Since the advent of coronavirus, enterprise VPN adoption has increased. However, many security pros have learned that VPNs may become security liabilities due to their limitations. For example, the lack of granular security leads to remote access vulnerability. Likewise, there are issues concerning connectivity and scalability.
The main concern with VPNs is that they are a legacy approach to securing far more advanced technology systems. Hence the need for VPNs to level up.
Emerging technologies such as Software-Defined Perimeters and Secure Web Gateways are transforming our understanding of VPNs. The result is the implementation of security principles such as zero-trust, secure remote access, and automated threat detection.
VPNs may not be going away anytime soon, but the incorporation of new technologies would bring us to a new generation of security.
Shortcomings of Traditional VPNs
a) Remote Access Vulnerability
The traditional VPN model does not provide an avenue to secure third-party access, which is perhaps the weakest link. For instance, Airbus was the victim of multiple attacks over the past year as attackers gained access to sensitive data by hacking into its suppliers’ VPNs.
VPNs could also be considered the worst attack links, considering that they often control a significant part (or even the entirety) of the network resources, thereby providing broad access and a large attack surface. Last year, Talos Intelligence reported how hackers impersonated VPN applications to steal credentials and launch man-in-the-middle attacks.
The persistent inability to balance productivity with security is another challenge of VPNs. A common complaint about VPNs is that they reduce network speed. Because VPNs reroute requests through a different server, increased network latency inevitably lowers the connection speed. Even with the best VPN services, network speed lags, albeit ever so slightly.
Besides that, there are other performance issues, sometimes relating to the use of kill switches and the Dynamic Host Configuration Protocol (DHCP). The security provided by VPNs, while necessary, often comes with undue complexity, particularly for enterprises, but not so much for private VPNs.
VPN deployment for most organizations happens gradually, with units expanded as the organization’s network resources increase. Unfortunately, this slow scaling approach also means that the organization’s security may not match the increasing sophistication of cyberattacks.
The problem with full-tunnel VPN (which is the most common) is that it can get easily overwhelmed by immense traffic volume. In fact, this is responsible for most of the performance problems discussed above.
On the other hand, while split-tunnelling saves on bandwidth and boosts scalability, it also increases vulnerability because some of the network traffic bypasses the VPN and is routed through the public internet. Either way, it seems there is no winner here.
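The trade-off between the two tunnel modes can be made concrete with a small route audit. This is an added example, not taken from any VPN product: the prefixes, addresses and byte counts are constructed, and the function names are hypothetical. It also covers a case beyond the text above: a tunnel that routes only IPv4 prefixes leaves all IPv6 traffic outside the VPN.

```python
import ipaddress

# Constructed sample configurations: prefixes routed into the VPN tunnel.
FULL_TUNNEL = ["0.0.0.0/0", "::/0"]            # everything, IPv4 and IPv6
SPLIT_TUNNEL = ["10.0.0.0/8", "192.168.50.0/24"]  # corporate ranges only

# Constructed sample flows: (destination, bytes sent).
FLOWS = [
    ("10.1.2.3", 200),       # internal application
    ("192.168.50.7", 100),   # internal file share
    ("203.0.113.9", 600),    # video call on the public internet
    ("198.51.100.4", 100),   # SaaS application
]

def via_tunnel(dest, tunnel_prefixes):
    """True if dest matches any prefix routed through the VPN.

    An IPv6 address never matches an IPv4 prefix, so a tunnel that lists
    only IPv4 ranges silently leaves IPv6 traffic outside the VPN.
    """
    addr = ipaddress.ip_address(dest)
    return any(addr in ipaddress.ip_network(p) for p in tunnel_prefixes)

def bypassing(destinations, tunnel_prefixes):
    """Destinations that leave over the public internet, outside the tunnel."""
    return [d for d in destinations if not via_tunnel(d, tunnel_prefixes)]

def tunnel_share(flows, tunnel_prefixes):
    """Fraction of bytes the VPN concentrator has to carry."""
    total = sum(size for _, size in flows)
    inside = sum(size for dest, size in flows if via_tunnel(dest, tunnel_prefixes))
    return inside / total if total else 0.0

if __name__ == "__main__":
    for name, cfg in (("full", FULL_TUNNEL), ("split", SPLIT_TUNNEL)):
        dests = [d for d, _ in FLOWS] + ["2001:db8::10"]
        print(name, "load:", tunnel_share(FLOWS, cfg),
              "outside the VPN:", bypassing(dests, cfg))
```

With the sample flows, the split configuration cuts the load on the VPN to 30% of the bytes, and the remaining destinations are exactly the ones that receive no VPN protection.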
Next-Gen VPN Security
The term ‘Next-Gen VPN Security’ does not necessarily mean that the emerging tools will replace VPNs. Instead, think of them as an upgrade to the normal VPN protocols. In fact, SDPs and SWGs, both of which are explained below, are different from VPNs but can be configured to work with the latter for stronger security.
A software-defined perimeter (SDP) interfaces between the functions of traditional VPNs and firewalls. Unlike VPNs, which grant access to the entire network, an SDP creates an isolated network connection for each authenticated user, albeit on the same server.
In addition, each user connection contains a personalized collection of resources. An SDP only grants access after authenticating a user’s identity and the device used. This establishes a Zero Trust framework for mitigating network-based attacks. With this, it is impossible for any user (even the CEO) to access a network they are not authorized to enter.
SDPs are more secure and ensure easier scaling and management than VPNs, especially when there are multiple access requirements and levels. Normally, to access two different databases on the same server, IT would need to set up two VPNs.
On the other hand, an SDP provides more granular security, establishing secure connections to the accessible services for each user. Think of it as creating smaller private VPNs rather than granting access to the broad server.
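The difference between network-wide VPN access and per-user SDP access can be sketched as a default-deny authorization check. This is an added example, not code from any SDP product: the users, device IDs, services, addresses and function names are all constructed for illustration, and device authentication is simplified to a lookup of registered devices.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str
    host: str
    port: int

# Constructed inventory: two databases on the same server, plus a wiki.
SERVICES = {
    "hr-db": Service("hr-db", "10.0.5.10", 5432),
    "finance-db": Service("finance-db", "10.0.5.10", 5433),
    "wiki": Service("wiki", "10.0.6.20", 443),
}

# Per-user entitlements: the "personalized collection of resources".
ENTITLEMENTS = {
    "alice": {"hr-db", "wiki"},
    "ceo": {"wiki"},
}

# Devices registered to each user (assumption: registration stands in
# for whatever device authentication the deployment uses).
REGISTERED_DEVICES = {("alice", "laptop-7f3a"), ("ceo", "laptop-90de")}

def vpn_reachable(user_authenticated):
    """Legacy VPN model: one successful login exposes every service."""
    return set(SERVICES) if user_authenticated else set()

def sdp_authorize(user, device_id, identity_verified, service):
    """Default deny: identity, device and entitlement must all pass."""
    if not identity_verified:
        return None
    if (user, device_id) not in REGISTERED_DEVICES:
        return None
    if service not in ENTITLEMENTS.get(user, set()):
        return None
    return SERVICES[service]

def sdp_reachable(user, device_id, identity_verified):
    """Services for which an isolated connection would be created."""
    return {name for name in SERVICES
            if sdp_authorize(user, device_id, identity_verified, name) is not None}

if __name__ == "__main__":
    print("VPN:", sorted(vpn_reachable(True)))
    print("SDP alice:", sorted(sdp_reachable("alice", "laptop-7f3a", True)))
    print("SDP ceo:", sorted(sdp_reachable("ceo", "laptop-90de", True)))
```

Note that `hr-db` and `finance-db` share a host, yet the check separates them per user without a second tunnel, and seniority grants the `ceo` account nothing beyond its entitlements.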
According to Gartner, a Secure Web Gateway, SWG, is “a solution that filters unwanted software/malware from user-initiated Web/Internet traffic and enforces corporate and regulatory policy compliance.” It inspects web-traffic content and analyzes it against company policy in real-time, ensuring continuous protection against malware and other threats.
Given that employees are the first line of a cybersecurity attack, blocking their access to malicious traffic goes a long way in securing a network.
Particularly, a secure web gateway is a hassle-free model to protect remote connections. In addition, an SWG provides data leak prevention, drastically reducing the risk of insider threats/attacks. Like SDPs, SWGs provide granular access but they may become complex over time if access is too wide-scale.
New VPN platforms such as Switcherry are already working to implement these next-generation technologies to improve their zero-trust framework. No doubt this feature, alongside their other features such as full-time anonymity and unlimited servers, will definitely give them an edge not just over other VPN platforms but against the much-advanced cyber threats.
To be clear, VPNs would remain around for a long time as they play a critical role in enterprise cybersecurity, even if some of their functions are outdated. The fact that we saw a significant rise in the adoption of VPNs in the wake of COVID-19 testifies to the indispensability of VPNs. Yet, companies need to rethink their approach and welcome new solutions that make up for the shortcomings of legacy VPNs in security, connectivity, and performance.