VPNs Aren’t Dead, They Just Need to Evolve

Companies have long relied on VPNs to secure corporate data and devices for remote workers, suppliers, contractors and other people authorized to access the company network. As technology continues to evolve, VPNs have held strong as a tried-and-true method for corporate security.

However, the nearly 20-year-old technology is being seen under a more critical light recently due to changing work and networking routines, and evolving hacking methods and threats. Telecommuting is becoming more and more common, and employees no longer just have a laptop—they’re likely connecting their phones and tablets to the VPN as well. With more devices connecting, the perimeter and attack surfaces grow ever larger. The manageable, well-defined perimeter no longer exists, and enterprises are realizing they need something more.

Gartner has predicted VPN technology will be falling by the wayside. In a November 2017 report, the analyst firm predicted “by 2021, 60 percent of enterprises will phase out network VPNs for digital business communications in favor of software-defined perimeters.” Some experts have even gone as far as to say that the VPN is dead; however, it’s fairer to say that it needs rethinking. As hackers evolve and have shown that they can (and will) take advantage of holes in the perimeter, cybersecurity practices must evolve and close those gaps as well.

That’s where the software-defined perimeter comes in. SDP is a “zero trust” solution that vets two key access criteria: Should this device be allowed to connect, and is this particular user authorized? In a nutshell, SDP closes external network access for unauthorized users and devices and opens it on demand only for those who have been authorized.

While many claim that SDP completely replaces VPNs, in reality it simply closes the gaps and adds the layers of security needed to thwart would-be attackers. Here’s how:

  • It eliminates an organization’s visible internet presence—SDP keeps services invisible to port scanning and other reconnaissance methods until a user and device have been authorized.
  • It doesn’t require managing end-user certificates.
  • It does not grant access to the physical network and every application on it, only pinpoint access to the specific application the user is authorized for.
  • No open ports in the firewall from untrusted segments to trusted ones, which cuts down on room for error.

And, most important of all, users are authenticated before getting access. Why is this so crucial? Think about going into a top-secret government building, and imagine that, to get in, you first have to go to a certain building to be authenticated—your credentials and identification would be verified. Then, you are blindfolded and brought into a specific room at the top-secret location, so you would not know how you got there or what else is located in the building beyond what you are there to see. Enterprises should treat their data as securely as this, and that means authentication before access. This is what a true “zero trust” solution looks like.
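To make the two access criteria concrete, here is an added example (not from the article or any SDP product) that models a default-deny SDP controller alongside the network-level trust model the article criticises. The device inventory, application grants and class names are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample data: a device inventory (device id -> owning user) and
# per-user application grants. Invented for the example, not a real deployment.
TRUSTED_DEVICES = {"laptop-0042": "alice", "phone-0042": "alice", "laptop-0099": "bob"}
APP_GRANTS = {"alice": {"payroll", "wiki"}, "bob": {"wiki"}}  # pinpoint application access


@dataclass
class AccessRequest:
    user: str
    device_id: str
    app: str
    authenticated: bool  # did the user pass authentication at the controller?


@dataclass
class SdpController:
    audit_log: list = field(default_factory=list)

    def decide(self, req: AccessRequest) -> bool:
        """Default deny. Open a path only for an authenticated user on a
        registered device, and only to the single application requested."""
        # Criterion 1: should this device be allowed to connect at all?
        if TRUSTED_DEVICES.get(req.device_id) != req.user:
            return self._deny(req, "unregistered device or device/user mismatch")
        # Authentication happens before any application becomes reachable.
        if not req.authenticated:
            return self._deny(req, "user not authenticated")
        # Criterion 2: is this particular user authorized for this application?
        if req.app not in APP_GRANTS.get(req.user, set()):
            return self._deny(req, "user not authorized for application")
        self.audit_log.append(("ALLOW", req.user, req.device_id, req.app))
        return True

    def _deny(self, req: AccessRequest, reason: str) -> bool:
        # Every refusal is logged so the SOC can see probing of closed paths.
        self.audit_log.append(("DENY", req.user, req.device_id, req.app, reason))
        return False


def vpn_style_decide(req: AccessRequest) -> bool:
    """The assumption of trust the article criticises: once authenticated,
    the client is on the network and can reach any application on it."""
    return req.authenticated
```

The same authenticated user on an unauthorized application is allowed through by the network-trust model and refused by the SDP controller, which is the gap the article says SDP closes.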

VPNs may have faults—the prime being their assumption of trust—but they do still have their place. Instead of ripping them out, implement a smart and focused SDP solution that closes gaps and more effectively secures the ever-growing perimeter.

Eitan Bremler