Why Virtual Private Networks Aren’t Enough to Ensure Cybersecurity

Virtual private networks (VPNs) have been touted as an effective method to protect computers and networks against system breaches. But they aren’t the complete solution anymore, given the growing sophistication of cyber thieves and hackers. In this conversation with SupplyChainBrain Editor-in-Chief Bob Bowman, Bert Kashyap, co-founder and Chief Executive Officer of cybersecurity firm SecureW2, discusses what additional measures need to be taken.

SCB: Virtual private networks have long been touted as a solution to ensuring business cybersecurity. Is that still the case?

Kashyap: I think they will still play a part, but strategically long-term, we see a sunsetting of VPNs, or certainly their morphing into a new form. That’s going to be some years in the making, but we do see a horizon for change.

SCB: Where are the cracks that have shown in VPNs recently?

Kashyap: It’s at a very fundamental level, which is the fact that organizations traditionally trusted having a hard outer shell to protect themselves. VPN was one layer, and firewalls and other products also prevented you from getting in. But with the new set of challenges in cybersecurity, the model of just protecting yourself at the hard outer layer is no longer valid. Customers are moving toward what they believe is the next generation, which is zero-trust-based network access.

SCB: Do you feel like many have fallen prey to insecure VPNs? If so, why?

Kashyap: Yes. There are a couple of reasons why. One is that multiple vulnerabilities have been found in VPN devices by every manufacturer you can imagine. Some of them have been zero-day vulnerabilities, where patches hadn’t been released yet and weren’t visible to customers. And even when patches are released, if you don’t take advantage of them quickly, you’re still going to be potentially exposed. And with all these nation-state actors, you can’t rely on time being a friend here. The second aspect is around general authentication of VPNs. People haven’t moved to the newer models of authenticating users.

SCB: Traditional passwords methods are flawed?

Kashyap: The traditional method of using usernames and passwords was fine originally, but then there started to be all these credential compromises and phishing attacks. Then customers moved to multi-factor authentication, but that also has its challenges. More and more what we’re seeing is that in order to protect your network, you have to combine multi-factor with device trust. Organizations haven’t caught up to that, and that’s where the challenge lies.

SCB: So multi-factor authentication is not itself flawed, but only when combined with an unauthorized or unsecured device?

Kashyap: Yes. Multi-factor authentication has its place. But it can potentially compromise the network if it isn’t implemented properly. If you don’t add an additional layer on top of that, which is device trust, then you’re leaving yourself vulnerable. What we see customers doing is creating this defense-in-depth philosophy, where you’re assuming that one layer is going to be compromised. It gives you a long-term strategic window, when VPN can still be viable while migrating your infrastructure to more of a zero-trust-based security.

SCB: So is zero-trust authentication the answer? And if so, are we talking about authenticating the user, the device or both?

Kashyap: It authenticates both. The philosophy here is that you don’t give them access to the soft inner shell, the soft inner network, and just have a hard outer shell. If customers are moving to a zero-trust-based infrastructure, they won’t have to worry about leaving access to the inner core that traditionally VPN leaves you vulnerable to. You assume everything is hardened.

SCB: Where are we now with regard to the cybersecurity level of most companies? Are they well behind the curve in adapting this type of technology, or is some of it already in place?

Kashyap: We still find VPNs being heavily used, but zero-trust is starting to pick up steam. Some of the major firewall vendors and VPN vendors are beginning to introduce zero-trust-based access. Fewer and fewer folks are doing traditional credential-based access on VPN, but the Colonial Pipeline ransomware attack showed us that large infrastructure providers are still using a username and credentials instead of moving to multi-factor. Those that are doing multi-factor are definitely moving toward adding device trust on top of that to create additional security. The multi-factor authentication market is quite strong, but there’s room for improvement, even in traditional VPN architecture.

SCB: If we embrace these new technologies, does that solve the problem? Or are hackers and cyber thieves always going to be one step ahead of us?

Kashyap: There’s always the strategic challenge. You could implement multi-factor authentication, but still have a day-zero attack where your VPN hardware is compromised because there’s a vulnerability that wasn’t released to I.T. administrators on time. This is why zero-trust plays a big part. It assumes that even if hackers break the outer shell, you’ll have protections in place on the interior to limit where they can go. Organizations shouldn’t place too much reliance on one piece of technology to protect them. That’s a flawed methodology in protecting against the kind of cyber threats that we face today.