Recently our own Twain Taylor here at TechGenix described some recent acquisitions happening in the IT security space and why they’re important for customers to know about. One of the acquisitions he talked about was how Symantec had recently snapped up Luminate, a leader in the software-defined perimeter technology space. For the benefit of those of our readers who are unfamiliar with software-defined perimeter technologies and why many companies are now transitioning away from virtual private networking (VPN) to SDP as a better solution for secure remote connectivity for their workforce, I recently had a chat with Don Boxley, CEO and co-founder of DH2i, a company that makes multiplatform software-defined perimeter software for Windows and Linux that enables enterprise applications to connect securely and move freely among bare-metal, virtual, and cloud environments. With more and more businesses leveraging the power of cloud computing, and with their employees working more frequently from home or at coffee shops, the traditional approach of using perimeter-based VPNs to grant authenticated users access to remote corpnet resources is beginning to give way to the newer SDP approach that utilizes policies to grant user access to specific resources such as applications instead of the entire internal network.
Risks of VPNs
I began my conversation with Don by pointing out that while VPNs are often seen as a way to safeguard anonymity for users on the Internet, they’re also commonly used in corporate environments for secure remote access. When I asked Don about the risks involved when using the VPN approach, he agreed that the most common way to “securely” access networks for many years now has been via a VPN. “While the main business advantage of using a VPN is generally thought to be improved security via the technology’s end-to-end encryption capabilities,” Don said, “the fact is that VPNs not only expose sensitive data to increased security risks but in today’s cloud-based environment, they actually multiply those risks exponentially.”
I asked him to elaborate a bit about the nature of these risks associated with using VPNs in corporate environments. “One of the primary ways VPNs endanger data security,” Don said, “is that enterprises usually end up needing to manage multiple types of VPN connections to accommodate the networking technology of each third party (vs. requiring vendors to use just one VPN, which can be ridiculously expensive). Not only does this become a painful administrative headache, it also generates much more room for lateral movement attacks since it vastly expands the network surface area that is exposed and vulnerable since users gain access to a ‘slice of the network’ so to speak. Not only do inbound connections create attack surfaces, but without application-level segmentation, it’s impossible to reduce attack surfaces, leaving networks vulnerable.”
Don continued: “You may be asking yourself, ‘Why is this happening now?’ as VPNs have been the venerable ‘go-to solution’ for secure endpoint connections that safeguard data from hackers.” That’s exactly what I was going to ask Don next. He replied that “The answer is that VPN technology was not engineered or intended for a world of mobile devices, virtual teams, and third-party vendors tapping into the network; it was created with traditional on-premises security in mind. The VPN model originated in a different era — when an on-premises, non-cloud environment was king, with physical servers and virtual machines. In such a world, VPNs were appropriate. But today, IT is much more likely to incorporate hybrid cloud settings, blending on-premises with public/private cloud environments. Each time you layer on another IT scenario, your chances for data exposure and security breaches increase.”
And it gets even worse. “This opens another can of worms when someone is continuing to buy into the myth of VPN security,” Don said. “It is now much more difficult for organizations across various industries/markets to enable business partners and other third-party organizations with secure access to internal data and infrastructure in today’s digital economy. Enterprises can’t underestimate this challenge and just go with what’s worked in the past, since granting access to any third party represents a huge security risk that can lead to a number of technical and business threats that weren’t in play back in the days when the only concern was on-premises security.”
Software-defined perimeter vs. VPNs
I next asked Don how the software-defined perimeter model differs from the VPN approach and how it circumvents VPN’s security issues. “Basically, in three ways,” he said. “One, it creates greater security by granting connectivity across multiple clouds, sites, and domains to distributed apps and clients; two, it gives users access at the application level, moving beyond network-level access; and three, it decreases lateral attacks, creating an environment I like to describe as ‘secure by default,’ which is achieved by giving remote users access only to specific services. The software allows you to shift workloads as needed from cloud to cloud, leading to the ability to avoid the threat of cloud vendor lock-in. A software-defined perimeter solution also eliminates chaos by allowing for installation on any host, without network reconfiguration or appliance hassles. In short, innovative networking software such as software-defined perimeter can help organizations navigate today’s security challenges, including hybrid and multicloud deployments, reducing attack surface as well as the vulnerability of their key data.”
I pointed out next to Don that users living in countries with oppressive governments often use VPNs to hide their Internet activities from authorities and communicate with people beyond their country’s borders. I asked him then if software-defined perimeter software should be utilized similarly in such situations or whether SDPs were only workable when they’re deployed inside trusted borders of a country or group of countries. Don simply answered, “Yes. Policy-based, secure access and network segmentation create one-to-one network connections between the user and the resources they access. Everything else is completely invisible and untraceable, even the system itself. This not only applies the principle of least privilege to the network but also reduces the attack surface area by hiding network resources from unauthorized lookers and potential users. To enable total privacy, data security, and classification,” Don said, “software-defined perimeters provide client and endpoint protection, identity and access management, OS and application-level security — all while encrypting traffic with mutual TLS and DTLS encryption.”
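The difference Don describes between network-level access and per-application, deny-by-default policy can be made concrete with a small model. The following is an added illustration, not DH2i’s product code or any real SDP implementation; the subnet, user names, and service tuples are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Set, Tuple


@dataclass(frozen=True)
class Request:
    user: str             # authenticated identity
    device_trusted: bool  # endpoint posture check passed
    host: str             # destination address
    port: int
    app: str              # named service the client asked for


# VPN model: once authenticated, the client is routed into the whole subnet.
VPN_ROUTED = ipaddress.ip_network("10.20.5.0/24")  # constructed sample network


def vpn_allows(req: Request) -> bool:
    """Network-level grant: any host in the routed subnet is reachable."""
    return ipaddress.ip_address(req.host) in VPN_ROUTED


# SDP model: deny by default; each grant names one user and one service.
# Constructed sample policy, not a real deployment.
SDP_POLICY: Dict[str, Set[Tuple[str, int, str]]] = {
    "alice": {("10.20.5.10", 443, "payroll-web")},
    "vendor-bob": {("10.20.5.22", 5432, "reporting-db")},
}


def sdp_allows(req: Request) -> bool:
    """Application-level grant: exact (host, port, app) match for a trusted device."""
    if not req.device_trusted:  # posture failure: nothing is visible
        return False
    return (req.host, req.port, req.app) in SDP_POLICY.get(req.user, set())


def lateral_reach(model: Callable[[Request], bool], user: str, port: int = 22) -> int:
    """Count hosts in the subnet the user could reach on `port` under a model."""
    return sum(
        model(Request(user, True, str(h), port, "ssh")) for h in VPN_ROUTED.hosts()
    )


if __name__ == "__main__":
    print("VPN reach for alice on port 22:", lateral_reach(vpn_allows, "alice"))  # 254
    print("SDP reach for alice on port 22:", lateral_reach(sdp_allows, "alice"))  # 0
```

The `lateral_reach` figure is the point of the exercise: the VPN grant exposes every host in the subnet to a user who only needs one application, while the policy model exposes nothing beyond the granted service.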
To close our discussion, I asked Don if he could pull everything together on this subject in a few succinct words. “The age-old management proverb that says ‘what got you here won’t get you there’ is equally true for IT,” he said. “As a traditional perimeter security solution, VPNs worked in the old world of physical servers and virtual machines, but they don’t have what it takes to protect data in today’s heterogeneous, hybrid, multicloud environment. It’s time to let go of the VPN security myth and embrace today’s new realities with a progressive security solution that’s specifically designed to accommodate the cloud and today’s digital transformation reality.”