SecureWorld News

Death of the VPN: A Security Eulogy

Written by Scott Schober | Sun | Sep 4, 2022 | 12:45 PM Z

Trust can be a hard thing to come by in this world, but in the world of cybersecurity, trust is virtually non-existent, or at least it should be. VPNs got us all from crawling to walking in the early days of the internet, but security needs have outpaced VPNs' ability to deliver true security and privacy for users and organizations, so we now look to more advanced solutions to keep us cybersafe.

Back in 1996, Microsoft, Ascend, and 3Com developed the peer-to-peer tunneling protocol (PPTP). PPTP was created to ensure a more secure and private connection between the user and the internet. As the internet rapidly expanded, so did viruses, malware, and a plethora of attacks targeting end users and even their networks. It became clear that not only a more secure method of connection was in order, but a more convenient one too. In the early 2000s, internet users were becoming increasingly on-the-go and required the ability to connect remotely to a private network over a public connection.

This called for a standard that not only maintained privacy through encryption but also prevented malware, all while affording users the ability to connect to their sensitive data from anywhere in the world. VPNs, or Virtual Private Networks, were born out of necessity for businesses to keep their data safe while employees accessed these private networks.

Unlike the original PPTP protocol, a VPN allows many users and devices simultaneous access to private networks across a very public internet. This is accomplished using a three-layered approach involving tunneling, authentication, and encryption. This was sufficient for its time, but internet use has exploded since the early 2000s, and not just among business users.

Billions of internet users, including consumers, journalists, and gamers, regularly connect using VPNs, but the same convenience that allows them to connect from anywhere using any device also carries risks that stem from traffic that VPNs were never designed to handle. The rise of cloud computing among all internet users has revealed cracks in the surface of these networks that VPNs worked so hard to conceal and remediate.

Many free VPNs collect vast amounts of data on their users that they then turn around and sell to advertisers. And while encrypted VPN data cannot be read by your internet service provider, the ISP can still determine that you are using a VPN, and even the nature of the encrypted data, since it all passes through their pipes. This can become an issue for users who are bound by agreements restricting internet use outside their own country, for something as harmless as streaming a show on Netflix to something as serious as reporting human rights violations from within China.

The final nail in the coffin of the VPN came in early 2020. The COVID-19 pandemic changed so many things about our daily lives, especially remote working. Seemingly overnight, the remote workforce went from roughly 6% to over one-third of workers. Flexible remote work opportunities exploded during the pandemic, so much so that many bosses and companies have resigned themselves to the fact that many of these workers will never set foot in their employers' offices again. Many other companies have adopted hybrid-remote policies in an attempt to keep an eye on employees while also affording them work-from-home independence. Unfortunately, all of these approaches collectively expand an ever-increasing attack surface that VPNs were not designed to handle.

Zero Trust Network Access (ZTNA) isn't a new concept, but security providers have been quick to adopt it due to urgent needs both during and after the pandemic. The essential difference between ZTNA solutions and VPNs is that ZTNA models use a "never trust, always verify" approach to each user before granting access. If we liken users and data to a two-way spigot extending off a giant network barrel, ZTNA offers unlimited spigots (one for each user) while a VPN offers just one giant spigot for everyone. Zero Trust, as implied by the name, not only requires robust authentication but also segments users with granular access to specific apps. This limits their exposure to the network and minimizes risks to all users and networks. ZTNA is implemented with security designed around users, so when employees connect, both your network and your employees are protected.

And since ZTNA is a cloud-based solution, it scales globally while performing posture checks before connecting devices, protecting user access with multi-factor authentication (MFA), and allowing user and network management from a single platform. Because VPN firewalls are physical appliances, similar scalability is more expensive, more time-consuming, and decidedly less secure.
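The "one giant spigot" versus "one spigot per user" difference can be made concrete in code. The following Python is an added illustration written for this article, not code from the original post or from Perimeter 81; the app names, group names, and device posture fields are constructed for the example.

```python
from dataclasses import dataclass

# Constructed sample policy: which groups may reach each app, and whether
# the app demands a compliant (patched, encrypted, EDR-protected) device.
APP_POLICY = {
    "payroll": {"groups": {"finance"}, "require_compliant": True},
    "wiki": {"groups": {"finance", "engineering"}, "require_compliant": False},
    "prod-db": {"groups": {"sre"}, "require_compliant": True},
}


@dataclass
class Device:
    os_patched: bool
    disk_encrypted: bool
    edr_running: bool

    def compliant(self) -> bool:
        # Posture check evaluated on every access request, not once at login.
        return self.os_patched and self.disk_encrypted and self.edr_running


@dataclass
class Request:
    user: str
    groups: set
    mfa_verified: bool
    device: Device
    app: str


def vpn_grant(request: Request) -> set:
    """VPN model: one credential check, then the whole network is reachable."""
    # After the tunnel is up the client holds a routable address, so every
    # app behind the concentrator is one network hop away regardless of role.
    return set(APP_POLICY) if request.user else set()


def ztna_decide(request: Request) -> tuple:
    """ZTNA model: verify identity, MFA, posture and entitlement per app, per request."""
    policy = APP_POLICY.get(request.app)
    if policy is None:
        return False, "unknown app"  # default deny: unlisted apps are invisible
    if not request.mfa_verified:
        return False, "mfa required"
    if policy["require_compliant"] and not request.device.compliant():
        return False, "device posture failed"
    if not (request.groups & policy["groups"]):
        return False, "not entitled to app"
    return True, "allow"
```

Note that the same finance user on an unencrypted laptop is still allowed into the wiki but refused at payroll, which is the per-app segmentation the article describes.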

ZTNA providers allow any organization a flexible, 360-degree view of all access and security.


This post appeared originally on LinkedIn here and was sponsored by Perimeter 81.