The Target hack of 2014 was a warning that VPNs are now a liability
VPNs are the backbone of enterprise remote access and yet their security limitations are starting to pile up. The problem is that the very thing that once made them so useful, network access, is now their biggest weakness. As the 2014 attacks on retailers Target and Home Depot painfully illustrate, this architecture can easily be exploited by attackers armed with stolen credentials to move around networks from within in ways that are difficult to spot until it's too late.
What looked like a VPN to employees and partners turned out to be an open door for the attackers and the rest is data breach history.
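The lateral movement described above, an authenticated identity quietly touching far more internal hosts than it ever needed, is what defenders can look for in VPN session or flow logs. The following is an added example, not code from the article or from Zscaler: it parses a constructed flow log and flags identities whose fan-out across the internal range exceeds a per-account baseline. The log format, the 10.10.0.0/16 datacentre range, the usernames and the baseline counts are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample flow log (not real data): time user src_ip dst_ip dst_port
SAMPLE_LOG = """\
2014-01-10T08:01:00 jsmith 10.200.1.5 10.10.5.20 443
2014-01-10T08:02:10 jsmith 10.200.1.5 10.10.5.20 443
2014-01-10T08:05:00 jsmith 10.200.1.5 10.10.5.21 443
2014-01-10T08:06:00 partner01 10.200.2.9 10.10.9.5 8443
2014-01-10T08:06:30 partner01 10.200.2.9 10.10.1.10 445
2014-01-10T08:07:00 partner01 10.200.2.9 10.10.1.11 445
2014-01-10T08:07:20 partner01 10.200.2.9 10.10.1.12 3389
2014-01-10T08:08:00 partner01 10.200.2.9 10.10.7.40 445
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d+)$")
INTERNAL = ipaddress.ip_network("10.10.0.0/16")  # assumed datacentre range

# Assumed baseline: how many internal hosts each account normally reaches.
BASELINE = {"jsmith": 2, "partner01": 1}

def parse_log(text):
    """Parse space-separated flow records into dicts; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, src, dst, port = m.groups()
        events.append({"ts": ts, "user": user, "src": src,
                       "dst": ipaddress.ip_address(dst), "port": int(port)})
    return events

def fan_out(events):
    """Per user: the set of distinct internal (host, port) pairs reached."""
    seen = defaultdict(set)
    for e in events:
        if e["dst"] in INTERNAL:
            seen[e["user"]].add((str(e["dst"]), e["port"]))
    return seen

def flag_lateral_movement(events, baseline=BASELINE, factor=2, floor=3):
    """Flag users whose distinct internal hosts exceed max(floor, factor*baseline)."""
    flagged = {}
    for user, pairs in fan_out(events).items():
        hosts = {h for h, _ in pairs}
        limit = max(floor, factor * baseline.get(user, 1))
        if len(hosts) > limit:
            flagged[user] = {"hosts": sorted(hosts),
                             "ports": sorted({p for _, p in pairs})}
    return flagged
```

On the sample log, `jsmith` stays within its baseline while `partner01` is flagged for reaching five distinct hosts, three of them on file-sharing and remote-desktop ports it has no history of using.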
"The VPN hasn't changed in 20 years," says Zscaler's engineering sales director Mark Ryan as he sets out the case for something called Private Access, his firm's reinvention of the VPN in a form it believes is more suitable for a world of remote access to cloud applications.
"The biggest change has been moving from IPsec to SSL. It is an extension of my network and once users are authenticated they have access to the network," adds Ryan. "This presents a fundamental risk to security. From the security perspective this isn't the same as a VPN because we are not placing the user on the network."
The traditional VPN defence plan of deploying VLANs and subnets, with firewalls monitoring movement between them, offers a solution of sorts but can quickly become an expensive headache to manage across larger organisations. More likely it simply won't be managed. Factor in remote access to cloud applications and the problems accelerate, with traffic piped from data centre to cloud in a manner Zscaler's advertising blurb likens to "flying from San Francisco to London by way of Buenos Aires."
Outwardly at least, Zscaler's Private Access looks much the same as a traditional VPN and can, the company claims, be bought as a direct replacement for it. Instead of running a VPN client, the PC runs a Private Access client that intercepts traffic it determines is bound for an intranet or cloud application and directs it through Zscaler's global cloud and onwards to a 'connector' server that sits inside the customer's datacentre or in the cloud itself.
None of this affects the authentication service or technology being used, while the critical aspect of VPNs, end-to-end encryption, is maintained. Private Access traffic passes through Zscaler's cloud, but the firm does not have access to the data moving across it. This isn't a VPN, but it behaves like one. No underlying network is exposed, because the applications and the network are separate things, nor is there a routable inbound connection for attackers to exploit.