Confront Your VPN

VPNs have been at the core of many of the biggest breach headlines recently. The Department of Homeland Security named “unpatched Virtual Private Networks” as a top 10 vulnerability in 2020.

The reality is VPNs are not fit for purpose in modern, hybrid IT environments. It’s no surprise when you consider VPNs hit the market in 1996. What 25-year-old technology are you still using?

It’s time to confront your VPN for what it is – a clunky and unreliable liability. This is especially important to do if your organization, like most, is embracing a remote and flexible workforce model. The inherent security flaws in VPN architecture make it antithetical to the Zero Trust access model. Companies who don’t confront these flaws are susceptible to a costly breach. Along with this obvious concern, VPNs are complex and costly to maintain and frustrate users who tire of signing into a VPN and getting dropped due to bandwidth constraints. Combined, these issues can hamstring operations and curtail digital transformation.

VPN Security Flaws

Before we address the performance issues with VPN, let’s outline the risk a VPN brings to your organization:

• Visible Attack Surface: By design, VPNs have ports that are always open and listening for incoming connections. This makes them scannable and visible to adversaries running reconnaissance and looking to conduct credential stuffing, forced entry or DDoS attacks.

• Weak Authentication: VPNs don’t use context or identity to authenticate, just an IP address. This makes it difficult to authenticate the person behind the device or the context in which they are requesting access.

• Too Much Authorization: Most VPNs grant over-privileged access and unsanctioned lateral movement because it’s become too complex to write and manage thousands of firewall rules.

VPN Performance Issues

If the security flaws alone were not enough, then let’s breakdown the performance issues of the VPN that lead to operational complexity and IT inefficiencies:

• Scale Limitations: VPNs are hardware-bound, so the only way to scale them is with more infrastructure. This is both costly and time-intensive.

• Backhauling Traffic: Accessing cloud-hosted resources with a VPN requires hair pinning traffic through your datacenter, introducing additional latency.

• Connectivity & Latency: VPNs are temperamental, and we’ve all experienced the need to reconnect after a crash or the brutally slow connections due to the “clogged pipes” in their centralized architecture.

• Management Complexity: Whether it’s a swath of IT tickets or the overwhelming number of VPN induced policies, we’ve had to retrofit people and process for an antiquated technology.

A Superior Approach to Remote Access

The Software-Defined Perimeter was architected for the IT and threat landscape of the 21^st century and its capabilities make the VPN look like what it is, antiquated. It’s like trying to compare the productivity gains and security of the latest iPhone against the original Nokia mobile phone—you know, the one with a snake on it.

Here are the benefits of Appgate SDP compared to that of your existing VPN:

• Invisible Resources: Using a technology called Single Packet Authorization we cloak all resources unless authenticated. This immediately breaks the Cyber Kill Chain and prevents reconnaissance from adversaries. Right out of the gate we’re reducing the attack surface and risk by not making our front doors (ports) visible.

• Identity-Centric Authentication: By integrating with existing identity systems (roles, permission, MFA), using environmental contextual data (time, location) and evaluating device posture (firewall, anti-virus, malware) we’re able to build a multi-dimension user profile that is used to dynamically produce risk-based entitlements.

• Least Privilege Access: Fine-grained micro-segmentation allows users to only get access to resources they are permitted, while unauthorized resources are completely invisible. This greatly reduces the risk of lateral movement and insider threat.

• Programmable, Scalable and Hybrid: This might feel like 3 buzzwords stuck together to fill some space, but in this case they’re all valid. Robust APIs unleash automation and extend capabilities with integration into existing systems and process. Lightweight hosting requirements and automated policies make it easy to deploy and scale, like and with the cloud. And for complex enterprises running heterogeneous environments, it works across Public Cloud, Private Cloud, Traditional On-Premises and even legacy systems.