This is Not Your Father’s VPN
To many, VPNs seem unremarkable and haven’t changed much in the past decade. A VPN is a VPN is a VPN. Some even think that VPNs are hardly necessary with the rise of building encryption directly into email, browsers, applications and cloud storage. The reality is that—especially for small and medium businesses (SMBs)—VPNs are still vital; they can and should take on additional responsibilities to meet the challenges of a largely remote workforce and the increasing amount of IT resources and infrastructure residing in the public cloud.
In today’s challenging and ever-changing environment, modern VPNs are less about point-to-point encrypted tunnels and more about enabling a new kind of networking to secure employees and other users, regardless of where they are located, and protecting cloud-hosted resources, ranging from SaaS applications and services to storage. In essence, this represents a shift to a cloud VPN that ensures secure access and provides necessary controls while also enabling agility and scalability. The internet is the network, but a cloud VPN is a secure, virtual, private network within it.
Traditional Corporate Networks
For many companies, the idea of a traditional corporate network is long gone. Even enterprises with sizable physical offices may no longer operate anything resembling a local area or wide area network; most simply have internet access points. Even peripherals, such as printers, may be connected directly to the internet. Some companies have most or all of their employees working remotely and, for them, the network consists of each individual’s internet connection. Some companies no longer have physical office locations at all and instead rely on shared workspaces as needed. Again, the network is wherever those happen to be. At the same time, for a growing list of companies, all systems, applications and storage are in the public cloud.
Rethinking VPNs
The new cloud reality calls for a rethinking of VPNs that shifts from connecting discrete points—offices, private data centers and remote-access VPN concentrators—to cloud networks tailored to each organization that encompass all access points and all resources. Such cloud VPNs also leave hardware behind, including expensive and complex MPLS circuits, and are fully cloud-delivered. Similarly, they are not an add-on to endpoint security suites or corporate firewalls. They can be fully automated and are far easier to set up and maintain.
Besides providing scale and flexibility, these new cloud VPNs can raise the level of security well beyond past generations. One way is through the use of static IP addresses. Assigning each user or device a fixed address ties traffic to a known source, which gives deterministic knowledge of who is going where and makes access-control rules and logging or audit trails meaningful. A static address identifies a network path rather than a person, so it works best alongside strong authentication rather than in place of it. Previously, fixed IP addresses were considered to limit flexibility and add expense, but as cloud-delivered capabilities they can now be implemented quickly, affordably and at scale.
Cloud VPN
Having fixed IP addresses also complements identity-based access controls and helps create zero-trust type environments. Zero-trust has been difficult for most SMBs to achieve due to its complexity and the time and cost required to build and maintain it. Through a cloud VPN, zero-trust network access can be implemented at the application and network layers rather than depending on gateway-based architectures or microsegmentation. Conditional access rules can be enforced, and high levels of authentication and authorization maintained. Proper logging supports compliance with stringent regulations, such as GDPR or U.S. state-specific privacy laws, and helps achieve certifications such as SOC 2. A cloud VPN can provide the means for verification, concealment, monitoring and containment—the four aspects of zero-trust network access described here.
Another important element to consider is the use of a cloud VPN as the means to implement a software-defined perimeter that hides and protects all traffic within it. Rather than simple point-to-point tunneling, the cloud VPN provides a virtualized, encrypted network that connects all users to systems, data and resources with new levels of determinism, trust and control. In some cases, specific cloud resources or systems may be whitelisted so that additional security or access controls can be applied through rules or policies. IP whitelisting restricts which sources can reach a resource at the network layer at all, which significantly reduces the attack surface and the risk of unauthorized access, particularly when users have static IP addresses; it is a coarse control that sits alongside authentication and authorization rather than replacing them. A cloud VPN can take on the centralized role for IP whitelisting, removing it from individual hardware—such as firewalls, edge routers or servers—and from each application. IP whitelisting can also provide better security and control of IoT devices, which often cannot run an agent or perform interactive authentication.
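To make the combination of static source addresses, centralized IP whitelisting and identity-based conditional access concrete, here is an added example in Python. It is not code from the article or from any particular cloud VPN product; the user-to-IP assignments, groups, resources and policies are constructed sample data, and the policy format is a hypothetical one chosen for illustration. The point it shows is that the allowlist alone is not enough: a request from an allowlisted address still fails if the address does not match the user who was assigned it, if the user is not in an authorized group, or if a required MFA step is missing, and every decision lands in an audit trail.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample data (hypothetical): static egress IPs the cloud VPN
# assigns per user or device, and the groups each identity belongs to.
STATIC_USER_IPS = {
    "alice": "10.40.0.11",
    "bob": "10.40.0.12",
    "iot-sensor-7": "10.40.9.7",
}
USER_GROUPS = {
    "alice": {"finance"},
    "bob": {"engineering"},
    "iot-sensor-7": {"iot"},
}


@dataclass(frozen=True)
class Policy:
    """Per-resource rule: a network-layer allowlist plus identity conditions."""
    resource: str
    allowed_cidrs: tuple           # CIDRs permitted to reach the resource
    allowed_groups: frozenset      # groups authorized for the resource
    require_mfa: bool = False      # conditional-access step for sensitive data


# Constructed policies: the payroll database is reachable only from the staff
# range, only by finance users, and only with MFA; the IoT collector accepts
# only the IoT device range and the iot group.
POLICIES = [
    Policy("payroll-db", ("10.40.0.0/24",), frozenset({"finance"}), require_mfa=True),
    Policy("iot-collector", ("10.40.9.0/24",), frozenset({"iot"})),
]


@dataclass
class Request:
    user: str
    source_ip: str
    resource: str
    mfa: bool = False


AUDIT = []  # in-memory audit trail; a real deployment would ship this to a SIEM


def evaluate(req, policies=POLICIES, user_ips=STATIC_USER_IPS, groups=USER_GROUPS):
    """Return (allowed, reasons) for a request and record the decision.

    Checks are evaluated in order and every failing check is reported, so the
    audit record explains exactly why a request was denied. Default deny.
    """
    reasons = []
    policy = next((p for p in policies if p.resource == req.resource), None)
    if policy is None:
        reasons.append("no-policy")
    else:
        ip = ipaddress.ip_address(req.source_ip)
        # 1. Network layer: is the source address on the resource's allowlist?
        if not any(ip in ipaddress.ip_network(c) for c in policy.allowed_cidrs):
            reasons.append("ip-not-allowlisted")
        # 2. Determinism from static IPs: the address must be the one assigned
        #    to the claimed identity, otherwise someone else is on that address.
        if user_ips.get(req.user) != req.source_ip:
            reasons.append("ip-user-mismatch")
        # 3. Identity: the user must hold a group the policy authorizes.
        if not (groups.get(req.user, set()) & policy.allowed_groups):
            reasons.append("group-not-authorized")
        # 4. Conditional access: sensitive resources require a completed MFA step.
        if policy.require_mfa and not req.mfa:
            reasons.append("mfa-required")

    allowed = not reasons
    AUDIT.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "user": req.user,
        "source_ip": req.source_ip,
        "resource": req.resource,
        "decision": "allow" if allowed else "deny",
        "reasons": list(reasons),
    })
    return allowed, reasons


if __name__ == "__main__":
    # Allowlisted address, wrong identity: the IP check alone would have let bob in.
    print(evaluate(Request("bob", "10.40.0.12", "payroll-db", mfa=True)))
    print(evaluate(Request("alice", "10.40.0.11", "payroll-db", mfa=True)))
    for entry in AUDIT:
        print(entry)
```

Running the block shows bob denied with `group-not-authorized` even though his static address is inside the payroll allowlist, and alice allowed once her address, group and MFA all line up. Moving the same checks into the cloud VPN, rather than into each firewall or application, is what the centralized-whitelisting argument above amounts to.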
The notion of a VPN being outdated, table stakes or no longer needed rests on an outdated view of what VPNs were in the past. New cloud VPNs build on the encrypted-tunnel foundation of legacy VPNs but are redesigned to help organizations meet new challenges while providing the economics, agility and scale of the cloud. Cloud VPNs are not at all “your father’s VPN” but the means for many—especially SMBs—to advance their security, compliance and infrastructure agility.