Time to Eliminate Traditional VPNs - Security Boulevard

SBN Time to Eliminate Traditional VPNs

 It is time to stop trusting your endpoints implicitly and reduce the complexity and risk associated with traditional VPN access and flat networks.

Varied digital ecosystems, cloud migration, and workforce mobility have created a climate where the network perimeter no longer exists. This is evident in the massive amount of data breaches we’ve seen in the last five years, with the vast majority occurring as a result of trust being abused inside of the perimeter. Threats are moving inside and internal apps are getting attacked from “trusted sources” by overly privileged access and a host of other common application layer attacks. Once inside, malicious actors are moving laterally based on “most privilege” and exfiltrating data before anyone notices and able to identify that a breach has even occurred, which makes trusting access based on IP address unreliable.

According to Akamai’s State of the Internet Security Report there has been a 38% increase in application layer attacks from 2016 to 2017* and according to McAfee’s “Grand Theft Data Report” insiders are responsible for 43% of data breaches.** 

Fig 1KR.png

Figure 1 Source: McAfee Grand Theft Data Report

Traditional perimeters are modeled on the principle of least privilege at each layer, where the inner layers of the network (host, application, data) inherit trust from the outer layers (physical and DMZ perimeter). This makes the network more susceptible and prone to data exfiltration from internal users – malicious or not. In fact, McAfee’s “Grand Theft Data” report identified that almost two-thirds of data breaches involved traditional corporate networks. 

 Fig 2 KR.png

 Figure 2 source: McAfee Grand Theft Data Report

Enterprises need to consider how they can move away from a traditional perimeter security model (e.g. using VPNs for remote employees, contractors, vendors, and developers to access applications) and institute a zero trust security model that removes any level of inherited trust at all layers within the network. Tactics such as network micro-segmentation have proven difficult and cumbersome to manage and still don’t reduce the necessary risk as “permit any” access still allows for lateral movement within the network. 

VPN elimination is a core tenet in a zero trust model. Eliminating the VPN removes the associated trust at the inner layers, addresses lateral threats, and reduces the attack surface. Akamai’s Enterprise Application Access (EAA) gives individual access to internal applications on a per app basis without providing full network access, thus helping to improve an organization’s security posture by reducing their attack surface and not allowing lateral movement within the network. EAA is a cloud-based solution that is designed to be simple and quick to configure, manage, and maintain. IT organizations get a centralized managed solution that does not rely on traditional remote access technologies (VPNs, VDI, RDP or proxies) or require hardware or software.

Akamai commissioned Forrester to create a total economic impact (TEI) report on Enterprise Application Access, published in September 2018. During the course of Forrester’s interviews with Akamai customers, an executive shared thoughts on the challenges the company faced with its VPN.

“We had a VPN appliance, but it had some high-profile security vulnerabilities, some of which required no authentication whatsoever. As a result, we decommissioned the VPN. The problem was that we didn’t give people remote access to applications that they needed for work… when they traveled they had no way to get access to information.”

Enterprise Application Access (EAA) supports the transition from, and eventual elimination of, the VPN to move from a traditional perimeter to a globally distributed Identity Aware Proxy at the edge that supports agility, simplicity, and a better user experience. EAA is a cloud-based access approach that locks down the corporate network with dial-out only access to applications behind the firewall. Application access – regardless of where the apps are hosted (on-prem, IaaS, SaaS) – is based solely on entitlement, identity, authentication, and authorization at a per-app level. EAA incorporates native multi-factor authentication (MFA) and true single sign-on (SSO) and also integrates with third-party MFA and IdP sources. EAA can be deployed alongside of VPNs for app-specific access and control, allowing organizations to gradually transition to a perimeter-less environment, and phase applications away from requiring VPN access.

EAA now offers a client connector for devices to access thick client applications such as mail clients, Oracle E-Business Suite, and integrated development environments (IDEs), as well as the previous clientless access to web apps. The EAA client connector also now allows users to enable additional advanced security features that can be very difficult to achieve are impossible in a traditional model, such as advanced threat protection and restrictions based on device status, geolocation, time of day and past user activity. As a cloud-based service, EAA doesn’t require the need for appliance deployment, management and patching. EAA is also designed to provide a simple and better user experience for both end-users and IT administrators. IT can implement access controls on a per-app/per-user basis, and can spin-up or decommission users and apps in a matter of minutes through a simple dashboard.

Why Eliminate VPNs for App Only Access?

  • Reduce lateral attacks with access to only necessary applications without exposing the full network.
  • Support a better user experience, increase workforce productivity and reduce IT helpdesk tickets.
  • Lower costs associated with IT hours spent updating firewall rules and maintaining hardware and software.
  • Understand who is accessing apps, where data is going, and how it is being accessed with visibility into access, system, and admin event logs.

To learn more on how EAA can help you transition from your VPN to reduce network access and minimize data breach risk, read these materials:




*Akamai SOTI/Security Summer 2018 Report – https://www.akamai.com/us/en/about/our-thinking/state-of-the-internet-report/global-state-of-the-internet-security-ddos-attack-reports.jsp

** McAfee Grand Theft Data Report – https://www.mcafee.com/enterprise/en-us/assets/reports/rp-data-exfiltration.pdf?clickid=xFSXcW0DJWIDXi91R%3ARegwgVUkg2ugUwiw6I0M0&lqmcat=Affiliate:IR:null:74047:10078:10078:null&sharedid

*** This is a Security Bloggers Network syndicated blog from The Akamai Blog authored by Kristen Raybould. Read the original post at: http://feedproxy.google.com/~r/TheAkamaiBlog/~3/cAwIZ6-e8_o/time-to-eliminate-traditional-vpns.html