Rethinking VPNs in a Cloud-Everything World
Conventional thinking is that a VPN is a VPN—a utility technology and a commodity that every company has, and there’s not much to consider. VPNs started to become commonplace back when most applications and data were locally hosted and data centers were internal. Applications, including email, generally did not have their own encryption for data in motion. Most VPNs were used to connect branch offices or remote employees to headquarters. The IT world was a very different place.
Applications Based in the Cloud
Today, the opposite is true for most organizations. Applications are predominantly SaaS and based in the cloud, and data centers are rapidly shifting to the public cloud. For many organizations, local networks have completely disappeared. The days of the WAN and LAN are quickly being forgotten. Now, it may be more common to have all or most employees working remotely, and some organizations may not have physical offices at all. In the modern world, applications, and even browsers, have built-in encryption. This might suggest that, perhaps, VPNs are no longer necessary or relevant.
VPNs Can Secure Access
In reality, VPNs can provide vitally needed access protection and management, which is especially important with such high proportions of work-from-home employees. User accounts and computing devices have been the primary means for attackers to gain access to company assets, and the increase in remote working has made this even easier. VPNs can also help ensure secure end-to-end access from remote employees to company resources in the cloud. With a sharp increase in cloud-everything companies and dispersed workforces, VPNs can and should take on a larger role.
Security used to be about creating or protecting a perimeter around an organization. Later, not only was it about defending a perimeter but also about monitoring and protecting the inside of a network. Arguments ensue over whether organizations still have a perimeter today, since, essentially, users, systems, data and applications are all in the cloud, or at least across the cloud. Regardless of whether one still thinks in terms of the perimeter, the notion of attack surface is quite real, and threats abound. VPNs can be key to protecting and managing this different landscape.
A Private Network to Cloud Resources
In today’s world, VPNs need to be more than just secure tunnels traversing the internet. In a world without networks—or at least with a diminishing number of networks—VPNs can create what their name actually implies—a virtual private network, over the public internet, from whatever access point an employee uses (public WiFi, shared workspace offices, home internet, etc.) to the cloud resources to which they need to connect. Think of an invisible “dome” reaching from users to applications, data and resources.
Within this dome, VPNs can be used to provide better controls, security, and compliance using a combination of technology and procedures. Both are important: technology can be used to create and enforce rules and bring manageability to the “Wild West” of the internet as a network, while procedures must leverage the technology to reduce risk, increase security and enforce requirements. The use of static IP addresses for users or resources, for instance, can bring more determinism to understanding who is going where and doing what, and more legitimacy, which helps thwart the hijacking of users or various phishing ploys. Rules can be created and applied, such as local security checks or requirements for establishing identity or conducting authentication. Logs can be used for investigations, threat hunting or proof of compliance.
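To make the static-IP and logging point concrete, here is an added example (not from the original article) that checks cloud-application sign-ins against per-user static VPN addresses. The log format, user names and addresses are constructed for illustration, and `audit_signins` is a hypothetical helper.

```python
import ipaddress
import re

# Constructed sample data: per-user static VPN egress addresses (hypothetical).
STATIC_IPS = {
    "alice": "203.0.113.10",
    "bob": "203.0.113.11",
}

# Constructed cloud-application sign-in log lines (hypothetical format).
SAMPLE_LOG = """\
2024-05-01T09:12:03Z user=alice src=203.0.113.10 app=crm result=success
2024-05-01T09:14:41Z user=bob src=198.51.100.77 app=crm result=success
2024-05-01T09:15:02Z user=bob src=203.0.113.10 app=mail result=success
2024-05-01T09:16:30Z user=carol src=198.51.100.9 app=mail result=failure
garbled line without fields
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) "
    r"app=(?P<app>\S+) result=(?P<result>\S+)$"
)


def audit_signins(static_ips, log_text):
    """Return (timestamp, user, src, finding) tuples for sign-ins to review."""
    owner_by_ip = {ipaddress.ip_address(ip): u for u, ip in static_ips.items()}
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            findings.append((None, None, None, "unparseable"))
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:
            findings.append((m["ts"], m["user"], m["src"], "bad_source_ip"))
            continue
        owner = owner_by_ip.get(src)
        if owner == m["user"]:
            continue  # expected: user arrived from their own static address
        if owner is not None:
            finding = "ip_assigned_to_other_user"  # possible shared or hijacked session
        elif m["user"] in static_ips:
            finding = "off_vpn_source"  # known user bypassing the VPN path
        else:
            finding = "unknown_user"  # no static address on record
        findings.append((m["ts"], m["user"], str(src), finding))
    return findings
```

Calling `audit_signins(STATIC_IPS, SAMPLE_LOG)` returns only the sign-ins that deviate from the expected user-to-address mapping, which is the list an investigator or compliance reviewer would start from.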
New Role of VPNs
The new role of VPNs requires more fully featured, robust VPNs and more thought about how they can be used. Rather than just being a commodity utility, a VPN can be part of a new strategy to secure the network-less organization. Ironically, when rethinking VPNs, one is really going back to the literal definition of the term. At the same time, VPNs should not be overly complex or require excessive time to manage and maintain. While “set and forget” is probably not a practical expectation, VPNs should be manageable by small and medium businesses with smaller, possibly less technical teams.
With the stakes for compliance violations and data loss ever-growing, organizations need to rethink the use and role of VPNs to meet current challenges and realities.