It’s 2025. Do you know where your VPN is?
IT teams considering remote network access have traditionally leaned toward virtual private networks (VPNs). But after a year that saw a number of attacks on that remote-access infrastructure, some organizations are rethinking their approach, including a move to software-defined perimeters (SDPs).
Jim Coyle, US public sector CTO at Lookout, told IT Brew that the situation is complicated.
“There’s still a need, even in large corporate environments, for VPNs,” Coyle said. “It’s a very specific use case; if you have explicit trust, then a VPN can be utilized, meaning you know the user, you know the environment, you know the hardware that they’re on, and you run all of it.”
That doesn’t necessarily mean that VPNs are secure, however. DH2i co-founder and CEO Don Boxley Jr. told IT Brew in November that he has concerns over how the attack surface has evolved because VPNs are so pervasive, and urged a rethink of how organizations approach remote network security.
“The real issue for those large organizations is where they’ve got thousands of people accessing critical systems via VPNs,” Boxley said.
Drawbridge, down. Zscaler, which offers zero-trust network access (ZTNA) built on software-defined perimeter principles, notes on its site that SDPs were “first conceptualized by the Defense Information Systems Agency (DISA) in 2007” and have spread across the industry in recent years because they let organizations apply security controls to cloud-hosted resources.
Boxley compared the difference between a VPN and an SDP to a castle. A VPN, he explained, is like being let into a castle surrounded by a moat: the moat protects you, but once inside you can move around the castle, even into places you are not supposed to go. An SDP also lets you into the castle, but then locks you into the room you are in and only lets you move to areas that have already been defined.
“I’m giving them access to a specific program; that’s all they’re going to have access to and they won’t be able to, no matter how clever they are, break out,” Boxley told IT Brew. “Using the breakout room/escape room analogy, they’re locked in, and that’s all they can do.”
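The castle analogy maps onto two different access-policy shapes. The toy policy engine below is an added illustration, not code from IT Brew, Lookout, DH2i or Zscaler: the moat-style VPN policy checks only that the session is authenticated and that the target sits inside the routed subnets, so any host on the internal network is reachable; the SDP-style policy defaults to deny, requires a managed device (Coyle’s “you know the hardware”), and grants each user only named application endpoints. The users, hosts, ports and grants are constructed for the example.

```python
"""Moat-style VPN access vs. per-application SDP access, as a toy policy engine.

Added example; hosts, users and grants below are constructed, not taken
from any real deployment.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Session:
    user: str
    authenticated: bool
    managed_device: bool  # is this hardware the organization controls?


class VpnPolicy:
    """Once past the moat, anything on the routed subnets is reachable."""

    def __init__(self, routed_subnets):
        self.routed = [ip_network(n) for n in routed_subnets]

    def allows(self, s: Session, host: str, port: int) -> bool:
        if not s.authenticated:
            return False
        addr = ip_address(host)
        # No per-application check: port and user identity are irrelevant.
        return any(addr in net for net in self.routed)


class SdpPolicy:
    """Default deny; a user sees only the (host, port) pairs granted to them,
    and only from a managed device."""

    def __init__(self, grants):
        self.grants = {user: set(apps) for user, apps in grants.items()}

    def allows(self, s: Session, host: str, port: int) -> bool:
        if not (s.authenticated and s.managed_device):
            return False
        return (host, port) in self.grants.get(s.user, set())


# Constructed internal targets a remote user might try to reach.
TARGETS = {
    "payroll-web": ("10.1.2.3", 443),
    "domain-controller": ("10.0.0.5", 445),
    "dev-postgres": ("10.2.0.9", 5432),
}


def reachable(policy, session: Session, targets=TARGETS):
    """Names of targets the policy lets this session connect to, sorted."""
    return sorted(
        name for name, (host, port) in targets.items()
        if policy.allows(session, host, port)
    )


# Constructed policies: the VPN routes the whole 10/8; the SDP grants the
# contractor one web app and the DBA one database.
VPN = VpnPolicy(["10.0.0.0/8"])
SDP = SdpPolicy({
    "contractor": {("10.1.2.3", 443)},
    "dba": {("10.2.0.9", 5432)},
})


def compare(session: Session):
    """Side-by-side reach of one session under both policies."""
    return {"vpn": reachable(VPN, session), "sdp": reachable(SDP, session)}


if __name__ == "__main__":
    for s in (Session("contractor", True, True),
              Session("contractor", True, False),
              Session("dba", True, True)):
        print(s.user, "managed" if s.managed_device else "unmanaged", compare(s))
```

The contractor on a managed device reaches all three hosts through the VPN but only the payroll app through the SDP; the same contractor on an unmanaged device still reaches everything through the VPN and nothing through the SDP. That is the “locked in the room” property: the domain controller is simply not a grant, so no amount of cleverness at the network layer makes it reachable.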
Coyle told IT Brew that he agrees with that point of view in general, although “it’s going to be completely use-case dependent.”
“If I’m just working from home and I need to access corporate resources, it’s far safer to have a VPN replacement in that scenario, because now I can limit access to the resources and what happens with those resources,” Coyle said.
Raiders at the gate. Despite SDPs and other alternatives, VPNs remain prevalent. But change is coming, in part, ESG Senior Cybersecurity Analyst John Grady told TechTarget, because of the growing number of potential replacements.
“We’ve known there are issues with VPNs for years,” Grady said. “It wasn’t until the access paradigm became inverted with more users being outside of corporate locations than in. With the availability of alternative technologies, the need and possibility of exploring other options became real.”