VPN is Dead, Long Live VPN!
Every morning as I start my day, I tend to shuffle my way to my home office/lair/den of tinkering to sit at my workstation, log in to my desktop PC, and initiate what will inevitably be a full day of pondering life’s many mysteries: Why do we need to sleep, medically speaking? Why is “W” called double-u when it’s really two V’s stuck together? Why do we shout “head’s up” when one is expected to duck? And…
What the heck is up with VPNs?
VPNs (Virtual Private Networks) are essentially an extension of a private network to allow users to send and receive data as if they were connected directly to said private network. They’ve become ubiquitous in the routines of remote desk-jockeys, disciples of anonymity, grade-schoolers checking their social media, and patrons of region-locked content on the World Wide Web. Imagine a bridge connecting an island to the mainland; point-to-point access to avoid the inconvenience of the water below. Got it? It WILL be on the quiz.
As a security researcher, I truly see VPNs (historically and currently) as a beneficial and essential tool in establishing connectivity while circumventing the many perils of opening a portal to the Clearnet. These network tunnels are not without their flaws, though. VPNs are not able to initialize connections with complete anonymity, but they allow for increased privacy and security. Tunneling protocols and encryption can afford the authenticated user a decent amount of anonymity to prevent the disclosure of sensitive data, but this is not inherent to the standard model. In the world of cybersecurity, a surge of exploits and attack vectors arose from the sudden and unprecedented need for VPNs in early 2020… the onset of the Covid-19 pandemic.
Due to the massive scale of remote work that the crisis triggered, the InfoSec community sought to remediate the insufficiencies of traditional work VPNs. Granted, VPN services were already under the magnifying glass for their shortcomings well before the global pandemic, as ransomware crippled massive companies like Travelex at the end of 2019 thanks to weak VPN security. Protecting such a large number of workers, data and endpoints has become overwhelming for the solutions implemented by most organizations. The saying goes that conflict and crisis breed innovation (or was that boredom and inspiration?)… so, a smattering of new forms of remote access have taken the VPN belt and given it a fresh, shiny new polish. For brevity, I will focus strictly on a handful of workplace remote access solutions:
1. IAM / PAM / IDaaS
For a fairly simple bolt-on approach, IAM (Identity and Access Management) or PAM (Privileged Access Management) can provide a more robust authentication process than the common VPN username & password. IAM can provide the organization visibility of the user’s activity and control of the user’s access. PAM takes that a step further by securely managing privileged accounts. Privileged accounts pose a greater risk to security and warrant the additional features of PAM, such as password obfuscation & frequent reset rotation, system and data access control, and user activity monitoring. While IAM & PAM are typically on-prem solutions, IDaaS (IDentity as a Service) takes a 3rd party, cloud-based approach. By setting identity authentication services on the cloud, the customer benefits from offloaded risk, (typically) cheaper costs, and accelerated time-to-value. All of these options provide a solid improvement over traditional VPN.
2. VDI / DaaS
Instead of throwing your busted, malware-ridden home PC on your work network with a traditional VPN, why not access an active workstation remotely? VDI (Virtual Desktop Infrastructure) allows employees at home to utilize the resources already securely connected to the internal network. It’s an ideal solution for protecting sensitive internal data from exfiltration, and it affords employees access to their expensive tools without the risk of removing them from the premises. This can be achieved through cloud servers as well, taking the form of DaaS, or Desktop as a Service. While VDI is not a fresh solution, it still provides a higher level of security on the remote network access front.
3. ZTNA
It’s not a phase, mom… It’s a lifestyle! ZTNA (Zero Trust Network Access) is part of a broader framework, aptly named the Zero Trust Security Model. “Zero Trust” means what one might think it means: never trust, always verify. ZTNA can perform the standard functions of a VPN (like granting users access to specific networks and systems), but can also utilize the principle of least privilege (PoLP) to automatically default to the lowest level of access for all users. This extra layer of security effectively contains the user session just in case of compromise, limiting the range and files the malicious actor can access. When used in tandem with a network monitoring solution and endpoint protection platform, attacks are quickly and summarily halted in their tracks. This leads into…
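To make the contrast concrete, here is an added example (not from the original post or any vendor product) that models the two access decisions side by side: a traditional VPN that grants a whole subnet once the tunnel is up, versus a ZTNA-style policy that denies by default and grants individual applications only after both the user (with MFA) and the device posture have been verified. All users, devices, applications and the policy table are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# --- Traditional VPN model (constructed): one network-layer check, then a broad ACL.
VPN_ALLOWED_SUBNET = ip_network("10.0.0.0/8")  # hypothetical corporate range

def vpn_access(password_ok: bool, dest_ip: str) -> bool:
    """Once the tunnel is authenticated, any host inside the ACL range is reachable."""
    return password_ok and ip_address(dest_ip) in VPN_ALLOWED_SUBNET

# --- ZTNA model (constructed): default deny, per-application entitlements.
@dataclass(frozen=True)
class Request:
    user: str
    mfa_passed: bool        # identity verified with a second factor
    device_compliant: bool  # device posture check (e.g. EDR running) - assumed signal
    app: str                # the specific application being requested

# Constructed policy table: application -> users entitled to it.
ZTNA_POLICY = {
    "hr-portal": {"alice"},
    "git": {"alice", "bob"},
    "finance-db": {"carol"},
}

def ztna_access(req: Request) -> bool:
    """Verify user AND device first; then grant only the named app (least privilege)."""
    if not (req.mfa_passed and req.device_compliant):
        return False  # verification failed: nothing is reachable
    return req.user in ZTNA_POLICY.get(req.app, set())  # unknown app -> deny

def ztna_reachable(user: str, mfa_passed: bool, device_compliant: bool) -> list:
    """Blast radius of one session: the apps this user/device pair can actually reach."""
    return sorted(
        app for app in ZTNA_POLICY
        if ztna_access(Request(user, mfa_passed, device_compliant, app))
    )

if __name__ == "__main__":
    # A compromised but password-valid VPN session reaches the HR host anyway.
    print("VPN reaches 10.20.30.40:", vpn_access(True, "10.20.30.40"))
    # Under ZTNA, bob's session is contained to the apps he is entitled to.
    print("ZTNA bob (compliant):", ztna_reachable("bob", True, True))
    # A non-compliant device gets nothing, even with the right password and MFA.
    print("ZTNA bob (non-compliant):", ztna_reachable("bob", True, False))
```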
4. SASE
In ZTNA, all devices and their users are authenticated and verified at the network layer AND application layer before permitted access. This only solves part of the problem, and on massive enterprise networks, it is nearly impossible to monitor all traffic. This is where SASE (Secure Access Service Edge) rides in like a knight on its noble steed.
::cue brass fanfare::
SASE, being cloud-based, combines those network and security features in a neatly bundled service architecture, empowering medium to large enterprises with streamlined operation and management, greater visibility, security via additional layers of network functionality, reduced cost, and simple cloud-native security architecture.
5. SDP / SD-WAN
While many traditional VPNs rely on a physical hardware appliance for network connectivity, SDPs (Software-Defined Perimeters) and SD-WANs (Software-Defined Wide Area Networks) allow for greater mobility and versatility since they are cloud-based, software-defined solutions. Liberated from the router-centric distribution model, SD-X can do away with typical ACLs and route connections based on security clearance, QoS, priority, etc. In addition, SD-WAN can automate the fluid configuration of edge routers on the WAN and move data over a hybrid network of public broadband and private MPLS links. Similar to SASE, the end result is lower cost & complexity, and higher security & flexibility that is also scalable.
The TL;DR is that business VPN (in its current state) is not necessarily disappearing as much as it’s pupating into more secure, inspired, mature solutions. As threats arise, secure remote connectivity solutions likewise rise to meet these challenges head-on. What this means for remote business/enterprise stakeholders is a more robust security stance against threats from outside and inside their environments.
Nick Whittington is a professional musician/multi-instrumentalist and music producer turned ethical hacker and cyber-security enthusiast. As a valued Security Engineer at Prescriptive Data Solutions, Nick views challenges as the scaffolding of growth and wisdom and approaches all that he does with wonder, humor, and enthusiasm. He takes pride in his ability to see solutions from unconventional perspectives and is passionate about observing, learning, adapting, and creating.