Virtual private networks, or VPNs as they’re more commonly known, have been around in one form or another for over 20 years. They’re extremely good at performing one very important task – creating a secure, encrypted tunnel that extends across public networks, allowing users to send and receive data as if their device were connected directly to an internal resource.
The rise and rise of the VPN
In recent years, VPNs’ ability to create this secure, remote connection has again given them a boost in popularity. Enterprises grappling with large, decentralized workforces have turned to the VPN as a means for keeping employees and their devices secure while accessing sensitive applications and data.
But it’s not all good news for VPNs. While they do indeed work remarkably well when it comes to tunneling and encrypting data from authorized users, there are a couple of significant catches.
More hackers, more cloud(s)
The world of security looks very different from where it was when VPNs first made a splash on the scene. Hacking and breaches existed, of course, but they were far less sophisticated and could often be beaten by the prevailing combination of VPN and firewall technologies. Since then, however, we’ve seen wave after wave of attacks, including distributed denial of service (DDoS) and various zero-day attacks that take advantage of newly discovered vulnerabilities.
As employees increasingly started using their own devices (BYOD) for work purposes and began to work more frequently outside the protection of the office, it became more difficult for IT teams to see what was happening on those devices as the number of attack surfaces proliferated.
Some of the most common hacks these days involve phishing, which if successful, can quickly cause the loss of information such as usernames, passwords, bank account details and more. If that stolen information happens to include VPN login credentials, then a hacker can go almost completely unnoticed as they exfiltrate virtually any ‘unlocked’ asset in the organization. And because some VPNs are based on open source technologies, a single vulnerability can be exploited across multiple solutions.
Traditional VPNs face one more significant disadvantage. In the past, most companies kept applications and their data on-premises, running in corporate data centers. However, this is no longer the case. Organizations today have rapidly shifted away from the cost and complexity of self-managed data centers to the convenience and simplicity of privately hosted applications and data or SaaS applications hosted on the public web. With most VPNs needing to be either ‘off’ or ‘on,’ sending application data down a tunnel to HQ and then out to the web is extremely inefficient and can quickly cause a bottleneck that results in frustrated employees. Many companies discovered this firsthand when their VPNs couldn’t scale to meet the sudden demand of employees all working from home.
The Mobile VPN
One answer is the mobile VPN, which takes all of the strengths of legacy VPNs, but works particularly well for mobile devices outside the corporate network. Rather than becoming yet another chokepoint in the network, these VPNs can actually improve the user experience through the use of data compression, application persistence and other enhancement techniques. No more dropped sessions or session re-authentication required, even in areas with choppy Wi-Fi or cellular connections.
But even mobile VPNs aren’t completely future-proof. As mentioned above, a hacker with access to a VPN’s credentials has almost carte blanche to access corporate data without being detected. The adoption of multifactor authentication (MFA) has certainly helped, but this also isn’t enough to ensure the continued integrity of corporate data.
New Kid On The Block
The answer lies in deploying a software defined perimeter, or SDP, around all of the devices used by the organization. This technology, sometimes referred to as zero trust network access (ZTNA), uses a series of conditional criteria that must be met before any user or device is given access to corporate assets. Where is the user? What device are they using? Is the device running the latest, approved version of its OS? Does this user have authorization to access this application or data? There are literally dozens of criteria that can be used to judge each request’s authenticity and merits before it is allowed.
Having an SDP solution in place with the right set of policies means that even with the correct credentials, a hacker would not be able to access valuable data. Their device, their location, or any number of other factors will set off a red flag. Quite frankly, SDP technology has enormous potential to be the next great leap in security for decentralized organizations with many mobile or remote employees.
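The conditional-access idea described above, as an added illustration that is not code from the original post or from any SDP vendor: a small policy evaluator that checks every criterion (credentials, MFA, device enrollment, approved OS version, location, application entitlement) and reports all failed checks, so that a request carrying correct, stolen credentials is still refused. All policy data and device identifiers are constructed sample values.

```python
from dataclasses import dataclass

# Constructed sample policy data (assumptions for this example, not a real product's schema).
APPROVED_OS = {"ios": (16, 0), "android": (13, 0), "windows": (10, 0)}  # minimum versions
ALLOWED_COUNTRIES = {"US", "GB", "DE"}
ENROLLED_DEVICES = {"dev-1234", "dev-5678"}
APP_ENTITLEMENTS = {"finance-app": {"alice"}, "wiki": {"alice", "bob"}}


@dataclass
class AccessRequest:
    user: str
    password_ok: bool      # result of the primary credential check
    mfa_ok: bool           # result of the second factor
    device_id: str         # identity of the device presenting the request
    os_name: str
    os_version: tuple      # e.g. (17, 1)
    country: str           # resolved location of the request
    app: str               # resource being requested


def evaluate(req: AccessRequest) -> list:
    """Return the list of failed criteria; an empty list means access is granted.

    Every check runs, rather than stopping at the first failure, so the decision log
    shows all the reasons a request was refused.
    """
    failures = []
    if not req.password_ok:
        failures.append("bad-credentials")
    if not req.mfa_ok:
        failures.append("mfa-missing")
    if req.device_id not in ENROLLED_DEVICES:
        failures.append("device-not-enrolled")
    min_version = APPROVED_OS.get(req.os_name.lower())
    if min_version is None or req.os_version < min_version:
        failures.append("os-not-approved")
    if req.country not in ALLOWED_COUNTRIES:
        failures.append("location-not-allowed")
    if req.user not in APP_ENTITLEMENTS.get(req.app, set()):
        failures.append("not-entitled-to-app")
    return failures


def is_allowed(req: AccessRequest) -> bool:
    """Grant only when no criterion failed; valid credentials alone are not sufficient."""
    return not evaluate(req)
```

In a real deployment the OS version and device identity would come from an attested posture check on the endpoint, not from values the client asserts about itself.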
No eulogy required
You’d be forgiven for thinking that the SDP is about to usurp the role of the VPN completely. In fact, many SDP vendors (who typically don’t have a VPN of their own) often shout that the VPN is dead. But not so fast.
This shouldn’t be a case of one over the other, at least not for a decade. These two technologies actually complement one another extremely well. There is certainly an argument to be made for a hybrid solution that combines the benefits of a mobile VPN’s data encryption, compression and application persistence with the incredibly granular security benefits of an SDP.
One other thing to keep in mind: an SDP alone requires a controller (usually on the device) and a gateway somewhere in the network. That is significant because it means that, again, an SDP alone can potentially become a chokepoint if it isn’t able to scale. Combining an SDP and an intelligent VPN would enable split tunneling directly to the web, reducing network congestion while maintaining security over corporate assets.
All of this is not to say that VPNs and SDPs are the only game in town. Another one of the new technologies gaining ground in this space is the CASB, or cloud access security broker. CASBs do a very good job of protecting resources, as long as those assets have completely migrated to the public cloud.
The reality for the foreseeable future is that most companies – about 98% in fact – still maintain some applications on-premises or at least hosted in a private cloud. For the vast majority of companies, therefore, migrating to a hybrid VPN / SDP solution makes the most sense.