Are VPNs a thing of the past?

Attention world: In 2018, we officially surpassed 4 billion internet users[1], and there are no signs of the adoption rate slowing down. Yet the Internet as we know it has only been around since the 1990s. Along with it, different iterations of virtual private networks (VPNs) have been created and used. Why have end users adopted this technology to connect remotely to private networks on such a gigantic scale? Simply put, VPNs are seen as efficient and able to enhance productivity in a variety of ways, but (and there is always a “but”) the assumption is that they are completely secure. Unfortunately, both unscrupulous individuals and organized crime groups have proven that VPNs aren’t the panacea organizations think they are.

One high-profile and well-known example of this is the Target breach of 2013. This now-infamous case was the result of malicious actors compromising a machine belonging to a third-party Target contractor and using it to gain access to the corporate network and steal data. When a VPN tunnel is opened between a client and a corporate VPN device (usually on the inside of the network), all applications can traverse that tunnel and are free to go mostly unmonitored.

In today’s working environment, third-party contractors, remote workers, support teams, and the like all need access to mission-critical back-end systems. These systems can reside in the cloud or in “secure” data centers, but either way, they house information that must be accessed. Historically, to get users onto a system, they were equipped with something they know (password), something they have (second-factor device) and something they are (username). Yet this isn’t always practical with third-party users, who sometimes lack one of these three credentials and do not have a solid cryptographic fingerprint. Sometimes they are given dispensations to access systems, but without the correct level of authentication, the entire network may as well be considered compromised.

To their peril, many companies prioritize productivity and maximizing profit at the expense of fundamentally necessary security. Security is often seen as a hindrance because of the effort needed to implement it and to log in. Traditional requirements include multiple hard-to-remember passwords and multi-factor authentication tokens that are easily misplaced, which cause helpdesk requests and delays.

On top of all this, VPNs add significant costs to organizations, as each access point (multiple data centers or clouds) requires additional hardware (VPN concentrators, IDS/IPS, proxies, firewalls, etc.). Not to mention that the resources needed to manage all the policies and access controls skyrocket with the solution. Mismanagement of this can lead to even greater lapses in security.

What is a company to do? VPNs are expensive and can have some security constraints, but the costs associated with both a tarnished reputation and data loss are even greater and more far-reaching. The better choice: adopt a zero trust mentality around network access. This starts by providing access only at the application layer, based on who the user is and what they have. In other words, grant access only to the applications the user is authorized to use (nothing more), and enforce multifactor authentication. This allows organizations to secure access to resources and reduce the amount of hardware and peripheral infrastructure that goes along with it.
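As an added illustration of the per-application, deny-by-default model described above (example code written for this page, not code from the original post or from any Akamai product), the small policy engine below decides each application request on its own, requiring both authorization for that application and a verified second factor, and emits an audit line per decision. The application names, roles and users are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample policy: application -> roles allowed and whether MFA is required.
APP_POLICY = {
    "vendor-portal": {"roles": {"contractor", "employee"}, "mfa_required": True},
    "payroll":       {"roles": {"finance"},                "mfa_required": True},
    "wiki":          {"roles": {"employee"},               "mfa_required": False},
}


@dataclass
class Request:
    user: str
    roles: set
    mfa_verified: bool
    app: str


def authorize(req: Request) -> tuple[bool, str]:
    """Deny-by-default decision for ONE application.

    In contrast to a network-level VPN tunnel, nothing decided here grants
    reachability to any application other than the one requested.
    """
    policy = APP_POLICY.get(req.app)
    if policy is None:
        return False, "unknown application"
    if not (req.roles & policy["roles"]):
        return False, "user not authorized for application"
    if policy["mfa_required"] and not req.mfa_verified:
        return False, "MFA required"
    return True, "allowed"


def evaluate_session(user: str, roles: set, mfa_verified: bool, apps: list):
    """Evaluate several requests from one identity.

    Returns a per-application decision map and an audit log, so every access
    is recorded at the application layer rather than disappearing into a tunnel.
    """
    decisions, audit = {}, []
    for app in apps:
        ok, reason = authorize(Request(user, roles, mfa_verified, app))
        decisions[app] = ok
        verdict = "ALLOW" if ok else "DENY"
        audit.append(f"user={user} app={app} mfa={mfa_verified} decision={verdict} reason={reason}")
    return decisions, audit


if __name__ == "__main__":
    # A contractor with a verified second factor reaches only what their role permits.
    _, log = evaluate_session("hvac-vendor", {"contractor"}, True, ["vendor-portal", "payroll"])
    print("\n".join(log))
```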

So, in the new age of the Internet, with the growing number of users, threats, and applications, are VPNs really a thing of the past? In short, the practicality of VPNs is no longer what it once was. Combining the high cost of running and maintaining them with the various factors associated with third-party access (such as the Target case above) shows that a fundamentally new approach to access is needed. A zero trust approach is a new paradigm to many, but the first step is awareness. View this infographic for a visualization of why zero trust is the security model you need to take your business from the 1990s to today (and beyond).

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Dan Kirwan-Taylor CISSP. Read the original post at: