Cyber Defense Magazine – August 2019


One of the main ways VPNs endanger data security is that enterprises often end up having to manage
multiple types of VPN connections to accommodate the networking gear of each third party. (The
alternative, requiring every vendor to use a single VPN, can be very costly.) Not only is this juggling act an
administrative nightmare, it also creates far more room for lateral movement, because it massively
expands the network surface area that is exposed and vulnerable: each VPN user gains access to a
"slice of the network," so to speak, rather than to a single application. Inbound connections create attack
surface, and without application-level segmentation that surface cannot be reduced, leaving networks vulnerable.
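The contrast drawn above, a network "slice" granted by a VPN route versus a per-application policy, can be made concrete by computing what a third-party identity can actually reach under each model. The following is an added illustration, not code from the article or from any vendor; the service inventory, the identity "vendor-a", the routed subnet and the policy table are all constructed sample data.

```python
"""Compare the reachable surface granted by a coarse network-level VPN route
with that of an application-level (per-service, deny-by-default) policy.

Added example with constructed data: the inventory, identities, routes and
policies below do not describe any real environment.
"""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Service:
    name: str
    host: str   # IPv4 address as a string
    port: int


# Constructed inventory: four internal services sharing one subnet.
INVENTORY: List[Service] = [
    Service("vendor-portal", "10.20.0.10", 443),
    Service("payroll-db", "10.20.0.11", 5432),
    Service("file-share", "10.20.0.12", 445),
    Service("build-server", "10.20.0.13", 22),
]

# Network-level VPN grant: the vendor's tunnel is routed to a whole subnet,
# the "slice of the network" described in the text (constructed).
VPN_ROUTES: Dict[str, List[str]] = {
    "vendor-a": ["10.20.0.0/24"],
}

# Application-level policy: identity -> names of the services it may use.
# Anything not listed is not exposed to that identity at all (constructed).
APP_POLICY: Dict[str, Set[str]] = {
    "vendor-a": {"vendor-portal"},
}


def reachable_via_vpn(identity: str, inventory: List[Service] = INVENTORY) -> Set[Service]:
    """Every service whose host lies inside a routed subnet is reachable at the
    network layer, whether or not the identity has any business with it."""
    nets = [ip_network(cidr) for cidr in VPN_ROUTES.get(identity, [])]
    return {s for s in inventory if any(ip_address(s.host) in n for n in nets)}


def reachable_via_app_policy(identity: str, inventory: List[Service] = INVENTORY) -> Set[Service]:
    """Only explicitly allowed services are reachable (deny by default)."""
    allowed = APP_POLICY.get(identity, set())
    return {s for s in inventory if s.name in allowed}


def surface_reduction(identity: str) -> Tuple[int, int]:
    """Return (services exposed under the VPN route, services exposed under the app policy)."""
    return len(reachable_via_vpn(identity)), len(reachable_via_app_policy(identity))


def lateral_targets(identity: str) -> Set[str]:
    """Services reachable under the VPN route that the app policy never grants:
    the extra surface a compromised vendor account could move laterally into."""
    extra = reachable_via_vpn(identity) - reachable_via_app_policy(identity)
    return {s.name for s in extra}


if __name__ == "__main__":
    print(surface_reduction("vendor-a"))           # (4, 1)
    print(sorted(lateral_targets("vendor-a")))     # the three services the vendor never needed
```

The point of the model is the difference between the two counts: the VPN route exposes every host the subnet happens to contain, while the application-level policy exposes exactly one service, and an identity with no policy entry reaches nothing. In a real deployment the inventory and policy would come from the access broker or firewall configuration rather than from inline tables.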


Why Now?


Why now, when VPNs have been the venerable "go-to" for secure endpoint connections that safeguard
data from hackers? The answer lies in the fact that VPN technology was not designed for a world of
mobile devices, virtual teams, and third-party vendors tapping into the network; it was made with
traditional on-premises security in mind. The VPN model came into being in a different era, when an
on-premises, non-cloud environment was king, with physical servers and virtual machines. In such a world,
VPNs were appropriate. But today, IT is much more likely to incorporate hybrid cloud settings, blending
on-premises with public/private cloud environments. Each time you layer on another IT scenario, the
chances for data exposure and security breaches increase.


This points to a significant problem with continuing to buy into the myth of VPN security. Digital
transformation has made it much more difficult for organizations across multiple industries to give
business partners and other third parties secure access to internal data and infrastructure.
Organizations cannot afford to take this challenge lightly and simply go with what has worked in the past:
granting access to any third party is a major security risk that can lead to a range of business and
technical threats and vulnerabilities that were not in play when the only concern was on-premises
security.


Simply giving a partner or vendor access to your system in a cloud environment means that your
security level instantly drops. Not only is there a chance of inadvertently inviting malware into your
system, but the safety of your organization's applications and information is now at the mercy of that
vendor's security controls. If their controls are weak, then so are yours. All it takes for your data to be
compromised is for one unauthorized party to compromise the vendor's system, and that attacker can
then gain access to your network. Consider the biggest recent data breaches – many can be traced back
to a third-party vendor. Add to this the fact that remote access VPNs are complex to configure, and you
have created the perfect storm for a suboptimal system.


Traditional Perimeter Security Is Now Officially Obsolete


For those who continue to depend on VPNs for secure web connections, it is time to face the fact that
traditional perimeter security is now officially obsolete. Today, the cloud is ubiquitous. Technology has
moved on when it comes to network perimeter security. Proactive organizations have updated their
