The evolution of the VPN and its importance in the age of cloud computing

Grey padlock with inscription VPN on a pile of steel chain close up
(Image credit: Shutterstock)

Back in 1996, a Microsoft engineer by the name of Gurdeep Singh-Pall developed the Peer-to-Peer Tunneling Protocol (PPTP). The goal was to use IP addresses to switch network packets and offer employees a secure and private means of connecting to their organization’s intranet. It was a watershed moment that would instigate the advent of VPN technology.

In its beginning stages, when the VPN was employed by professional users to work remotely, the majority of systems and applications were used within the company data center. Consider Microsoft Exchange, for example. To use the platform, individuals were required to use a Messaging Application Programming Interface (MAPI) or a Remote Procedure Call (RPC) client to access their emails. This meant users also had to be on the VPN network, unless they had significant security holes in their firewalls. However, in 2003, a new connection protocol termed RPC over HTTPS emerged, which allowed a client to connect to a Microsoft Exchange Server through an SSL-secured channel on the internet; thus, eliminating the need for a VPN and eventually, enabling the ‘Outlook Anywhere’ model.

Today, we find ourselves in the age of cloud computing and the way in which we access applications, email or otherwise, has been further revolutionised. All of our files, applications etc. can be hosted by a third-party server and made available through the internet. Returning to the email example, rather than having to set up an ‘Exchange Server’ on the company server to host and manage emails, this can now be done on the Cloud through Office 365. In other words, we are seeing most productivity applications becoming ‘webified’.

In light of this, some sceptics have begun to question the relevance of VPNs at all. They may have been useful in offering secure access to data when we had a clear and defined network perimeter, but these lines have blurred considerably with cloud computing and the employment of software as a service (SaaS) tools. Add to this the recent surge in remote working, and many would go as far as declaring VPNs all but dead. Yet, such a blanket statement fails to recognize that VPNs are simply evolving and what we are seeing is a change in how they are used and who is using them. The remote worker VPN may have become redundant but in a number of other situations, they are still the best way of securing internet traffic.

Protecting the route between your cloud and on-premise systems

One such situation is in the connection between an organization’s cloud environment and on-premise systems.

Formerly, secure channels created by traditional VPNs might have been compromised as a result of an end-user falling victim to a phishing attack or the like. Lack of network segmentation would then allow bad actors to navigate across to critical infrastructure. In this use-case, however, the VPN creates a safeguarded tunnel through which data can be transferred and it is integrated with the cloud infrastructure. This means employees can safely access data without ever seeing its implementation, while organizations gain granular control of user-access.

Access to data and services are limited based on a range of criteria from job role and location, to the type of network used and the data being retrieved. In this way, this adapted form of VPN is critical to meeting the tenets of Zero Trust Architecture. Nevertheless, organizations should ensure that the VPN never terminates at the heart of the data center as this places too much trust on the origination point.

Securing remote administration sessions

Whether to enable an employee to utilize programs located on their office desktop or to have IT support step in and troubleshoot technical issues, remote administration sessions are indispensable; particularly, during this year’s mass experiment with remote working. Unfortunately, running such sessions puts a target on one’s back if not done securely and if ports are left exposed. Attackers will undoubtedly be quick to take advantage of this easy pathway to unrestricted control of a device, from mouse and keyboard to everything on screen.

As such, it is pivotal that a VPN is employed to fortify these sessions. More importantly, this should be paired with strong authentication. As earlier mentioned, there are security limitations when an employee is involved in the implementation of a VPN. All it takes is one mis-click of a phishing link, inviting an unsuspecting user to share their credentials. Once a bad actor has captured login details, it won’t be long before they connect to the VPN and the network in general. Therefore, multi-factor authentication is critical. Even if a user’s credentials are compromised, cybercriminals would be hard-pressed to get past a second security check; be it a one-time, time-sensitive password sent to a separate device or the use of biometrics. Above all else though, default credentials should be immediately removed. It may appear obvious, but it is regrettably, a common mistake that has been frequently leveraged by cybercriminals.

Alongside strong authentication, organizations should adopt behavioral analytics as well, bringing us to our third use-case.

The consumer VPN

The popularity of VPNs has boomed outside of the working environment and into everyday life, as the general consumer population begins to understand the risks of using unsecure networks. With a VPN, users can encrypt their traffic and secure it across unprotected hops, or trips that data packets make from a router to another point in the network. This prevents users from falling victim to an ‘Evil Twin’ Wi-Fi attack, for example, whereby a fraudulent Wi-Fi access point is manipulated to snoop through the users’ traffic. In this way, allowing users to safely perform tasks such as accessing their bank account from a local coffee shop.

From an organizational point of view, security teams should be keeping an attentive eye on user behavior during VPN sessions. While strong authentication is important, it does not highlight when credentials may be misused or if the business is facing an insider threat. Monitoring behavior will help businesses to detect suspicious behavior and proactively respond to minimize the damage. With these audits, organizations can better protect their intellectual property as well as general operations.

The VPN continues to be valuable in a number of ways. It can support organizations in securing the movement of data between on-premise systems and the Cloud, it safeguards remote administration sessions, and it enables consumers to encrypt their internet traffic regardless of the Wi-Fi they log into. Nevertheless, the effectiveness of a VPN is dependent on three key factors. Firstly, the VPN should never terminate in a data center. Strong authentication as well behavioral analytics should also be applied alongside. We need to ensure that admin VPNs are correctly configured and assume that anyone and everyone is a potential threat, whether they possess the encryption keys or not. Skepticism here is our best defense.

Dan Conrad, field strategist, One Identity

Dan Conrad is field strategist for One Identity. He retired from the USAF in 2004 and returned to government IT as a contractor where his primary focus was Active Directory design, migration, and sustainment.