AppGate Blog: Software-Defined Perimeter

Written by Justin Yentile on June 13, 2019

Your VPN Is an Insecure Liability

A VPN's authentication and encryption protect traffic in transit, but they leave the VPN endpoint itself reachable by anyone on the internet, and a stolen credential or a compromised device that passes authentication typically gains broad access to the internal network. A Software Defined Perimeter (SDP) hides the infrastructure from unverified users and devices, grants access to individual resources rather than to the network, and so safeguards an organization's sensitive data against unauthorized access.


The VPN was first deployed in the 90s to connect remote users and systems to an enterprise network in a manner that was safe from prying eyes. It served as a bridge over the murky water that is the “public internet.” Though modern protocols and standards (SSL VPN with AES-256 encryption, for example) are used today, the VPN’s original purpose remains the same.

Until recently, when security practitioners and executives asked whether the VPN was secure, the universal answer was "yes," because of its authentication and encryption. But those controls only protect the tunnel: they do not hide the VPN endpoint from attackers, and once a user is authenticated they do not limit what that user can reach. Attacks have evolved to exploit exactly that. For that reason, Gartner predicts that by 2023, 60% of enterprises will have phased out most of their VPNs in favor of Zero Trust network access.

Is My VPN Secure?

When investigating if a VPN is secure, organizations must start with a fundamental statement that should always be assumed to be true: Malicious actors want to break into my network to disrupt my business, steal my data, and cost me money.

They should also ask themselves these questions:

1. Is your organization’s VPN invisible to unverified users and devices?

If not, then its listening ports can be discovered by a port scan, fingerprinted, probed for weak credentials, or flooded with traffic until legitimate users cannot connect.

2. Does your organization allow users to access entire subnet(s) of resources?

If yes, then the network's attack surface is far larger than it needs to be: a single compromised account or device can reach every host on those subnets, not just the one application the user actually needed, which makes you an incredibly attractive target to cybercriminals.

3. Is your organization’s overall access based on static IP addresses?

If so, what happens when IPs change? How are new resources added or old ones removed? IP-based rules drift out of sync with the resources they are meant to protect, opening security holes that require an immense amount of manual intervention to find and close down the road.

Can Any User Access the Network?

The VPN cannot take advanced requirements into account; it simply affirms or rejects a connection without context. For example, when asked whether "User X" should be granted access to a production database server, the VPN can only answer yes or no, and the answer depends on nothing more than whether the credentials were valid.

By contrast, a proactive solution should respond with “it depends,” based on business, user, and device-specific conditions. The proactive solution would ask: Is “User X’s” machine patched? What time of day is it? Should “User X” be working on this project? Where is “User X” located? What is “User X’s” current security posture? Does “User X” have the right SAP credentials?

This is only a small subset of the questions a network access solution should ask before allowing a user to reach a critical resource, and a conventional VPN, which grants network access on credentials alone, does not ask them.
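
The contrast above, as an added illustration that is not AppGate SDP code: a VPN-style decision returns one verdict for the whole network from the credential check alone, while a context-aware decision evaluates group membership, location, time of day and device posture per resource and denies by default. The resource names, group names, device attributes and the sample requests are all constructed for this example.

```python
"""Context-aware access decisions, as opposed to a VPN's yes/no on credentials.

Added illustration, not AppGate SDP code. The resources, groups, device
attributes and sample requests are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Device:
    patched: bool
    disk_encrypted: bool
    managed: bool          # enrolled in the organization's device management


@dataclass
class Request:
    user: str
    groups: set
    device: Device
    location: str          # ISO country code; assumed to come from geo-IP or the client
    when: datetime         # assumed to be in UTC
    resource: str


# One rule per resource. Anything not listed is denied (default deny).
POLICY = {
    "prod-db": {
        "groups": {"dba"},
        "locations": {"US", "DE"},
        "hours": (7, 20),                      # UTC hour window, start inclusive
        "device": ("patched", "disk_encrypted", "managed"),
    },
    "wiki": {
        "groups": {"staff", "dba"},
        "locations": None,                     # any location
        "hours": None,                         # any time
        "device": ("managed",),
    },
}


def vpn_decision(valid_credentials):
    """The VPN model: valid credentials open the whole network, no context."""
    return valid_credentials


def sdp_decision(req):
    """Evaluate one request against one resource.

    Returns (allowed, reasons). Every failed condition is recorded so the
    denial can be logged; the connection is permitted only if nothing failed.
    """
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, ["no policy defined for resource"]
    reasons = []
    if not (req.groups & rule["groups"]):
        reasons.append("user is not in an authorized group")
    if rule["locations"] is not None and req.location not in rule["locations"]:
        reasons.append("location %s is not permitted" % req.location)
    if rule["hours"] is not None:
        start, end = rule["hours"]
        if not start <= req.when.hour < end:
            reasons.append("outside permitted hours")
    for attr in rule["device"]:
        if not getattr(req.device, attr):
            reasons.append("device check failed: %s" % attr)
    return not reasons, reasons


def sample_request(resource, patched=True, location="US", hour=9, groups=("dba", "staff")):
    """Build a constructed request for the demo; not real telemetry."""
    dev = Device(patched=patched, disk_encrypted=True, managed=True)
    return Request("alice", set(groups), dev, location,
                   datetime(2019, 6, 13, hour, tzinfo=timezone.utc), resource)


if __name__ == "__main__":
    # Same user, same valid credentials, but an unpatched laptop.
    print("VPN:", vpn_decision(True))                              # True: whole network
    print("SDP:", sdp_decision(sample_request("prod-db", patched=False)))
    # (False, ['device check failed: patched'])
    print("SDP:", sdp_decision(sample_request("wiki", patched=False)))
    # (True, []): the low-value resource only requires a managed device
```

Each call to `sdp_decision` answers for exactly one resource, which is what a one-to-one connection requires: the same user may be allowed onto the wiki and refused the production database in the same session, and the list of reasons is what an operator needs to see in the access log.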

A Modern Solution for Modern IT

The VPN is hindering your organization’s long-term security and success, and this must stop. Instead, adopt a Software Defined Perimeter, a proactive solution that has the ability to answer questions based on specific conditions.

The benefits of employing an SDP include:

  • Designed Around the User – Instead of centralizing access through an IP address, AppGate SDP builds a multi-dimensional profile of a user and device, seamlessly integrating with existing directory services and IAM solutions.
  • Deployment of Zero Trust – AppGate SDP applies the principle of least privilege to the network, and greatly reduces the attack surface. By default, users are not allowed to connect to anything. Zero Trust ensures that once the proper access criteria are met, a dynamic one-to-one connection is generated, and the user is granted access only to the resources they need.
  • Utilizing Single-Packet Authorization Technology – AppGate SDP cloaks the infrastructure so that only verified users can communicate with the system. Every service port stays closed until a client sends a single, cryptographically authenticated authorization packet, so the Gateways and Controllers are invisible to port scans and cannot be probed, scanned, or attacked by anyone who cannot produce that packet. This all but eliminates a malicious actor's ability to carry out network reconnaissance or lateral movement.
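
How single-packet authorization cloaks a gateway, shown as an added example that illustrates the general SPA technique and is not AppGate's wire format or code. The client sends one authenticated datagram; the gateway keeps every port closed, silently drops anything that fails the check, and opens a short-lived pinhole for that one client only. The pre-shared key, client identifier, packet layout and timestamps are constructed for this example, and the firewall is simulated by a dictionary.

```python
"""Single-packet authorization (SPA) sketch: cloaked gateway, both sides.

Added illustration of the SPA idea, not AppGate's wire format. The key,
client id, packet layout and timestamps are constructed for this example.
"""
import hashlib
import hmac
import os
import struct
import time

NONCE_LEN = 16
TAG_LEN = 32            # HMAC-SHA256 output length
WINDOW = 30             # seconds of clock skew tolerated; also how long a nonce is remembered


def build_spa_packet(client_id, key, now=None, nonce=None):
    """Client side: one UDP datagram, sent before any TCP connection attempt.

    body   = nonce || timestamp (8-byte big-endian) || client_id
    packet = body || HMAC-SHA256(key, body)
    """
    now = int(time.time()) if now is None else int(now)
    nonce = os.urandom(NONCE_LEN) if nonce is None else nonce
    body = nonce + struct.pack(">Q", now) + client_id
    return body + hmac.new(key, body, hashlib.sha256).digest()


class SpaGateway:
    """Gateway side. All service ports are closed (firewall DROP, so a scan
    sees nothing) until a valid packet opens a pinhole for that client only.
    The gateway never replies to a bad packet; it just drops it."""

    def __init__(self, keys, window=WINDOW):
        self.keys = keys            # client_id -> pre-shared key
        self.window = window
        self.seen = {}              # nonce -> timestamp, for replay detection
        self.pinholes = {}          # client_id -> expiry; the simulated firewall rule

    def verify(self, packet, now=None):
        """Return (accepted, reason). The reason is for the gateway's own log only."""
        now = int(time.time()) if now is None else int(now)
        if len(packet) < NONCE_LEN + 8 + 1 + TAG_LEN:
            return False, "malformed"
        body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        client_id = body[NONCE_LEN + 8:]
        key = self.keys.get(client_id)
        if key is None:
            return False, "unknown client"
        # Authenticate before trusting any field; constant-time comparison.
        expected = hmac.new(key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False, "bad authentication tag"
        nonce = body[:NONCE_LEN]
        ts = struct.unpack(">Q", body[NONCE_LEN:NONCE_LEN + 8])[0]
        if abs(now - ts) > self.window:
            return False, "timestamp outside window"
        # Forget nonces too old to be replayed within the window, then check.
        self.seen = {n: t for n, t in self.seen.items() if now - t <= self.window}
        if nonce in self.seen:
            return False, "replay"
        self.seen[nonce] = ts
        self.pinholes[client_id] = now + self.window
        return True, "ok"

    def is_open(self, client_id, now=None):
        """Would the firewall accept a TCP connection from this client right now?"""
        now = int(time.time()) if now is None else int(now)
        return self.pinholes.get(client_id, 0) > now


if __name__ == "__main__":
    key = b"constructed-pre-shared-key"          # constructed; use per-client keys in practice
    gw = SpaGateway({b"laptop-42": key})
    pkt = build_spa_packet(b"laptop-42", key)
    print(gw.verify(pkt))                        # (True, 'ok')
    print(gw.is_open(b"laptop-42"))              # True: pinhole open for this client
    print(gw.verify(pkt))                        # (False, 'replay'): a captured packet is useless
```

The properties that matter for cloaking are all on the gateway side: it parses nothing it has not authenticated, it answers nothing on failure (so a scanner cannot distinguish a cloaked gateway from an unused address), and the timestamp window plus nonce memory mean that capturing a valid packet on the wire does not let an attacker open the door later.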

Don’t be lulled into complacency by thinking that your current network VPN solution is “good enough,” just because the idea of phasing it out is daunting. It is time to enlist in a reliable proactive solution – a Software Defined Perimeter.

Want to learn more about the journey away from VPNs? The webinar "Kill Your VPN" showcases how one company replaced its VPN with AppGate SDP.