It’s time to kill the VPN
22 May 2019
Kurt Glazemakers, CTO Secure Access at Cyxtera, says that legacy technologies, such as VPNs, have worked as a stop gap, but are useless in a world of 5G, IoT and highly sophisticated attacks such as NotPetya.
At its inception, the internet was a simple system. What was once a space used primarily by researchers for sharing information between humans, is now seeing huge amounts of information generated and connections made not only by humans but computers too.
Already IoT devices generate significant volumes of data which is only set to grow. And this is before you even get to the exciting emergence of AI technologies.
The internet though, was never created with the understanding or consideration for this type of use or the way it has been exploited. One key area that was overlooked at the time was security. Security has since been added in over time - often leading to other issues, but who would be without it today?
With the average cost of a data breach costing $3.86 million having insufficient security and protection can bring down even the most profitable business in one go. What’s more, the increasing complexities and sophistication of outside threats mean that businesses with poor network security not only risk huge financial loss from areas such as fraud, but potentially even more via loss of data and subsequent litigation from GDPR and other regulatory measures.
Also of interest: What can we do to protect SMEs from cyber attacks?
Simpler times, simpler solutions
In an attempt to provide some form of protection, more than 20 years ago the perimeter concept was created and Virtual Private Networks (VPNs) were introduced to access the perimeter from the internet.
For the purpose of creating a point-to-point, secure connection, VPNs were successful. By creating a ‘tunnel’ that could not be entered by data that was not suitably encrypted, meant that up until recently they were considered as the easiest and therefore best way to provide secure remote access.
And for a time the internet was relatively uncomplicated and safe as VPNs provided a suitable solution. However, now in a world of 5G, IoT and highly sophisticated attacks such as NotPetya, it is clear simple VPNs, with their limited ability, to only provide point-to-point secure connections, are no longer fit for purpose.
Instead, it’s time to consider a better approach to network security, namely one that enables a true a Zero Trust model of information security. Welcome, to the Software Defined Perimeter (SDP).
Also of interest: Why cyber security is no longer restricted to the IT department
Protecting the castle
Unlike the legacy systems of VPNs, SDP is a security technology designed to micro-segment network access. Rather than creating an encrypted tunnel from one endpoint to another, SDPs dynamically create one-to-one network connections between the user and the resources they are permitted.
Built with a Zero Trust model in mind, SDP ensures that all attempts to gain access to a given resource are authenticated and authorised prior to allowing the user network access. In this way, a user — which can be either a human, IoT device or even AI programme — can only have access to what they have authorisation to. All other resources are invisible to them let alone accessible.
To put this a little more simply consider a fort with a moat. Inside the fort contains the castle, full with all the databases and digital assets. To gain access into the fort, users must give a password. Those who do not know the password cannot enter, but those who do have complete access to the entire castle, including all the assets within it.
This is similar to how the traditional security networks of VPNs work. Once someone has access to one part, they have the potential to access everything. Whether it is relevant to them or not.
In contrast, a Zero Trust identity security model such as SDP requires more than an access-all-areas password. Instead, imagine the levels of security that are faced at an airport or government building. Before stepping on the plane individuals must go through numerous security checks and customs, including passport control, bag scanning and possibly additional interviews too.
Even then, when you’re into the airport, to access other planes you have to have the correct tickets and credentials. Zero Trust, SDP are closer to that of airport security, but go a step further. Even once you have access to one area, you must provide further credentials to enter other parts of the network. And in those areas you are not authorised to enter, you won’t even have visibility of them.
In this way, SDP tools are a far better fit to modern security needs than VPNs.
Also of interest: Is it time for the cyber security industry to grow up?
Less rules, more control
It’s not just better security though that SDPs deliver. A recurring problem that businesses are facing when it comes to securing their network access is an inability to keep track of their network access rules. In fact, the use of rules for network access is out of hand and many organisations are facing a reality where they max out on limits!
Not only does this cause severe network management problems as businesses don’t know how many rules they have nor do they know who made them in the first place. What's more, it also leaves them highly vulnerable in terms of gaps in their security.
With SDP technology, rules can be automatically generated for short term access and then be deleted after they are needed. This means there are considerably more restrictions on who can access each part of the network, but fewer rules are needed. Consequently, security teams and network administrators have much better control and visibility over their entire enterprise network.
What’s more, the duration of the network rules can be controlled so that the user has access for only as long as they need it. When it comes to auditing too things are much easier. As the full list of rules and access can be printed off and handed over in mere minutes, reducing the need to complete what can be one of the most laborious parts of network administration.
Gone are the days when the internet was simple. With the uses of the internet increasingly becoming more complex and sophisticated, so too are criminal’s ability to attack. And this is only going to continue. The simple and temporary fix that VPNs provided for secure network access is outdated and insufficient in today’s modern world.
By giving access to users only as and when they need it and even then, only access to the areas they need, a Zero Trust approach powered by SDP technology provides a secure network access solution for enterprises. Simplifying life for network admins and increasing ease of use for users has never been better.