InfoSec Insider

Death of the VPN: Enterprise Security Needs New Foundations

Twenty years in, enterprise VPNs occupy a uniquely solid position in a changing landscape.

Introduced to the market nearly two decades ago, enterprise VPN technology has been uniquely enduring. Most large organizations still employ a VPN solution, and many seem to rely on it unquestioningly to provide secure remote access. It’s a rarefied position for a tool that hasn’t fundamentally changed in 20 years.

A VPN’s ability to provide employees, clients and third parties with “secure” remote access to internal applications is still considered a necessity in today’s corporate world. Yet what was once a simple and effective remote utility has become an increasingly inefficient and insecure solution when viewed in the context of today’s modern networks. Mobile users, bring-your-own-device (BYOD) policies and cloud applications are testing the limits of the traditional VPN-reliant architecture, and it’s uncertain whether legacy tools like enterprise VPNs will survive the ongoing technology shift.

Before exploring their faults, it’s worthwhile to explain that enterprise VPNs are basic gateways that allow employees to access internal resources from a remote location. Here, access control works in essentially the same way as on a local device: Each worker is granted a login with a predetermined degree of access to network services.

The issue is this: The line between “internal” and “external” in modern enterprises is blurring as businesses deal with a growing number of contractors, providers and third-party vendors that all require remote access. What’s more, they all require varying permissions. Overseeing these various privileges is difficult at best, and that makes for a widening attack surface.

The rapid migration of applications to the cloud is also an important consideration. That includes both software-as-a-service (SaaS) and infrastructure-as-a-service (IaaS) environments. As a result, we are no longer shielded by a secure network perimeter with clear demarcation points.

Legacy VPN security as it stands can’t adequately address this level of complexity. It’s a one-size-fits-all solution that doesn’t take into account today’s flexible enterprise perimeter.

The Wider the Perimeter, the Larger the Risk

In the past, life was simple: We had statically wired, corporate-owned devices accessing static, well-defined enterprise applications in a fixed enterprise footprint. VPNs worked well here – especially in companies with fewer than a hundred employees, no third-party users, no application upgrades and no frequent role changes.

Today, we have multiple devices – both corporate and personal – connecting from any number of places to corporate resources. It is still mistakenly assumed that if a device belongs to an employee and is authenticated to the LAN, it should be allowed network access, including if it is connected remotely over a VPN. This assumption perpetuates a traditional and outdated perimeter model in which a user’s position on the network defines their credibility and suitability for access to fixed assets. The technology simply lacks the ability to enforce the granular controls or varied permissions that modern businesses now require.

As a result, an authorized user connecting to the network via a VPN is inherently granted a level of access that’s almost always in excess of the minimum required. That means even a well-designed and segmented network would leave a wide range of network resources visible to attackers should they compromise one of these connections.

That scenario isn’t just theoretical: This fundamental excess of access has been leveraged by attackers in one way or another during many successful breaches. In just one high-profile example, retail giants Lord & Taylor and Saks Fifth Avenue announced in early 2018 that their stores were subject to a massive credit-card data breach believed to have compromised the information of up to 5 million customers.

Though few details were released regarding the attack vector, the New York Times reported that the attack was likely initiated by a phishing scam sent to employees of the stores’ holding company. The compromised users’ stations were then used to infiltrate the network environment further. As with the vast majority of malware-driven intrusions, this could have been prevented simply by removing, mediating or requiring further authentication for the end user’s access rights. It’s basic privilege management.

Many organizations simply don’t take into account that 40 percent of breaches originate with authorized users accessing unauthorized parts of the network. In such cases, continuing to focus on legacy authentication and an assumption of trustworthiness on the network level makes no sense.

A Better Way

Corporations are no longer oriented around branches, on-premises users and internal data centers. So as the perimeter becomes less clear, network access mechanisms that are not designed around users and the specific resources they need to reach fall short.

A zero-trust architecture provides an alternative model that prevents “trusted” users from gaining excessive access to a network, simply because there are no trusted users on the network to begin with.

This approach relies on a number of technologies and concepts to form one overarching solution. For example, a software-defined perimeter (SDP) and micro-segmentation provide improved isolation and control of the network. Access decisions are transferred from the collective network layer to the more granular application layer, where they are made based on user-specific information. Permissions are then arbitrated on a case-by-case basis, based on an informed understanding of the person’s identity and the minimum level of access he or she requires.

Converting to this access model also often means using an identity-aware proxy (IAP) that ensures that users logging in are not merely authenticated once but also continually verified, and their activities are checked for behavioral anomalies in real time. When a user attempts to use an application, they are vetted by identity, device security status, and IP address, and security keys are used to further authenticate the user and prevent account takeovers.

Security teams can then rely on SaaS, cloud-native applications that streamline employee access without granting entry to the privileged network areas that users don’t need to see. This allows end users to receive case-by-case access to individual applications specifically mapped to their identity.
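To make the contrast concrete, here is an added example (not from the article or from any product it describes): a toy decision function modelling an identity-aware proxy that decides per application and per request on identity, device posture, source network and whether a security key was used, beside the one-time VPN-style decision that exposes every application. The applications, roles, policy table and addresses are all constructed for illustration.

```python
"""Toy access-decision model (added example, not from the article).
The VPN-style function decides once at login and exposes every application;
the IAP-style function decides per application on every request."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: every internal application a VPN login can reach.
ALL_APPS = {"payroll", "pos-admin", "wiki", "git"}

# Constructed per-application policy: entitled roles and required posture.
POLICY = {
    "wiki":      {"roles": {"staff", "contractor"}, "managed": False, "hw_key": False},
    "git":       {"roles": {"staff"},               "managed": True,  "hw_key": False},
    "payroll":   {"roles": {"hr"},                  "managed": True,  "hw_key": True},
    "pos-admin": {"roles": {"retail-ops"},          "managed": True,  "hw_key": True},
}
# Constructed source networks from which nothing is reachable at all.
BLOCKED_NETS = [ip_network("203.0.113.0/24")]

@dataclass
class Request:
    user: str
    roles: set             # from the identity provider, not from network position
    app: str
    device_managed: bool   # device posture reported by an endpoint agent
    hw_key_used: bool      # security key presented for this session
    src_ip: str

def vpn_model(authenticated: bool) -> set:
    """Legacy model: one login decision, then the whole application set is reachable."""
    return set(ALL_APPS) if authenticated else set()

def iap_decision(req: Request) -> tuple:
    """Per-request decision: evaluated on every request, so a posture change or
    a new source network mid-session changes the answer immediately."""
    rule = POLICY.get(req.app)
    if rule is None:
        return False, "unknown application"
    if any(ip_address(req.src_ip) in net for net in BLOCKED_NETS):
        return False, "source network blocked"
    if not (req.roles & rule["roles"]):
        return False, "identity not entitled to this application"
    if rule["managed"] and not req.device_managed:
        return False, "device posture insufficient"
    if rule["hw_key"] and not req.hw_key_used:
        return False, "security key required"
    return True, "allowed"

def reachable(user, roles, managed, hw_key, src_ip) -> set:
    """Apps this identity/device/network combination can reach; compare with vpn_model."""
    return {a for a in POLICY if iap_decision(Request(user, roles, a, managed, hw_key, src_ip))[0]}
```

A contractor on an unmanaged laptop ends up seeing only the wiki, whereas the VPN model hands the same login the entire application set.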

Death of the Enterprise VPN?

Many enterprises still rely on a VPN to provide privileged users or outside parties access to critical infrastructure – although for security in a modern enterprise, VPNs can fall short. The practice may endure to some degree in years to come, but a growing perimeter and the resulting complex security challenges mean that the enterprise VPN is unlikely to last much longer in its current iteration as the cornerstone of corporate access technology. Instead, it will exist only as a limited utility in the future, representing just one piece of a more precisely managed cloud-native model of network access – if it exists at all.

(William Chalk is a researcher at Top10VPN.)
