Brigadier General (Ret) Gregory Touhill, March 30, 2020
COVID-19 Shows That it is Time for Government Agencies to Replace VPNs
There's a Superior Option
If the public sector doesn’t retire its legacy VPN infrastructure, then Congress needs to question why our agencies continue to invest in this inefficient technology, when superior technologies such as SDPs are available.
As America and the world “shelter-in-place” and exercise “social distancing” in an effort to limit the spread of COVID-19, government agencies and companies report their Virtual Private Network (VPN) infrastructures are being “crushed” as organizations make the shift to telework.
The problems these organizations face are significantly eroding mission effectiveness. Organizations have discovered their legacy VPN infrastructure does not have the capacity to handle the workload of the deployed workforce. Many are now attempting to “time share” access to the complex and limited VPN assets in an effort to ration remote access to resources. Additionally, most organizations were unable to issue laptops and other devices to the deployed workforce, and find they can now fully employ only a fraction of their workforce. As a result, the legacy VPN infrastructure is proving itself to be a significant liability that is jeopardizing the security and mission of these organizations.
In an effort to maintain business continuity and continuity of operations, several government agencies are asking Congress for billions of dollars in additional spending authority to increase the capacity of their ancient VPN infrastructure. Rather than blindly throwing more money at the secure remote access problem by buying more of the ancient and expensive VPN technology, government agencies should invest in modern and more capable technologies that are more effective, efficient, and secure than legacy VPNs.
The Superior Alternative to VPNs
VPNs first hit the marketplace in the late 1990s and, after over 20 years of service, have been leapfrogged by Software-Defined Perimeter (SDP) technology. Industry experts, such as those at Forrester Research, highlight that SDP is a better alternative to VPN in all categories, including security, simplicity, capability, extensibility, ability to rapidly scale (aka elasticity), ease of use, and lower price point.
The foundation of SDP was kickstarted by the Department of Defense’s (DoD) desire to mitigate security weaknesses in TCP/IP, which remains the backbone of the Internet. Over the last 10 years, SDP has evolved into a full-featured network security platform that embodies the core principles of Zero Trust, including the capability to enforce “least privilege,” which means that you only see what you are authorized to see on a network, and nothing else.
Today’s Common Criteria-certified SDPs securely operate simultaneously on any operating system, on any device, in any cloud, and in on-premises or co-located data center environments. Unlike legacy VPNs, SDP technology reduces complexity for both users and security personnel while actually increasing the security posture of organizations. It also incorporates comply-to-connect security checking, which is essential in “Bring Your Own Device” environments as well as when employees shift from their office to operations at home.
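To make the two ideas above concrete, here is a small access-decision routine in the style of an SDP policy engine: a session is only granted after device posture passes a comply-to-connect baseline, and the client is then shown only the resources its identity is explicitly entitled to (default deny, so everything else stays dark). This is an added illustration, not code from the article or from any SDP product; the posture checks, group names, resources, and the idea of a CAC/PIV-backed directory supplying group membership are all constructed assumptions.

```python
"""
Illustrative Zero Trust / SDP-style access decision (added example, not
product code). Demonstrates:
  1. comply-to-connect: a device failing a baseline posture check gets no
     session at all, regardless of who the user is;
  2. least privilege / default deny: a compliant session sees only the
     resources its groups are entitled to, nothing else.
All users, devices, resources and checks below are constructed sample data.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Identity:
    user: str
    groups: FrozenSet[str]   # assumed to come from a CAC/PIV-backed directory
    mfa_verified: bool       # strong authentication completed for this session


@dataclass(frozen=True)
class DevicePosture:
    os_patched: bool
    disk_encrypted: bool
    endpoint_protection_running: bool
    managed: bool            # enrolled in agency device management (assumed)


@dataclass(frozen=True)
class Resource:
    name: str
    allowed_groups: FrozenSet[str]
    requires_managed_device: bool = False


# Comply-to-connect baseline: every check must pass before any session exists.
# Hypothetical check names; a real deployment would define its own.
BASELINE_POSTURE_CHECKS: Tuple[str, ...] = (
    "os_patched",
    "disk_encrypted",
    "endpoint_protection_running",
)

# Constructed sample catalog of protected resources.
CATALOG: Tuple[Resource, ...] = (
    Resource("email", frozenset({"staff", "contractors"})),
    Resource("wiki", frozenset({"staff"})),
    Resource("hr-portal", frozenset({"hr"}), requires_managed_device=True),
    Resource("finance-db", frozenset({"finance"}), requires_managed_device=True),
)


def posture_failures(posture: DevicePosture) -> List[str]:
    """Names of baseline checks the device fails; empty list means compliant."""
    return [check for check in BASELINE_POSTURE_CHECKS if not getattr(posture, check)]


def visible_resources(identity: Identity, posture: DevicePosture,
                      catalog: Tuple[Resource, ...] = CATALOG) -> List[str]:
    """Default-deny entitlement list for one (identity, device) pair.

    Returns the names of resources the client may reach. Anything not
    returned is never advertised to the client, which is the SDP
    'you only see what you are authorized to see' property.
    """
    # Gate 1: the session itself requires strong authentication ...
    if not identity.mfa_verified:
        return []
    # ... and a device that passes the comply-to-connect baseline.
    if posture_failures(posture):
        return []

    # Gate 2: per-resource least privilege. Start from nothing and add only
    # what an explicit rule grants.
    granted: List[str] = []
    for resource in catalog:
        if not (identity.groups & resource.allowed_groups):
            continue
        if resource.requires_managed_device and not posture.managed:
            continue
        granted.append(resource.name)
    return granted


if __name__ == "__main__":
    alice = Identity("alice", frozenset({"staff", "hr"}), mfa_verified=True)
    managed_ok = DevicePosture(True, True, True, managed=True)
    byod_ok = DevicePosture(True, True, True, managed=False)
    unencrypted = DevicePosture(True, False, True, managed=True)

    print("alice / managed :", visible_resources(alice, managed_ok))
    print("alice / BYOD    :", visible_resources(alice, byod_ok))
    print("alice / unencrypted device, failures:", posture_failures(unencrypted),
          "->", visible_resources(alice, unencrypted))
```

The two gates are deliberately separate: posture failures are reported by name so an operator can tell a user why they were refused, while the entitlement step never explains what exists beyond the user's own grants. For auditing, a deployment would log both the failing check names and the granted list per session.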
How the Government Must Respond
As a former government CIO and CISO, I know that my colleagues are rightfully concerned about costs, often expressed in terms of time, personnel, hardware and software costs, licenses, maintenance support, and more. I encourage them to look to their counterparts in the private sector for experience and lessons learned in making the pivot to SDP.
Despite SDP having its roots in government-funded research, private sector entities have been early adopters of SDP technology while government organizations lag. The results are impressive as private sector entities using SDP technology report a 50-75 percent reduction in expenditures for secure remote access after they retire their legacy VPN and Network Access Control solutions.
While the cost savings are profound, there are several other benefits to SDP solutions government agencies will realize when making the switch, which include the ability to:
- Reduce security complexity for users and operators, which leads to greater user satisfaction
- Rapidly expand and contract based on mission
- Leverage any “identity authentication” capability including CAC and PIV
- Accelerate Zero Trust strategy implementation; the corresponding increase in defensive capability against bad actors is a force multiplier
With the unprecedented and necessary pandemic response requiring massive work-from-home deployments across departments and agencies, instead of asking for more VPNs, government organizations should invest in less expensive, new secure remote access capabilities. If they do not, Congress needs to question why our government departments and agencies continue to invest in the deployment of ancient and inefficient technologies such as VPNs, when superior, more capable, less expensive, and less complex technologies such as SDPs are available.
M.F. Weiner is widely quoted for his 1976 “Don’t Waste A Crisis” quip. Let’s not waste the taxpayer’s money during this one. We must use this opportunity to rapidly enable secure remote access via SDP for our valued workforce. It will lower costs and complexity, boost our cybersecurity capabilities, and retire complex and expensive VPNs. In this time of great need, the time to move to SDP is now.
Retired Air Force Brigadier General Greg Touhill was the first Federal Chief Information Security Officer of the United States government. Now serving as President of Appgate Federal, he also serves on the faculty of Carnegie Mellon University’s Heinz College.