Most consumers regard Virtual Private Networks (VPNs) as a credible means of securing their data transmissions and overall privacy. Few realise VPNs were initially designed to provide these benefits for on-premise settings, offering only limited efficacy on the assortment of mobile, hybrid cloud, and multi-cloud technologies commonly used today.
By Don Boxley, CEO and Co-Founder of DH2i.
In fact, in these environments it’s not uncommon for the perils of VPNs to outweigh their purported advantages. In February, US Senators Marco Rubio and Ron Wyden wrote to the Director of the Cyber security and Infrastructure Security Agency (a subset of the Department of Homeland Security) about the 'national security risk' of VPNs for government employees.
The concern for national security is just the latest in the long line of VPN problems in distributed settings including issues of privacy, enterprise security, and regulatory compliance. Many of the Senate’s most pressing apprehensions - about transmitting US data over foreign servers - would be non existent if those data were securely routed at the application level with the flexibility of Software Defined Perimeters (SDP).
With the capability of providing these boons for enterprise security and privacy in hybrid and multi-cloud settings, these compartmentalised micro-tunnels eliminate the risk of VPNs for the secure transmission of all data, whether in the public or private sector.
Wyden and Rubio’s letter highlights a critical flaw in the way most VPNs are architected, particularly those disseminated on mobile devices via apps users download to their smartphones. The pair rightfully points out these mechanisms let, 'VPN providers route all user traffic through their own servers'.
National security issues arise when those servers (and the VPN companies operating them) are in foreign countries of interest to the US - the letter mentions VPN providers in Russia and China that could potentially access sensitive information from government officials via these apps.
Similar issues exist for any organisation transmitting proprietary data over VPNs via the provider’s servers, effectively putting users’ data in the hands of others. The Senate’s concerns are indicative of the overall trend of targeting American IT systems for espionage. Previously, Homeland Security removed a Russian manufacturer’s components from federal IT systems and the House Intelligence Committee evaluated Chinese telecom equipment for this very reason.
Software Defined Perimeters rectify this aspect of VPN use in which third parties are privy to users’ data. With this approach, data are never routed to third-party servers. Instead, they’re delivered directly between the source and the target systems at the application level, only accessing the user’s servers supporting them. If both systems are within the continental US, the data would never leave the country.
By transmitting data directly between applications and their servers, these ad-hoc tunnels don’t allow any room for others to access users’ networks, nor expand those networks as VPNs do. This architecture obsoletes the Senate’s concerns about putting data on foreign servers for transmission, redressing this fundamental flaw of VPNs.
Privacy and compliance
The notion of privacy is intrinsically engrained with that of security. VPNs make private data transmissions difficult in many ways, including by transporting data onto third-party servers. Research indicates that over 80% of Android mobile VPN apps request access to sensitive user data such as text messages and user account information.
Findings also indicate that two thirds of these apps use third-party tracking systems on user data, and that less than one percent of VPN app reviews make note of privacy concerns. These results are especially alarming because of the tide of regulations stipulating organisations are responsible for the practices of vendors processing their data, particularly as they relate to privacy and sensitive or personally identifiable data.
Conversely, the Software Defined Perimeter approach to securely transmit data at the application level reinforces privacy in many ways. The lack of third-party intervention eliminates all of the aforementioned VPN concerns about tracking systems and requests for data. Also, once this solution connects the applications or their servers, the ports joining them are closed so that no one other than those two parties is even aware they’re connected.
Whereas VPN ports are usually left open and are easy for scanners to detect, the closed ports of Software Defined Perimeters renders these micro-tunnels all but invisible for private data transmissions primed for regulatory adherence.
The foregoing research also determined that VPN security is remiss in several pivotal areas. 84 percent of VPN apps were found to leak user traffic, nearly 20% didn’t encrypt traffic at all, and almost 40% were associated with malware activity. Such issues are nonexistent with competitive Software Defined Perimeter solutions specifically designed to offer protection in each of these areas, and more. These cloaked micro-tunnels utilise full DTLS encryption and Public Key Authentication, so that even if malefactors were able to detect transmissions, they wouldn’t understand the underlying data.
It’s difficult to even detect such transmissions because these tunnels transmit data between the source and target systems’ gateways over UDP, as opposed to the more commonly used (and more detectable) TCP. Those gateways connect to each other through a cloud matchmaking service that randomly generates a port - at the time of the connection request - to link the applications, so hackers can’t simply hone in on the standard ports used by applications like SQL Server.
All of these security measures ensure that not only are there no exfiltration attempts or ‘inside jobs’ to leak data (which occurs with VPN), but that it’s exceedingly difficult to even detect data transmissions between remote settings.
Better safe than sorry
The expedience and ubiquity of VPN options today doesn’t always make them the best choice for cyber security issues. Not only is their basic architecture for transmitting data over third-party servers risky, but there are too many ways in which they flout best practices for secure, private data transfers.
Software Defined Perimeters not only eschew these architectural and operational mishaps, but also deliver a number of means of fortifying security for today’s distributed data landscape. They reinforce security and privacy instead of undermining them.