VPN: The End of an Era?

In a day and age where the importance of securing communications is finally gaining the recognition it deserves, too many enterprises are still looking at traditional VPNs as the best means to handle access and interconnection. While some may still be tied to existing implementations by regulatory constraints, most could gain additional measures of protection and flexibility by breaking that aging mold. Every organization, regulated or not, should be reassessing its current footing. The move to cloud and the final acknowledgement of the disappearance of the perimeter have made this imperative. Modern interconnection has to take context and identity to new levels to counter current risks.

The typical enterprise network has a host of interconnections and, historically, they’ve been broken down into access and remote links. The former allowed individual users and applications to connect to all of the things inside the perimeter, and the latter were aggregated links to branches and partners. There has been a considerable muddying of that distinction, as resources are distributed and new approaches, like SD-WAN, offer other options. In the world of access, Cloud Access Security Brokers (CASB) have become a means of providing secure access to cloud-based services and a clearing house for user authentication, supplanting many access VPN functions. Even CDN provider Akamai is offering secure access through its Soha acquisition. The world has clearly changed and enterprises have to catch up to the new reality.

One of the larger pieces of this transition is that enterprises are being pushed to apply greater context to securing connections. More sophisticated attackers have changed the game, as a host of recent successful attacks have illustrated. While access VPNs have a long history of using multifactor tokens as part of their identity proof, authenticated users often had wide access to resources behind the VPN gateway. Connections with partners often compromised on restrictions in the face of pressures to get connectivity established quickly. With a perimeter-centric security approach, this has created a large internal access risk. When the density of VPNs gets multiplied by the demands of the march to multi-cloud connectivity, that large risk can be compounded by the operational complexity that managing links to multiple VPCs in multiple clouds creates.

So what’s a path forward that can mitigate that risk and still give enterprises the agility that modern environments demand? The first step is to unify planning around access and remote connectivity requirements. Remote connectivity requirements have become much more like those of users, with short durations and varied network options. Cloud, partner and application links need faster provisioning and more complex authentication. All of these needs have to be rationalized at least within a common infrastructure, if not within a single technology.

The second step is to understand that there has to be greater context in access configuration on both ends of the connection. The connection has to be constrained by where it’s coming from and where it’s going to. For access applications, that’s going to mean some level of source geo-tagging and an awareness of the state of the source system. Identity still has a critical role. The connection end point has to be limited to the specific application it’s being used for. Enterprises have to consider automated uses that will be leveraging APIs for application integration as part of the expanded role. The bottom line is that there has to be much more granular isolation available in the connection process and the only way to manage that is through expanded context.
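One way to express the per-connection checks described above, shown beside the perimeter-style decision they replace. This is an added example, not code from the article or from any vendor product; the rule fields, identities, country codes and application names are constructed for illustration, and the authentication, geolocation and posture results are assumed to come from other systems.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    identity: str          # user or API client the rule applies to
    application: str       # the single application the connection may reach
    countries: frozenset   # permitted source geographies (country codes)
    require_healthy: bool  # source system must pass a posture check

@dataclass(frozen=True)
class Request:
    identity: str
    authenticated: bool    # outcome of MFA or API credential validation
    source_country: str    # outcome of source geo-tagging
    device_healthy: bool   # outcome of the source system state check
    application: str       # destination the connection is asking for

# Constructed sample policy: one human user and one automated API client.
POLICY = [
    Rule("alice", "payroll-web", frozenset({"US", "CA"}), True),
    Rule("svc-inventory", "orders-api", frozenset({"US"}), False),
]

def legacy_vpn_allows(req):
    """Perimeter model: an authenticated user reaches anything behind the gateway."""
    return req.authenticated

def evaluate(req, policy=POLICY):
    """Return (allowed, reason). Deny by default; every context check must pass."""
    if not req.authenticated:
        return False, "identity not proven"
    reason = "no rule grants this identity access to this application"
    for rule in policy:
        if (rule.identity, rule.application) != (req.identity, req.application):
            continue
        if req.source_country not in rule.countries:
            reason = "source geography not permitted"
        elif rule.require_healthy and not req.device_healthy:
            reason = "source system failed posture check"
        else:
            return True, "allowed: " + rule.application
    return False, reason

if __name__ == "__main__":
    lateral = Request("alice", True, "US", True, "orders-api")
    print(legacy_vpn_allows(lateral), evaluate(lateral))
```

The same authenticated request that the perimeter model lets through to `orders-api` is refused here because no rule ties that identity to that application.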

A third aspect that enterprises should consider is the behavioral piece of any connection. This may be an area where external tools contribute value. Integrating perspectives on the volumes of data that are being moved and time-of-day activity levels can enhance the assurance that all is well with a connection. Some vendors provide this capability within their products and services. Some enterprises prefer to use independent controls to accomplish this level of accountability.

Altogether, secure connectivity has to adapt to a new reality. Greater context and agility are available today to make this real. Enterprises need to grab this with both hands to remain secure.

The ONUG Open SD-WAN Exchange working group is addressing a range of VPN use cases as part of their broader work around more agile and open network infrastructure. They’ll have information at the ONUG Europe conference to offer a broader perspective on what more secure and manageable interconnection should look like.

 

Author's Bio

Eric Hanselman

Chief Analyst at 451 Research