In the latest installment of our series evaluating traditional security practices, we’re taking a look at VPNs. Historically, Virtual Private Networks (VPNs) have played an important role in cybersecurity strategy, offering encrypted pathways for data and a key mechanism for authenticating access to remote networks. With the advent of the internet, VPNs cemented themselves as the leading solution to the challenges of navigating the internet and accessing networks. However, as technology has evolved, the role of VPNs in cyber defense has also evolved.
The rise of cloud services and remote work means traditional perimeter-based security models have become less effective and less relevant. Many modern companies don’t even have networks anymore. In addition, encryption of the internet itself has advanced significantly, and the move to cloud-based operations means the two primary problems VPNs were built to solve, providing encryption and authenticating access to perimeter networks, may no longer be as important. This leads us to the question: what is the role of the VPN in the modern tech world?
In the evolving field of cybersecurity, it is important to constantly evaluate the tools being used and to assess whether they are still serving the purpose they historically served. In this article, we discuss how VPNs are a prime example of a tool whose role has changed substantially as technology has evolved, and we argue that recognizing this changing role is essential to avoid overestimating its value.
While VPNs still have their uses, it's crucial to approach their deployment thoughtfully. In a rapidly changing cybersecurity environment, it's important to avoid overestimating the value of tools like VPNs and remain informed about their role. This analysis aims to provide a balanced understanding of VPNs' place in modern cybersecurity strategies.
Historically, the adoption of VPNs stemmed from the pressing need to address various security concerns and operational requirements. This capability was also valuable for remote workers or employees accessing corporate resources while traveling. By simulating a local network connection, VPNs facilitate access to internal systems, applications, and files, regardless of geographical location.
Additionally, VPNs guaranteed encrypted transmission, providing a secure tunnel for internet traffic. By encrypting data transmitted over public networks, VPNs safeguard sensitive information from interception and unauthorized access. This encryption ensures the privacy and integrity of communications, crucial for protecting confidential business data and maintaining regulatory compliance.
VPNs also offer a range of additional use cases that enhance user experience and security. For instance, VPNs can bypass geo-restrictions imposed by content providers or governments, allowing users to access region-locked websites or services. VPNs also contribute to anonymity by masking users' IP addresses and online activities, bolstering privacy and reducing the risk of tracking or surveillance. Another use case is enforcing authentication for a network or subnet. For example, even when directly connected to a corporate network, the company may require connecting to a “Production” VPN with privileged credentials in order to access production systems.
The landscape of the internet and cybersecurity has undergone significant transformation since the early days of VPNs. Most significantly, traditional perimeter-based security models have become less useful with the rise of cloud services and remote work, challenging the efficacy of VPN-centric security approaches. Organizations now face the challenge of securing a distributed workforce accessing data from various locations and devices, necessitating a shift towards more adaptive and resilient security strategies. Specifically, the primary boundary has moved from the network to the identity. At the same time, applications have moved from on-premises networks into the cloud. The security guarantees that were once afforded by VPNing into a local network are now afforded by identity-based authentication to public cloud applications.
Historically, the internet operated on unsecured and unencrypted pathways, leaving data vulnerable to interception and manipulation. VPNs were the solution to this threat. However, the evolution of HTTPS encryption has brought a new era of secure internet browsing, ensuring that data transmitted between users and websites remains confidential and unaltered. Now, the vast majority of internet communication is encrypted using a protocol called Transport Layer Security (TLS). The historic concerns about coffee-shop wifi networks don’t present the same threat they once did because encryption is already in place.
With the changes described above, businesses that continue to rely on VPNs as their primary security solution are at risk of assigning false value to the role VPNs are playing. With the shift away from traditional perimeter-based security models, and with the advancement of internet encryption technologies like HTTPS, VPNs may duplicate existing security measures rather than adding a layer of protection. While VPNs provide encryption and remote access capabilities, these are now often already in place, so the added value of the VPN is largely duplicative. One example we commonly see: a user authenticates to the VPN with their IdP credentials, only to authenticate again to a public cloud SaaS app with the same IdP credentials.
There certainly is still space in cybersecurity for VPNs; for example, IP whitelisting for private services can sometimes still be the cheapest control to administer. There’s also the argument that while encryption may prevent a snooper on public wifi from seeing what you are sending to various remote networks, they are still able to gain some potentially valuable information, e.g. when using public DNS.
With that context, organizations must understand the role a VPN is playing in their overall security program. It's crucial to caution against attributing excessive security value to VPNs and to advocate for a multi-layered security approach. The concept of Defense in Depth emphasizes the need for diverse security strategies tailored to specific threats and vulnerabilities. Each security measure should contribute uniquely to the overall security posture, rather than merely duplicating existing defenses. Over-reliance can be especially disastrous if, due to the comfort blanket of a VPN, a company treats anyone on the local network as “authenticated” and disregards security best practices for network resources. While it’s not an inherent fault of VPNs, it is a reality of human organizations.
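The “anyone on the local network is authenticated” pattern beside a layered check, as an added example that is not part of the original article. The address range, signing key, role name and function names are hypothetical, and the HMAC-signed string stands in for an IdP-issued session.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

VPN_POOL = ipaddress.ip_network("10.8.0.0/16")   # constructed VPN address range
SESSION_KEY = b"demo-key-not-for-production"     # constructed signing key

def _mac(body: str) -> str:
    return hmac.new(SESSION_KEY, body.encode(), hashlib.sha256).hexdigest()

def sign_session(user: str, role: str) -> str:
    """Stand-in for an IdP-issued session, formatted as 'user|role|mac'."""
    body = f"{user}|{role}"
    return f"{body}|{_mac(body)}"

def allow_by_network(src_ip: str) -> bool:
    """Weak pattern: any address inside the VPN range counts as authenticated."""
    return ipaddress.ip_address(src_ip) in VPN_POOL

def allow_by_identity(src_ip: str, token: Optional[str], required_role: str) -> bool:
    """Layered pattern: network location is one control among several, and every
    request must also carry a verified identity holding the required role."""
    if not allow_by_network(src_ip):
        return False
    if not token or token.count("|") != 2:
        return False
    user, role, mac = token.split("|")
    # Constant-time comparison of the presented MAC against the expected one.
    valid = hmac.compare_digest(mac.encode(), _mac(f"{user}|{role}").encode())
    return valid and role == required_role

if __name__ == "__main__":
    inside = "10.8.3.7"  # constructed address of a device on the VPN
    print("network-only, no credentials:", allow_by_network(inside))
    print("layered, no credentials:     ", allow_by_identity(inside, None, "prod-admin"))
    print("layered, valid prod-admin:   ",
          allow_by_identity(inside, sign_session("alice", "prod-admin"), "prod-admin"))
```

A device that reaches the VPN range without credentials passes the first check and fails the second, which is the gap the paragraph above describes.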
The purpose of this article was not to argue against the value and use of VPNs. VPNs continue to play a valuable role in modern cybersecurity strategies, and offer benefits and security capabilities when used in the right context. Cases such as IP whitelisting, bypassing geo-restrictions, and enhancing privacy through encrypted DNS lookups are all valuable use cases for VPNs.
Zero Trust Architecture is a good example of a direct reaction to the shortcomings and inconveniences of perimeter-focused network security. What this article is drawing attention to is the risk of over-relying on a VPN and misjudging what exactly it contributes to a cybersecurity strategy, as both the nature of the internet and the way businesses operate have evolved over time. It’s important that businesses adopt a holistic approach to cybersecurity, constantly assess their security requirements, and implement appropriate measures tailored to specific needs. Understanding the role of each cybersecurity tool in building a robust defense ensures that false confidence is not being built in an ineffective strategy. By adopting a thoughtful and comprehensive approach, businesses can better mitigate modern security challenges and safeguard their sensitive data and resources.