What Got You Here, Won’t Get You There – When It Comes to Perimeter Security
By Don Boxley, CEO and Co-Founder at DH2i
Traditionally, the virtual private network (VPN) has been considered the most secure way to reach a corporate network from outside. There is an irony, though, in the faith that many enterprises place in this technology for data protection. The main business advantage of a VPN is usually touted as improved security through encryption, but that encryption only covers the tunnel between the client and the VPN gateway, not the path to the application itself. Once the tunnel is up, the client is placed on the internal network, and that is where the risk lies: VPNs expose sensitive data to a larger attack surface, and in today's cloud-based environment, with many networks and many tunnels, that surface grows with every environment added.
One of the chief ways VPNs undermine data security is that enterprises commonly end up managing several types of VPN connections to accommodate the networking gear of each third party. (The alternative, requiring every vendor to standardise on one VPN, can be very costly.) This juggling act is an administrative nightmare, but it also creates far more room for lateral movement. A VPN grants network-level access: the connecting user receives a routable address on a "slice of the network" and can then reach any host on that slice, not just the one service they were given the VPN for. A compromised vendor account therefore inherits that whole slice. Every inbound connection adds attack surface, and without application-level segmentation there is no way to narrow that surface to the specific services a user actually needs.
New World, New Realities
Why is this happening now, when VPNs have been the longstanding "go-to" for secure endpoint connections that safeguard data from attackers? The answer is that VPN technology was not designed for a world of mobile devices, virtual teams, and third-party vendors tapping into the network; it was built with traditional on-premises security in mind. The VPN model came into being in a different era, when the on-premises, non-cloud environment was king, with physical servers and virtual machines behind a single perimeter. In that world, VPNs were appropriate. Today, IT is far more likely to run hybrid cloud, blending on-premises infrastructure with public and private cloud environments. Each additional environment brings another set of network paths, gateways, and credentials to secure, and with them more opportunities for data exposure and breaches.
This points to a major problem with continuing to buy into the myth of VPN security. Digital transformation has made it much harder for companies across diverse industries to give business partners and other third parties secure access to internal data and infrastructure. Enterprises cannot be cavalier about this challenge and simply go with what worked in the past. Granting access to any third party is a significant security risk, and it leads to a range of technical and business threats that were not in play when the only concern was on-premises security.
In a cloud environment, simply giving a partner or vendor network access to your systems lowers your effective security level to theirs. There is the possibility of inadvertently inviting malware into your environment, and your organisation's critical data is suddenly at the mercy of that vendor's security controls: if their controls are weak, then so are yours. All it takes for your data to be compromised is for an attacker to compromise the vendor's systems and then ride the vendor's access into your network. Many of the largest data breaches in recent years trace back to a third-party vendor. Add to this the fact that remote-access VPNs are complex to configure correctly, and you have a recipe for a suboptimal system.
For the Cloud
It may be painful to hear for those who still rely on VPNs for secure remote access, but traditional perimeter security no longer fits the way organisations operate. While many companies remain stuck in the past, and thus vulnerable in a world where cloud is ubiquitous, technology has moved on when it comes to network perimeter security. Proactive organisations have updated their security strategies to match what work looks like today, and have moved beyond yesterday's VPNs and direct-link approaches, along with their associated security risks.
Newer networking software known as a software-defined perimeter (SDP) can help companies navigate current security challenges such as hybrid and multi-cloud deployments, reducing both the attack surface and the exposure of their key data. How does SDP avoid the VPN's security issues? In a nutshell:
- It brokers connectivity between distributed apps and clients across multiple clouds, sites, and domains, so access no longer depends on placing the client on an internal network.
- It grants access at the application level rather than the network level: a user is connected to a named service, not to a subnet.
- It reduces lateral movement by giving remote users access only to the specific services they are authorised for, with everything else denied by default. I like to describe this environment as "secure by default."
The software also lets you shift workloads from cloud to cloud as needed, which helps avoid cloud vendor lock-in. An SDP solution can be installed on any host without network reconfiguration or dedicated appliances, which removes much of the operational chaos of managing a fleet of VPN concentrators.
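To make the difference between network-level and application-level access concrete, here is an added example that is not code from the original article or from DH2i. It models the "slice of the network" problem described earlier (a VPN client that can reach any internal host) and the per-service grants described in the bullets above, then enumerates the services a compromised identity could reach under each model. All hosts, addresses, identities, and grants are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory of internal services (hypothetical addresses and ports);
# none of this comes from the article.
SERVICES = {
    "vendor-portal": ("10.20.0.10", 443),
    "hr-db": ("10.20.0.20", 5432),
    "build-server": ("10.20.0.30", 22),
}

VPN_POOL = ipaddress.ip_network("10.99.0.0/24")  # addresses handed out by the VPN (assumed)
CORP_NET = ipaddress.ip_network("10.20.0.0/16")  # the network slice a VPN client can route to (assumed)


@dataclass(frozen=True)
class Request:
    identity: str   # authenticated user or vendor account
    src_ip: str     # address the request arrives from
    dst_ip: str
    dst_port: int


def vpn_network_policy(req: Request) -> bool:
    """Network-level access: any packet from a VPN address to the corporate range
    is allowed. The identity plays no role once the tunnel is up."""
    return (ipaddress.ip_address(req.src_ip) in VPN_POOL
            and ipaddress.ip_address(req.dst_ip) in CORP_NET)


# Application-level grants: each identity is authorised for named services only
# (constructed mapping for the example).
SDP_GRANTS = {
    "acme-vendor": {"vendor-portal"},
    "alice": {"vendor-portal", "build-server"},
}


def sdp_app_policy(req: Request) -> bool:
    """Application-level access: allow only (host, port) pairs belonging to a
    service this identity was granted; deny everything else by default,
    regardless of the source address."""
    allowed = SDP_GRANTS.get(req.identity, set())
    return any(SERVICES[name] == (req.dst_ip, req.dst_port) for name in allowed)


def reachable_services(policy, identity: str, src_ip: str) -> list:
    """List the services an identity can reach under a policy. This is the blast
    radius an attacker inherits by compromising that identity."""
    return sorted(name for name, (host, port) in SERVICES.items()
                  if policy(Request(identity, src_ip, host, port)))


if __name__ == "__main__":
    vendor_ip = "10.99.0.7"  # constructed: address the VPN assigned to the vendor's laptop
    print("VPN, acme-vendor :", reachable_services(vpn_network_policy, "acme-vendor", vendor_ip))
    print("SDP, acme-vendor :", reachable_services(sdp_app_policy, "acme-vendor", vendor_ip))
    print("SDP, unknown user:", reachable_services(sdp_app_policy, "mallory", vendor_ip))
```

Under the network-level policy the vendor account can reach every host in the corporate range, including the HR database it was never meant to touch; under the application-level policy the same account reaches only the vendor portal, and a stolen credential for an unknown identity reaches nothing. Note also that the application-level policy checks the port, so the vendor cannot pivot to SSH on a host it is otherwise allowed to reach.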
When it comes to security, the timeless management saying that "what got you here won't get you there" continues to hold true. As a traditional perimeter control, VPNs worked in the old world of physical servers and virtual machines behind a single boundary, but they do not have what it takes to protect data in today's heterogeneous, hybrid, multi-cloud environment. It is time to let go of the VPN security myth and embrace today's realities with a security model that is specifically designed for the cloud.