VPNs: The Cyber Elephant in the Room

While virtual private networks once boosted security, their current design doesn't fulfill the evolving requirements of today's modern enterprise.

Brigadier General (Ret) Gregory J. Touhill, President, AppGate Federal Division

September 8, 2020

The quest for security has shaped our species for thousands of years. Since the earliest traces of civilization, we find evidence of fortifications that were erected in order to protect one tribe from another. 

The desire for security persists in today's Information Age, though many of the measures we take to ensure security are often little more than window dressing. We purchase complex and expensive cyber defenses that prove so difficult to operate that misconfigurations continue to permit attackers unauthorized access to information. To deter employees from stealing, we see frugal business owners installing replica surveillance cameras. We enforce byzantine password policies for workers that are easily undone by a simple phishing campaign.

Do these actions actually make us more secure or do they simply make us feel more secure?

Security guru Bruce Schneier famously coined the phrase "Security Theater" to describe this paradox, noting that security is both a feeling and a reality. "The propensity for security theater comes from the interplay between the public and its leaders," Schneier wrote. "When people are scared, they need something done that will make them feel safe, even if it doesn't truly make them safer."

Enterprise security often falls prey to the same reflexive approach to new and unknown threats. There is perhaps no better example of this than the continued adoption of virtual private networks (VPNs), which, for a time, did improve security, but whose design doesn’t meet the evolving requirements of today’s modern enterprise.

No Time for Complacency
Twenty-five years ago, VPNs were the cutting-edge technology of the day, providing users with a relatively straightforward way to securely access protected network resources. Despite the explosive innovation of the past two decades, VPNs remain synonymous with secure remote access for an outsized portion of today's populace.

The situation today has been exacerbated by a number of converging factors. The current pandemic has forced millions of workers to log in from home, making it incumbent on CISOs to provide remote access without compromising security. Meanwhile, cloud computing and massive mobility have shattered the perimeter paradigm. Their arrival created new demands to protect data regardless of where it resides.  

For too long, organizations looking to implement secure remote access solutions defaulted to installing and expanding their legacy VPN technology investment rather than pivoting toward a new generation of secure remote access solutions. Now’s the time to retire VPNs, and if you don't believe me, consider these three reasons why VPNs are indeed more theater than security.

VPNs Are Plagued With Vulnerabilities 
The warning signs of VPN vulnerabilities continue to flash bright red, and it seems that every month a new advisory is released. In June, the NSA issued a fresh warning that VPNs could be vulnerable to attack if not correctly secured, urging organizations to patch a critical flaw which, if exploited, would allow attackers to take control of a device without a password and gain access to the rest of the network.

Even when a patch has been available for months, a stunningly low number of organizations deploy patches in an expeditious manner, with some industry surveys estimating that 70% of known vulnerabilities remain unpatched one month after discovery. 

VPNs Are Complex, Expensive, and Brittle
As any battle-tested CISO can attest, complexity is the enemy of security — even modern VPN systems require a considerable degree of manual intervention, which is prone to configuration and other operator errors.

Compared to modern alternatives, VPNs remain expensive and require a significant amount of network and manpower resources to properly operate. For example, in .mil and .gov firewalls, approximately 80% of the tens of thousands of firewall rules are associated with VPN management. Managing and configuring these rules translates into significant costs (i.e., manpower, training, licensing, and hardware) and greater complexity for the end user and IT staff, leading to increased exposure to a host of potentially catastrophic risks. 

VPNs Have Become Highly Attractive Targets for Bad Actors and Nation States
While threat actors have long been setting their sights on VPN-specific vulnerabilities, VPNs have become especially attractive targets over the past couple of years, as a successful exploit can provide unfettered, system-wide access and a foothold for threat actors in search of sensitive data.

Because of this, nation states have been especially keen to exploit these critical vulnerabilities, which provide an easy stepping stone to commandeer a network. For example, in late 2019, suspected Iranian hackers successfully breached the VPN application of an unnamed organization, an intrusion that culminated in a "wiper attack" that erased data from most of the machines attached to the network. The group behind the REvil ransomware has also been busy extorting a variety of critical infrastructure organizations across the globe by targeting known Citrix and Pulse Secure VPN vulnerabilities.

Towards a Software-Defined Future
While enterprises have invested heavily in VPNs over the past two decades, there comes a time when one needs to stop throwing good money after bad and look towards a software-defined future built around a Zero Trust framework.

Organizations using software-defined perimeters (SDP) report a 50% to 75% reduction in secure remote access costs; significantly reduced training, manpower and overhead requirements; and acceleration of their Zero Trust security strategy implementation. Other key SDP attributes include the ability to enable network microsegmentation, enforce least-privilege user access, and apply comply-to-connect (C2C) rules to ensure that patches and hardened configurations are applied to devices before they ever connect to the network. All of this not only reduces complexity for the user and operator but also makes it that much more difficult for the attacker to turn a small compromise into a full-fledged data breach.

Although we are living in a time of great uncertainty, CISOs who are championing digital transformation initiatives would be well-served to reframe this challenge as an opportunity to re-think their existing security paradigm and invest in frameworks that can meet the requirements of the modern enterprise.

While we all enjoy a good show, it's about time we demand less theater and better security.

About the Author(s)

Brigadier General (Ret) Gregory J. Touhill

President, AppGate Federal Division

Brigadier General (Ret) Gregory J. Touhill, CISSP, CISM, serves as President of AppGate's Federal Division, which offers AppGate's market-leading cybersecurity capabilities to federal agencies and departments.

Prior to joining AppGate, Touhill was appointed by President Barack Obama as the nation's first ever Federal Chief Information Security Officer in 2016, where he was responsible for ensuring that the proper set of digital security policies, strategies and practices were adopted across all government agencies.

Touhill is a retired U.S. Air Force officer and combat veteran who served in several commands around the world, including U.S. Transportation, Central, and Strategic Commands, and led the creation of the Air Force's cyberspace operations training programs. He is a sought-after speaker and author within the information technology industry, where he is best known for his "Cybersecurity for Executives: A Practical Guide," which is used widely at colleges and universities across the country.
