For at least the past two decades, VPNs have been the most used method of accessing company files outside of the office. However, the once-popular technology has proven to be ineffective when it comes to modern work. Many businesses see Virtual Private Networks (VPNs) as a major risk and security weakness in their systems. 

One of the most notable examples of VPNs failing from a security perspective is the Colonial Pipeline debacle of 2021. In this colossal blunder, which led to massive fuel shortages throughout the United States’ East Coast, cybercriminals were able to crack the Colonial Pipeline’s environment by using a former employee’s VPN password. The VPN account was not tied to multifactor authentication and was not monitored.

The rest was history once the hackers were in. The compromised VPN allowed the crooks to move laterally in their environment and gain access to everything that was meant to be secure. The intruders were able to shut down operations and ransom the company for a large sum of cryptocurrency. And they were successful.

The Colonial Pipeline paid roughly $5 million in ransom to the hackers.

All this could have been avoided if the Colonial Pipeline had moved beyond VPN usage for frontline employees. But why have VPNs become so antiquated in recent years? What makes them so vulnerable? And most importantly, how can businesses operate in a hybrid work environment without VPNs?

 

What makes VPNs so vulnerable?

One of the main challenges to VPNs is ease of access. Once a successful VPN connection has been established, whoever is using that connection has the ability to access the entire domain internally. The only thing standing in the way are credentials, like a username and password, of a privileged (administrator) account. Once the credentials are cracked, the user (whether wanted or not) is then able to move laterally throughout an environment – accessing everything.

The issue often stems from the management of VPN credentials. Many times, VPN credentials are poorly managed and end up in the wrong hands. Companies fail to use multifactor authentication and often, removing VPN access for a former employee is a manual effort. The problem is pervasive and immediate, so much so that the FBI recently issued a warning about US universities’ VPN credentials being put up for sale on Russian crime forums. The mismanagement of credentials can come as the result of an error in manual efforts to reset or terminate usernames and passwords, or can even be caused by an error in automation.

Whatever the reason, businesses’ VPN credentials are compromised time and again. This makes VPN usage one of the most predominant attack vectors.

 

VPNS are indicative of a legacy architecture

It is unfortunate, but many companies are completely aware that VPN services are an obvious attack vector, yet simply choose not to address the issue. Because VPNs are so engrained as a necessary part of their operations, they refuse to change. After all, forcing a shift in operations is almost always difficult and is often met with resistance.

Those reluctant to adjust are likely using legacy infrastructure. VPNs are a crucial component of the legacy “Castle and Moat” model, where on-premises servers are used for storage, print, identity, and more. The strategy relies on keeping everything good inside the domain (where servers live) and keeping everything bad out.

The “Castle and Moat” model was largely disrupted when the pandemic forced a shift to hybrid work. When all your employees are outside the domain, the model is broken.

Because the usage of VPNs is so commonly recognized as an antiquated practice, cybercriminals see their presence as indicative of a legacy environment. This makes organizations that overutilize VPNs an easy target. Compromising a VPN connection is a first step for a cybercriminal. Then the attacker moves on to obtaining admin credentials and examines what low-hanging fruit there is to exploit.

 

VPNs provide a poor employee experience

VPNs were never meant to support every employee in an organization, and the price of licenses can add up quickly. This became glaringly evident, again, through the forced shift to remote work during the pandemic. Businesses that once granted VPN access to a select few suddenly encountered the issue of their entire workforce requiring access. Consequently, the costs of VPN licenses quickly skyrocketed for those met with this challenge.

In this same scenario, companies encountered overcrowding in their VPNs. This made access to the VPN’s pipeline extremely slow as too many people were using it at once. The lag caused by the congested pipeline caused performance issues and resulted in decreased productivity.

Finally, the act of simply signing into a VPN is just plain cumbersome for many organizations. To get in, users need to turn on the VPN and then access the pipeline. This is often complicated by issues with a connection being rejected, complex firewall settings, or VPN software issues. These sign-in issues can create a surplus of support tickets for help desks, costing time and money.

 

VPNs lack access to modern work tools

Those using VPNs to allow their employees access to files are missing out on the benefits of modern work technologies. Architectures that have moved beyond VPNs allow for live collaboration, automated backup, and syncing capabilities.

Consider software like OneDrive, SharePoint, or Teams. These modern technologies allow for live collaboration and don’t require a VPN for access. Without modern tools, employees are forced to rely on dated work processes like emailing files back and forth to one another and waiting for replies.

 

The solution – a cloud-based Zero Trust infrastructure

Fortunately, VPNs are no longer necessary for groups embracing a cloud-based Zero Trust infrastructure. This ultra-modern methodology makes the “Castle and Moat” strategy obsolete by providing employees access to resources from anywhere, and on any device. The cloud-based system speeds up work, promotes collaboration, and is user-friendly, providing a secure connection for users and devices.

Further, the cloud resource is drastically more secure. Zero Trust architecture assumes every access request is a potential breach on your network.

It, therefore, runs a dynamic policy check on device state, user identity, geolocation, and more each time an access request occurs. The system explicitly verifies the request before granting access, allowing secure access. Zero Trust also limits user access to only the requested resource using a concept known as “Least Privilege Access.”

 

Conclusion

Now is the time to move past VPNs. By embracing a modern cloud-based Zero Trust architecture, your business can eliminate the crutch of VPNs and their accompanying security vulnerabilities. All while improving your team’s experience with technology and creating a more secure environment.

 

 

 

Contact us to learn more about zero trust

 

Shane Sloan

Shane is our Vice President of Products and Innovation our managed service line of business as well as our enterprise Intune migration program. Shane is a graduate of Vanderbilt University’s Owen Graduate School of Management with a Master’s in Business Administration (MBA). Prior to joining Mobile Mentor, Shane spent 9 years at AIG’s Life Insurance division focused on development, automation engineering and quality assurance leadership. In 2007, Shane obtained a Bachelor’s of Science in Information Technology from Colorado Technical University. Prior to undergrad, Shane had a distinguished career with the US Army as a Blackhawk helicopter crew chief.