on-premises security in mind. The VPN model came into being in a different era—when an on-premises, non-cloud environment was king, with physical servers and virtual machines. In such a world, VPNs were appropriate. But today, IT is much more likely to incorporate hybrid cloud settings, blending on-premises with public/private cloud environments. Each time you layer on another IT scenario, the chances for data exposure and security breaches increase.

This points to a significant issue with continuing to buy into the myth of VPN security. Digital transformation has made it much more difficult for organizations across multiple industries to give business partners and other third parties secure access to internal data and infrastructure. Organizations cannot afford to take this challenge lightly and simply go with what has worked in the past, since granting access to any third party represents a major security risk that can lead to a number of business and technical threats and vulnerabilities that were not in play when the only concern was on-premises security.

Simply giving a partner or vendor access to your system in a cloud environment means that your security level instantly plunges. Not only is there a chance of inadvertently inviting malware into your system, but the safety of your organization's applications and information is now at the mercy of that vendor's security controls. If their controls are weak, then so are yours. All that needs to happen for your data to be compromised is for one unapproved source to compromise the vendor's system; that attacker can then gain access to your network. Consider the biggest recent data breaches: many can be traced back to a third-party vendor. Add to this the fact that remote-access VPNs are complex to configure, and you have the perfect storm for a suboptimal system.

Traditional Perimeter Security Is Now Officially Obsolete

For those who continue to depend on VPNs for secure web connections, it is time to face the fact that traditional perimeter security is now officially obsolete. Today, the cloud is ubiquitous. Technology has moved on when it comes to network perimeter security. Proactive organizations have updated their security strategies to accommodate what work looks like today, and have moved beyond yesterday’s VPNs and direct link approaches, as well as their associated security risks.

Next Up – Software-Defined Perimeters

A new approach and associated technology is now available, designed from the ground up specifically to address the issues above and to enable enterprises to make the most of today's data opportunities. It is commonly known as software-defined perimeter (SDP), and it enables companies to overcome the security challenges of hybrid and multi-cloud deployments by reducing the attack surface. How does SDP circumvent the VPN's security issues? In a nutshell, it does so by:

  • Decreasing lateral attacks – by creating an environment that can be described as “secure by default,” which is achieved by providing remote users access only to specific services.
  • Providing users access at the application level, moving beyond network-level access.
  • Creating greater security by granting connectivity across multiple clouds, sites, and domains to distributed apps and clients.
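The difference between a network-level grant and an application-level grant can be made concrete by counting what a remote user can actually reach under each model. The following Python model is an added example, not code from the article or from DH2i: the host addresses, listening ports, and policies are constructed for illustration, and the names `INVENTORY`, `Service`, and `compare` are this example's own.

```python
"""Model the attack-surface difference between a network-level (VPN-style)
grant and an application-level (SDP-style) grant. Added example; all hosts,
ports and policies are constructed, not taken from any product."""
from dataclasses import dataclass
from typing import Dict, Set
import ipaddress

# Constructed inventory of a hypothetical vendor-facing environment:
# host address -> set of listening TCP ports.
INVENTORY: Dict[str, Set[int]] = {
    "10.20.0.10": {22, 443, 3306},   # application server (hypothetical)
    "10.20.0.11": {22, 3306},        # database server (hypothetical)
    "10.20.0.12": {22, 445, 3389},   # file server (hypothetical)
    "10.20.1.5":  {22, 443},         # host on a neighbouring subnet (hypothetical)
}


@dataclass(frozen=True)
class Service:
    host: str
    port: int


def reachable_network_level(cidr: str) -> Set[Service]:
    """VPN-style grant: the remote user receives a 'slice of the network'.
    Every listening service inside the routed CIDR becomes reachable,
    whether or not the user needs it."""
    net = ipaddress.ip_network(cidr)
    return {
        Service(host, port)
        for host, ports in INVENTORY.items()
        if ipaddress.ip_address(host) in net
        for port in ports
    }


def reachable_application_level(grants: Set[Service]) -> Set[Service]:
    """SDP-style grant: only the explicitly listed (host, port) services are
    connectable; anything not listed is denied by default. A grant that does
    not match a real listener is dropped rather than widening access."""
    return {s for s in grants if s.port in INVENTORY.get(s.host, set())}


def lateral_exposure(reachable: Set[Service], intended: Set[Service]) -> Set[Service]:
    """Services the remote user can reach but was never meant to use:
    the room available for lateral movement under a given grant."""
    return reachable - intended


def compare(intended: Set[Service], cidr: str) -> Dict[str, int]:
    """Count reachable and excess services under each model for the same
    business need (the services in `intended`)."""
    vpn = reachable_network_level(cidr)
    sdp = reachable_application_level(intended)
    return {
        "vpn_reachable": len(vpn),
        "vpn_excess": len(lateral_exposure(vpn, intended)),
        "sdp_reachable": len(sdp),
        "sdp_excess": len(lateral_exposure(sdp, intended)),
    }


if __name__ == "__main__":
    # A vendor that only needs the HTTPS front end of the application server.
    need = {Service("10.20.0.10", 443)}
    print(compare(need, "10.20.0.0/24"))
```

For a vendor that needs a single HTTPS service, routing the whole /24 exposes eight listeners (seven of them surplus), while the application-level grant exposes exactly the one service and nothing else; widening the VPN route to a /16 only makes the gap larger. The point of the model is the `lateral_exposure` number, which is what an attacker who compromises the vendor's endpoint inherits.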

An SDP allows its users to move workloads as needed from cloud to cloud, which helps avoid the threat of cloud vendor lock-in. An SDP also eliminates chaos by allowing installation on any host, without network reconfiguration or appliance hassles.

So, what's holding you back? As traditional perimeter security, VPNs likely worked for you in the old world of physical servers and virtual machines. But even if you have not already experienced a breach, you likely know they don't have what it takes to protect your data in today's heterogeneous, multi-cloud, advanced application environment. It's time to embrace today's new realities with a progressive security solution that is specifically designed to answer your requirements, and to let go of yesterday's VPN security myth.

About the Author

Don Boxley Jr is a DH2i co-founder and CEO. Prior to DH2i, Don held senior marketing roles at Hewlett-Packard where he was instrumental in sales and marketing strategies that resulted in significant revenue growth in the scale-out NAS business. Boxley spent more than 20 years in management positions for leading technology companies, including Hewlett-Packard, CoCreate Software, Iomega, TapeWorks Data Storage Systems and Colorado Memory Systems. Boxley earned his MBA from the Johnson School of Management, Cornell University. Don can be reached online at don.boxley@dh2i.com. DH2i's website is www.dh2i.com. Follow DH2i on Twitter: @DH2i.