Written by Chris Scheels on March 17, 2020
You’re Ready to Kill Your VPN, But Where Do You Start?
You might already know the time has come to phase out your VPN in favor of a more secure approach to enterprise network access. But you may be daunted by the scope of the transition and the headaches it may cause. It doesn’t have to be this way.
Still, the task of phasing out your VPN in favor of a Software-Defined Perimeter (SDP), a solution designed and built with Zero Trust principles in mind, can seem daunting. You know the transition is necessary, but it is likely to be a headache, and you may worry that the whole process will end up disrupting the business.
A Less Painful Path to Zero Trust
First of all, a full-scale rip-and-replace of all your VPNs is unrealistic. Many of our customers who have adopted an SDP in place of a VPN did so strategically and incrementally, phasing out VPNs as part of their greater Zero Trust journey. The most pain-free way to shift from a VPN to an SDP is to identify initial areas where the change can be made with the least friction or disruption to business workflows.
With this in mind, we lay out the following considerations when starting your VPN replacement journey:
1. Get a Firm Grasp on Your VPN Posture and Costs
If you are like most mid- to large-sized organizations, you have acquired multiple VPN solutions to control access to different resources in different locations. Identify what and where those are, who is using them, and for what purpose. This should include the identification of vendor names, user numbers, contract expirations, and any upcoming hardware refreshes. Also important is the assessment of the nature of the network, data and people each VPN bucket is providing access to, and the cost of each platform, both in terms of hardware maintenance and software licensing.
2. Identify VPN Replacement ‘Low Hanging Fruit’
Search for VPN replacement points that would cause the least amount of friction and disruption to business workflows. Using your list of VPN vendor buckets, sort by the nearest renewal date, and estimate the annual renewal cost for hardware maintenance, support and any licensing costs. This becomes your initial budget for killing your VPN over time and truly securing your remote access. A hardware refresh or license renewal trigger date can serve as the entry point for your first Software-Defined Perimeter install.
3. Evaluate Risk for VPN Replacement
Identify the most pressing risks that continued use of VPNs presents. What would cause the most damage to your organization if the weaknesses inherent in VPN access were exploited by attackers tomorrow? Would it be the compromise of a financial app, a database holding IP or PII, a code repository, or, as is often the case, plain old third-party vendor access? Maybe all of the above? While your organization may have robust security standards and practices in place, the third-party partners allowed to connect to your network might not. VPN access points used by third parties are often the weakest security link and have become the attack vector of choice for cybercriminals and hackers.
4. Factor in the Business Value of Improving Operations
Client VPNs share the limitation of connecting to only one location at a time. Maintaining site-to-site VPNs to link different site infrastructures is not only costly, it is complex and brings its own set of vulnerabilities: it exposes more of the network to lateral movement from inside should one entry point be compromised. Users from different teams must connect to multiple locations throughout the day to do their jobs. This leads to excessive VPN switching, which lowers workflow efficiency and creates further security vulnerabilities. Moving to an SDP with multi-tunnel capability eliminates the need for VPN switching and reduces the overhead cost and complexity of maintaining many site-to-site VPNs or MPLS traffic flows.
These are a few preliminary considerations for undertaking a VPN replacement. In reality, there is no single right way to go about it. Every organization is different, with its own complexities, teams, risks and needs, and these will need to be factored in as you embark on your journey from VPN-based security to an SDP.
If you’re serious about killing your VPN and want to transition to a Software-Defined Perimeter, we invite you to connect with an expert who can assist you on your journey.