While virtual private networks once boosted security, their current design doesn’t fulfill the evolving requirements of the modern enterprise.
The quest for security has shaped our species for thousands of years. Since the earliest traces of civilization, we find evidence of fortifications that were erected in order to protect one tribe from another.
The desire for security persists in today’s Information Age, though many of the measures we take to ensure security are often little more than window dressing. We purchase complex and expensive cyber defenses that prove so difficult to operate that misconfigurations continue to permit attackers unauthorized access to information. To deter employees from stealing, we see frugal business owners installing replica surveillance cameras. We enforce byzantine password policies for workers that are easily undone by a simple phishing campaign.
Do these actions actually make us more secure or do they simply make us feel more secure?
Security guru Bruce Schneier famously coined the phrase “Security Theater” to describe this paradox, noting that security is both a feeling and a reality. “The propensity for security theater comes from the interplay between the public and its leaders,” Schneier wrote. “When people are scared, they need something done that will make them feel safe, even if it doesn’t truly make them safer.”
Enterprise security often falls prey to the same reflexive approach to new and unknown threats. There is perhaps no better example of this than the continued adoption of virtual private networks (VPNs), which, for a time, did improve security, but whose design doesn’t meet the evolving requirements of the modern enterprise.
No Time for Complacency
Twenty-five years ago, VPNs were the cutting-edge technology of the day, providing users with a relatively straightforward way to securely access protected network resources. Despite the explosive innovation these past two decades, VPNs remain synonymous with secure remote access for an outsized portion of today’s populace.
The situation today has been exacerbated by a number of converging factors. The current pandemic has forced millions of workers to log in from home, making it incumbent on CISOs to provide remote access without compromising security. Meanwhile, cloud computing and massive mobility have shattered the perimeter paradigm. Their arrival created new demands to protect data regardless of where it resides.
For too long, organizations looking to implement secure remote access solutions defaulted to installing and expanding their legacy VPN technology investment rather than pivoting toward a new generation of secure remote access solutions. Now’s the time to retire VPNs, and if you don’t believe me, consider these three reasons why VPNs are indeed more theater than security.
VPNs Are Plagued With Vulnerabilities
The warning signs of VPN vulnerabilities continue to flash bright red, and it seems that every month a new advisory is released. In June, the NSA issued a fresh warning that VPNs could be vulnerable to attack if not correctly secured, urging organizations to patch a critical flaw that, if exploited, would allow attackers to take control of a device without a password and gain access to the rest of the network.
Even when a patch has been available for months, a stunningly low number of organizations deploy it promptly, with some industry surveys estimating that 70% of known vulnerabilities remain unpatched one month after discovery.
VPNs Are Complex, Expensive, and Brittle
As any battle-tested CISO can attest, complexity is the enemy of security. Even modern VPN systems require a considerable degree of manual intervention, which is prone to configuration and other operator errors.
Compared to modern alternatives, VPNs remain expensive and require a significant amount of network and manpower resources to properly operate. For example, in .mil and .gov firewalls, approximately 80% of the tens of thousands of firewall rules are associated with VPN management. Managing and configuring these rules translates into significant costs (i.e., manpower, training, licensing, and hardware) and greater complexity for the end user and IT staff, leading to increased exposure to a host of potentially catastrophic risks.
VPNs Have Become Highly Attractive Targets for Bad Actors and Nation States
While threat actors have been actively setting their sights on VPN-specific vulnerabilities, VPNs have become especially attractive targets over the past couple of years, as a successful exploit can provide unfettered, system-wide access and a foothold for attackers in search of sensitive data.