“Don’t VPN yourself into a box, and don’t get mad at the box, design a better box”

July 17, 2023
4 min read

How to stay secure and maintain remote availability of your resources in 2023

Many of our clients ask us to help strategize and design a solution that maintains business flexibility and scales resources securely. For years "the industry" has pushed everyone towards this concept of "zero trust". Many organizations have leveraged VPN cryptography as a core part of their network infrastructure and security for a long time, and I want to state today that, outside of individual use of a client VPN while traveling or operating on less-than-trustworthy networks, the use of VPN in an organization should be viewed as an infrastructure tool, not a security tool. With this in mind, you would then view the cryptography level chosen simply as a security layer for that infrastructure, not as a core part of your security posture. We should no longer be designing solutions that are reliant on VPN.

Before we delve into the world of Zero Trust, let's take a moment to acknowledge the role that Virtual Private Networks have played in securing our connections. Protecting your traffic online and connecting to organization resources was the brilliance of VPNs. They established a virtual private network and allowed us to extend our perimeter. VPNs have been a trusted tool for creating secure communication channels over public networks. Their encryption capabilities have allowed us to establish secure tunnels, protecting our data from prying eyes. This protects against external threat actors on the path between the two networks, but it does nothing to help if the threat actor is already on either side of the tunnel.

That becomes the problem today. We no longer operate on a perimeter security model. Our industry has shifted to adopting elements of Zero Trust, which has core roots going back to the 1980s. Although this isn't a new concept, adoption has been slow. It is important to know that VPNs are fast friends of threat actors who want bridges between networks. This is not to say that VPN cryptography is itself a problem. The issue isn't the technology; it is the methodology of what it represents. Zero Trust encourages us to "Assume Breach", and if we accept this concept, we can recognize that VPNs become an expressway for malicious intent. As technology evolves and threats become increasingly sophisticated, relying solely on VPNs poses certain operational risks that we cannot overlook. VPNs assume that once a user gains access to the network, they are inherently trustworthy, granting them broad access to resources behind the firewall. This "trust once inside" approach can lead to potential vulnerabilities, as it only takes a single compromised user or device to jeopardize the entire network.

Fundamentally, VPNs interconnect separate private networks. This presents risk to the organization: it allows easier lateral movement for organization-approved traffic, but it also enables lateral movement for threat actors. There are use cases for VPN technology, but over-reliance on this technology is reaching for a hammer for every problem.

Further Limitations of VPNs:

While VPNs have served us well in the past, they do have their limitations. VPNs provide a level of security but can become a bottleneck for remote access, since they require all traffic to be routed through a central hub. This can result in increased latency, reduced network performance, and potential scalability issues as the organization grows. Additionally, managing VPNs can be complex and time-consuming, involving the distribution and maintenance of client software, certificates, and credentials.

At Tigunia, we recognize the incredible risk related to third-party vendors leveraging VPNs to connect to client organizations, and as a result we take great steps to help provide our clients with other solutions. Sometimes you simply rely on the ability to access core infrastructure remotely, and for those scenarios we advise using an applicable tool that performs authentication and authorization at each step. These tools often require us to re-design some of our business applications or even core underlying services, but in the long run, we are all better off.
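To make the "trust once inside" contrast concrete, here is an added example (not Tigunia's code or any product's) that evaluates the same access request under a perimeter rule and under a per-request zero-trust policy. The VPN address pool, device posture list, resource grants, token lifetime and every request in it are constructed sample data; the posture service and token issuer they stand in for are assumptions.

```python
"""Perimeter ("on the VPN, so trusted") versus per-request authentication and authorization."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# --- constructed sample policy data; none of this comes from a real environment ---
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")     # assumed VPN client address pool
COMPLIANT_DEVICES = {"lt-0042", "lt-0077"}         # devices an assumed posture service reports healthy
GRANTS = {                                         # explicit per-resource entitlements
    "alice": {"erp-app"},                          # alice is a hypothetical vendor account
    "bob": {"erp-app", "db-admin"},
}
TOKEN_MAX_AGE = timedelta(minutes=15)              # a fresh authentication must back every request


@dataclass
class AccessRequest:
    user: str
    source_ip: str
    device_id: str
    resource: str
    token_issued_at: datetime  # when the caller last proved their identity


def perimeter_decision(req: AccessRequest) -> tuple[bool, str]:
    """'Trust once inside': any address in the VPN pool reaches every resource."""
    if ipaddress.ip_address(req.source_ip) in VPN_POOL:
        return True, "inside perimeter"
    return False, "outside perimeter"


def zero_trust_decision(req: AccessRequest, now: datetime) -> tuple[bool, str]:
    """Authenticate and authorize the request itself; network location plays no part."""
    # 1. The identity must be known to the policy.
    if req.user not in GRANTS:
        return False, "unknown identity"
    # 2. The authentication must be recent, so a stale or stolen session stops working on its own.
    if now - req.token_issued_at > TOKEN_MAX_AGE:
        return False, "authentication too old"
    # 3. Device posture is checked on every request, not only when a tunnel comes up.
    if req.device_id not in COMPLIANT_DEVICES:
        return False, "device not compliant"
    # 4. Entitlement is per resource, so a legitimate user still cannot wander laterally.
    if req.resource not in GRANTS[req.user]:
        return False, f"no grant for {req.resource}"
    return True, "allowed"


def evaluate(req: AccessRequest, now: datetime) -> dict:
    """Return both decisions side by side for one request."""
    return {"perimeter": perimeter_decision(req), "zero_trust": zero_trust_decision(req, now)}


# Constructed scenarios evaluated at a fixed clock.
NOW = datetime(2023, 7, 17, 12, 0, tzinfo=timezone.utc)
SCENARIOS = {
    # A compromised laptop that still holds a VPN address: the perimeter lets it through.
    "compromised_device_on_vpn": AccessRequest(
        "bob", "10.8.0.23", "lt-unknown", "erp-app", NOW - timedelta(minutes=2)),
    # A vendor on the VPN trying to reach a resource they were never granted.
    "vendor_lateral_move": AccessRequest(
        "alice", "10.8.0.40", "lt-0042", "db-admin", NOW - timedelta(minutes=1)),
    # A session token reused hours later from the VPN pool.
    "stale_session_on_vpn": AccessRequest(
        "bob", "10.8.0.23", "lt-0077", "erp-app", NOW - timedelta(hours=6)),
    # Remote availability without a VPN: a fresh, compliant, entitled request from the internet.
    "remote_user_no_vpn": AccessRequest(
        "bob", "203.0.113.9", "lt-0077", "db-admin", NOW - timedelta(minutes=3)),
}


if __name__ == "__main__":
    for name, req in SCENARIOS.items():
        r = evaluate(req, NOW)
        print(f"{name:28} perimeter={r['perimeter']}  zero_trust={r['zero_trust']}")
```

The point of the four scenarios is the first three: every one of them is "inside" by the perimeter rule, and every one is refused by a policy that re-checks identity, freshness, device and entitlement per request. The last scenario shows the flip side the post is after: a compliant, entitled user is served from any network, so remote availability does not depend on first bridging the two networks together.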