Why every CIO should retire their VPNs
Now is the time every CIO should retire their virtual private network (VPN) technology.
Such a statement may be considered heretical by those who believe that VPNs “saved the day” as organizations around the world pivoted from their offices to a massive work-from-home (WFH) environment. Nevertheless, it is appropriate. Like Xerox became synonymous with photocopying, many people consider VPN synonymous with secure remote access. This is unfortunate as it perpetuates an aging, expensive and increasingly vulnerable technology.
During the rapid pivot away from the traditional office environment, many CIOs invested heavily to rapidly expand their VPN infrastructure. More VPN appliances and software were quickly purchased and installed by CIOs “under the gun” to quickly expand secure remote access capabilities. Behind the scenes, many help desks were inundated by frustrated users struggling to configure their home computers as they attempted to securely access corporate resources from their shelter-in-place locations. For many organizations, continuity of operations subordinated considerations such as cost, performance and security. Despite the costs, frustration and other risks associated with the COVID-19 VPN surge, many celebrated that “the VPNs kept us up and operating.”
With many regions relaxing stay-at-home orders, organizations are taking stock of their pandemic lessons learned. Many recognize the WFH environment is cost-effective and presents the opportunity to reduce their office space and other overhead costs. This “new normal” presents challenges and opportunities for CIOs needing to maintain corporate secure remote access while minimizing their operating and capital expenditures. Because of this, CIOs need to rethink their secure remote access capabilities and retire their expensive, aging and increasingly vulnerable VPNs in lieu of new technologies that are more effective, efficient and secure.
In today’s digital world, VPNs are ancient technology. VPNs premiered in 1996, the same year Derek Jeter was American League rookie of the year and the Palm Pilot was introduced. As CIOs and CISOs look to deliver results in the “new normal” state, they ought to be asking, “Why should we use VPNs when there are much more modern, effective, efficient and secure remote access technologies available?”
VPNs are expensive and require a significant amount of network and manpower to operate. For example, in .mil and .gov firewalls, approximately 80% of the tens of thousands of firewall rules are associated with VPN management. Managing and configuring those tens of thousands of rules translates into significant costs including manpower, training, software licensing and hardware. It also presents greater complexity for both the end user as well as the information technology staff, often leading to misconfigurations and greater cyber risk. During my time as the Director of the National Cybersecurity and Communications Integration Center in 2014-2015, our United States Computer Emergency Readiness Team (USCERT) identified misconfigurations of firewalls and VPN tunnels as one of the top five cyber risks exploited by nation state and criminal hacker groups.
Today, VPNs remain vulnerable to attack and exploitation. Nation state and criminal hacker groups are known to compromise VPNs in their attacks such as when attackers used VPNs to gain and maintain access to targeted resources during the Office of Personnel Management breach. Not only did the attackers use VPNs to gain access to their targets, they leveraged a notorious “feature” of VPNs where the encrypted VPN “tunnel” drilled a hole not only through the firewall, but also through the Intrusion Detection and Intrusion Protection Systems, rendering them moot. The most recent USCERT Top Ten Routinely Exploited Vulnerabilities (USCERT AA20-133A) highlights that malicious cyber actors are increasingly targeting VPN vulnerabilities.
There are less expensive and more effective alternatives to VPNs for secure remote access. For example, in 2004 the U.S. Department of Defense kickstarted research into alternative technologies to better secure access to information, spawning creation of software-defined perimeter (SDP) technology. Now commercially-available, SDP is proving to be a game-changer for CIOs and CISOs alike. Organizations using SDP report a 50-75% reduction in secure remote access costs; significantly reduced training, manpower and overhead requirements; and acceleration of their Zero Trust security strategy implementation. Key SDP attributes include microsegmentation, Least Privilege enforcement, comply-to-connect and reduction of complexity for the user and operator while increasing complexity for attackers.
VPNs were great when Jeter was a rookie, but they have been leapfrogged by newer technology that is more effective, costs less and is more secure. It is time to rethink how we provide secure remote access.
Now is the time every CIO should retire their VPN technology.
