2019: It’s Time to Kill the VPN
Anti-fraud security is a necessary priority for financial institutions. However, many organizations allow their internal security to fall to the wayside. A holistic security strategy must protect not just an institution’s brand and end users, but also its internal systems, sensitive data, and employees. In this post, we will discuss how organizations can successfully enhance their security by moving away from VPNs.
Perimeter-based security has no place in any modern organization. Today’s workforce connects from anywhere and everywhere – the days of a fixed and easily identifiable internal security perimeter are long gone, and the risk of massive data breaches extends to all industries, including finance. So why are we still pretending that VPN technology can be effective at keeping these institutions secure?
The VPN was created in 1996, when Microsoft first developed the Point-to-Point Tunneling Protocol (PPTP). It was invented at a time when BlackBerry was just launching two-way pagers and the term “cloud computing” had only just been coined. Using VPN technology to secure today’s workforces simply defies progress.
Today’s network landscape is one of incredible complexity with distributed applications, people, and data. Organizations have taken the standard method of protection – the trusted private network – and applied hundreds or thousands of VPN and firewall rules with complex topologies to manage the chaos. Expanding cloud and mobile ecosystems have made the perimeter both porous and irrelevant while, in the meantime, networks are infested with unsanctioned, insecure devices. To complicate matters, in an increasingly distributed work environment, cyber threats are just as likely to come from inside an organization as they are from the outside.
VPNs have four critical flaws.
VPNs do not provide security, and there are several reasons why:
- VPNs grant access to everything. Once authenticated, users typically have complete access to the network they connected to.
- VPNs are too simplistic. In a world where the physical perimeter is no longer relevant, they are unable to keep up.
- VPNs provide static, perimeter-based security. This is ineffective when user context and security threats are ever-changing.
- VPNs are a siloed solution. Ultimately, VPNs are only useful for remote access by remote users. They don’t help organizations secure on-premises users or on-premises networks.
What’s an organization to do?
Gartner recommends a new strategic approach for information security – Continuous Adaptive Risk and Trust Assessment (CARTA). The idea behind this is that organizations continuously evaluate, in real time, whether a user should be trusted or not. It mirrors similar sentiments from Forrester around Zero Trust, the notion that users should never be trusted until their identity has been fully verified. Both concepts – CARTA and Zero Trust – are fundamental for security within modern institutions.
Supporting both principles is the Software-Defined Perimeter (SDP), a Zero Trust cybersecurity model. A Software-Defined Perimeter is a network security model that dynamically creates one-to-one network connections between users and the data they access, meaning that users are only able to reach specific, designated resources. SDP reduces the potential attack surface, ensuring that any internal or external actor attempting to carry out nefarious acts will be unable to move freely across an organization’s networks. Instead, each user can view only what they are entitled to view; everything else is invisible and inaccessible. This “network segment of one” is an individualized, micro-segmented network tailored to each user, device, and session. Further, the approach is holistic – it provides a single secure access control platform for both remote and on-premises users accessing both remote and on-premises resources.
A Software-Defined Perimeter is designed to address the shortcomings of VPNs:
- It’s user-centric. An SDP ensures we know as much about a user as we can BEFORE allowing them to connect to the network, including:
  - What is their user context?
  - What device are they using, and what is its security posture?
  - Where are they located?
- It’s adaptive and extensible. It manages access and adapts based on user context, device, and security conditions. It integrates with operational systems and provides an individualized perimeter for every user, granting specific access and visibility.
- It enforces Zero Trust.
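The contrast between a VPN’s network-wide grant and an SDP’s per-resource, context-driven “segment of one” can be shown in code. The following is an added illustration, not Cyxtera’s or AppGate’s code; the policy, resource names and context fields are constructed for the example:

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class SessionContext:
    """Facts an SDP controller gathers BEFORE a connection is allowed (constructed fields)."""
    user: str
    groups: frozenset        # user context: group memberships
    device_managed: bool     # device posture: enrolled in device management
    disk_encrypted: bool     # device posture: disk encryption on
    mfa_verified: bool       # identity verified with a second factor
    country: str             # location context

# Constructed entitlement policy: a resource is exposed only if every listed condition holds.
POLICY = {
    "payroll-db": {"groups": {"hr"}, "managed": True, "encrypted": True, "mfa": True, "countries": {"US", "CA"}},
    "git-server": {"groups": {"eng"}, "managed": True, "encrypted": True, "mfa": True, "countries": None},
    "wiki": {"groups": {"hr", "eng"}, "managed": False, "encrypted": False, "mfa": True, "countries": None},
}

def vpn_grant(ctx, network=POLICY):
    """VPN model: one successful authentication exposes every host on the network."""
    return frozenset(network) if ctx.mfa_verified else frozenset()

def sdp_grant(ctx, policy=POLICY):
    """SDP model: evaluate each resource separately; anything not granted stays invisible."""
    granted = set()
    for name, rule in policy.items():
        if not rule["groups"] & ctx.groups:
            continue
        if rule["managed"] and not ctx.device_managed:
            continue
        if rule["encrypted"] and not ctx.disk_encrypted:
            continue
        if rule["mfa"] and not ctx.mfa_verified:
            continue
        if rule["countries"] is not None and ctx.country not in rule["countries"]:
            continue
        granted.add(name)
    return frozenset(granted)

def reevaluate(ctx, **changed):
    """CARTA-style continuous assessment: recompute the grant when the session context changes."""
    new_ctx = replace(ctx, **changed)
    return new_ctx, sdp_grant(new_ctx)

if __name__ == "__main__":
    alice = SessionContext("alice", frozenset({"hr"}), True, True, True, "US")
    print("VPN exposes:", sorted(vpn_grant(alice)))
    print("SDP exposes:", sorted(sdp_grant(alice)))
    _, after = reevaluate(alice, device_managed=False)
    print("SDP after the device drops out of management:", sorted(after))
```

The VPN check grants Alice all three resources on a single authentication, while the SDP check grants only the two she is entitled to and withdraws the payroll database as soon as her device posture degrades mid-session.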
Cyxtera’s Software-Defined Perimeter solution, AppGate SDP, prevents modern attacks by reducing the network attack surface and implementing adaptive security.
In 2019, organizations have a choice: keep employing outdated technology in an attempt to secure a world without definite security perimeters, or realize that the VPN is dead. It is time to use the latest cybersecurity innovations to secure the technology of today.
For more insight on how to protect internal resources, read this blog post about securing legacy applications.