The slow death of the VPN

Summary

  • VPNs are very great if done correctly. A lot are not.
  • Insecure VPNs highlight the insecurities of the traditional castle-and-moat security model which most businesses use today.
  • A Zero-Trust model is a better model for todays technology.
  • There are better, safer, often cheaper ways to modernise your workplace than dropping in a VPN.

Intro

You’d think that COVID and remote work would highlight VPNs as the hero of the modern workplace.

And you’d be correct… if it was the year 2010.

That’s a bit harsh but in reality, implementing a VPN and ticking off ‘modernise my workplace’ from your to-do list can in fact be dangerous, and here’s why.

What is a VPN

Going deep is beyond the scope of this article but as a high-level overview, a VPN (Virtual Private Network) is a private, encrypted tunnel between two endpoints usually implemented over a public network. For everyday users, it enables you to connect to your office remotely via the internet, in a secure manner.

Why are VPNs used

Organisations use VPNs for numerous reasons, the most common being:

  1. To enable some level of ‘modern workplace’ characteristics by enabling staff to work remotely.
  2. To improve efficiencies and shared resources by connecting multiple office locations together.
  3. To solve a particular problem, and securing a connection from point A to point B over an unsecured network.

VPNs are great. They are a means of solving a lot of connectivity and security issues, but they should not be considered a silver bullet for all things ‘remote’. There are better alternatives for specific scenarios, which often incorporate VPN technology as part of them.

Dangers of VPNs

Enterprise VPN solutions are generally very capable, and when configured correctly with the appropriate security measures in-place can enhance network capabilities and result in very positive outcomes, but issues arise in both the quality of the VPN solution, its implementation and if it’s managed ongoing.

Time for an example…

Your business decides to use an Enterprise VPN solution to enable staff to work remotely. That’s great, good for the staff and will probably result in increased productivity, yay. Your IT team have even gone to the extent of mandating that only business-issued devices are allowed to connect remotely (using certificates), but what they can’t control is who has access to the business-issued device when it’s out of the office. What’s to stop staff giving the business-issued device to their child to follow the Youtube rabbit hole to God knows what and infect the machine? When the device is connected over a VPN, it generally has open access to everything on the corporate network.

“But we have policies!” Yeah paper won’t help much.

Even worse, most SMBs simply implement a username/password authenticated VPN without certificates. This means anyone with the credentials can connect to the business and have open access to just about everything. So in this example, prior to the VPN you could only connect to the network if you were physically in the office or probably within wireless range. Now, with the VPN in place you’ve effectively provided a front door to your network with a padlock. Yes, there are caveats to this like directing network traffic, denying access to the VPN for parts of the network etc but in the majority of SMB cases we can bet those measures don’t exist.

I think you’ll agree that if done incorrectly, a VPN can be dangerous but It’s not actually the fault of the VPN itself. The issue itself stems from the traditional IT network security approach based on the castle-and-moat concept.

Traditional IT Network Security – Castle and Moat

To summaries what this is, traditional approaches to network security involve separating the corporate network from the internet via a firewall. Everything behind the firewall (within the business network) is trusted, creating a castle-and-moat. Everything in front of the firewall (outside the castle) is blocked unless selectively allowed.

If you’re within the castle you are considered friendly, and if you’re outside the castle you are met with a security guard (the firewall) denying you access. A VPN essentially extends the boundaries of the castle to other places… Once connected, you’re friendly.

This model of security is slowly becoming inappropriate for today’s technology. If you offer a front door to your castle, there’s a good chance that with enough time, effort and incentive someone will get through that door, and once in they’re free to do whatever they like. Additionally, with the move to cloud services a lot of your systems aren’t even in the cloud anymore, rendering a VPN less and less effective.

This leads us to what’s now referred to as the “Zero-Trust security model”.

Zero-Trust

Without going into too much detail, Zero-trust is a broad term to describe a paradigm-shift in IT Network Security. The premise is based on assuming you have already been hacked and doing what you can to limit the risk. There’s no agreed-to method to achieve this, but one approach is to create a castle-and-moat around all individual systems, limiting access only to who/what requires it and authenticating at as many points as possible.

Sound difficult? It should, because it is… But not impossible, and SMBs are primed to benefit significantly from this with minimal effort and cost.

A prime example may be an SMB who has an internally-hosted application the is front-ended via a webpage. Traditionally, giving remote access to this was probably done by creating a VPN to the network and providing users the credentials to connect. Again, done properly and managed correctly this OK but there’s better and safer ways to achieve remote access.

One way that comes to mind would be to implement a cloud-based reverse proxy, fronted by your favourite authentication provider (i.e. Google, Azure etc) with 2fa and limiting access only to Australia. I’ve intentionally made this a mouthful because it’s outside the scope of this article, but it will ensure that only the people who are allowed to access the system can do so, both inside the network and remote, all without a VPN, aka Zero-Trust.

And in generally, Coretechs IT can implement this without any hardware or licensing purchases.

Conclusion

VPNs are great and can be used in numerous situations effectively IF done correctly, but they also highlight an inherit flaw in traditional IT Network Security models. There’s now better, more reliable ways to modernise your workplace and if this interests you, you should give us a call.

Coretechs IT

1300 313 384