Do VPNs make you more or less secure?
This is a question many companies found themselves asking in 2019.
From emerging reports of hacked VPNs to the rise of Zero Trust, VPNs were subject to much scrutiny in the last year of the 2010s.
VPNs have been considered a key element of network security since the 1990s when companies began installing them to create secure connections between internal networks and outside users. But the world has changed since the 90s, as you might have noticed. Back in the 90s and early 2000s, the people using your corporate VPN were your employees. If they wanted to work while out of the physical office, they would log on to the company VPN and get access to resources as if they were working in-office.
Today, trends like the gig economy and the use of third parties means that there are lots of outsiders accessing your network via VPN connections. This method offers no granularity, thus granting these external entities a direct access path into all internal resources. This creates a huge potential attack surface—and scarily, there’s little way to guarantee that users are legitimate.
Moreover, at this past August’s Black Hat Conference, researchers performed a POC in which they exploited vulnerabilities in two major VPN providers. Then just a few days later, malicious attackers used that same code to hack the VPN provider’s customers. So not only did VPNs not keep their users safe, in some highly publicized incidents, they made their users less safe. Ouch.
Here Comes Zero Trust
But far more detrimental to VPN’s reputation has been the rise of Zero Trust. Zero Trust is not a “tool” or a “solution”. Rather its a strategy that posits that everything and everyone trying to access resources must be verified, whether they sit inside or outside your network. The traditional castle and moat, or “inside perimeter = trusted, outside = untrusted” approach doesn’t work in our complex and fluid work environment today.
Thanks to the myriad of high profile breaches over the last few years, it’s clear that Zero Trust is the only way forward in security. And VPNs cannot verify anything, putting them at odds with a Zero Trust strategy.
But if Zero Trust isn’t a tool per se, how are companies going about implementing it? We already understand that to adhere to Zero Trust, everything—everything—needs to be verified before being granted access to any resources and applications. One solid way to implement this is with a Software Defined Perimeter or SDP. SDPs allow organizations to provision secure access to applications only once certain criteria are met. If they are not met, the requesting party is denied access. This is a true Zero Trust architecture.
Should You Rip and Replace Your VPN?
Does this mean you should ditch your VPN and shift your application access over to an SDP? While some SDP-only proponents will shout a resounding “YES!”, that’s not necessarily the only solution. Moving over to a full SDP deployment is a huge step, one that is surely beneficial and wise in the end—but one that should be undertaken with carefully planned baby steps to ensure you get it right. And in this sense, retaining your VPN while getting started with SDP actually makes a lot of sense.
For starters, they still fulfill their purpose of allowing you to securely connect to internal networks when off site via strong end-to-end encryption.
Additionally, there are some risk-averse environments where ripping and replacing what you’ve already got isn’t an option. Many organizations simply want a safer, less aggressive way to incorporate SDP into their already existing architecture that also retains the benefits of their VPN.
SDP and VPN — Better Together
Now you can adopt a Zero Trust SDP architecture without getting rid of your VPN. Safe-T’s SDP enhances VPN security by adding SDP capabilities, allowing access to applications and services only after trust has been verified. Deploying SDP on top of the existing VPN offers a customized and scalable zero trust solution—with all the benefits of SDP while lowering the risks involved in adopting a new technology. It’s ironclad Zero Trust, with no changes to your users or how they access resources, as they can continue using your VPN client.
So what’s the answer to whether or not VPNs make you more secure or not? The answer is that it depends; are you using it as part of a comprehensive Zero Trust strategy? If you are, you can rest assured that you’re more secure with it.