When Your Old Reliable is No Longer Enough: Why it’s Time to Move on From VPNs
Businesses have relied on VPNs for over two decades. But with the rapid adoption of cloud services and mobile technology, the way we store and access data has changed. On this week’s Endpoint Enigma, Lookout CTO of SASE Products Sundaram Lakshmanan joins Hank Schless to discuss why VPNs fall short when it comes to security and user experience and what the best alternative is for providing secure network access to your remote workers.
Episode Transcription
Hank Schless 00:11
Hi, everybody, and welcome to this episode of Endpoint Enigma. I'm your host, Hank Schless. And today, I'm very excited to be joined by Sundaram Lakshmanan, our Chief Technology Officer of SASE products. Sundaram, welcome to the show today.
Sundaram Lakshmanan 00:25
Thank you, Hank, for having me on your show.
Hank Schless 00:27
Always a pleasure, my friend. So, Sundaram, I'm particularly excited about today's episode, because we're going to dive into something that I think is actually pretty familiar to most people in the security world, which is virtual private networks, or VPNs. They've been around for a long time. And they've also been a pretty frequent topic of discussion, especially as security teams and organizations as a whole have been figuring out what their security posture is going to look like during the current transitional period of moving from remote work into a more permanent hybrid work model, which honestly isn't too surprising. So you know, that being said, and as we'll discuss, there are definitely some fundamental ways that relying on VPN could be a little bit difficult for teams, kind of depending on what they decide to do. But before we get to all that: Personally, I think of VPN as kind of an older technology; I think of 10 to 15 years ago, using an RSA token to log in to a VPN to remote desktop in and do that whole thing. Could you give us a little bit about how it all started?
Sundaram Lakshmanan 01:28
Definitely, it's a very interesting technology. If you really go back, it started almost, like, two decades ago; you could time it almost with the advent of laptops. And people were given these laptops. This is a very good productivity tool. People took the laptop home, and they wanted to stay connected. And that's when this VPN became very popular. VPNs had actually two big use cases, right? One is connecting the remote users to your office and office applications. And also connecting to your remote branch offices over the public internet. Because, Hank, one thing you need to remember: this was the time when frame relay, MPLS, ATM –– you know, these were popular WAN technologies, and they were pretty costly –– to get these leased lines. And the internet was exploding. People started experimenting, “Hey, can I move some of the unwanted traffic over to the internet, from branch to my headquarters?” And that's where, you know, the site-to-site VPN came into being. And since then, I have to say until recently, VPNs have really boosted employee productivity. I mean, you know that, I know that, we are connected all the time in MP, to office email, to all office applications. So definitely they're old technology. They're still good, still relevant to major productivity boosts? I would say, Hank, yeah, absolutely.
Hank Schless 02:44
I mean, I think there's still a place for them for sure. But one thing that's sort of interesting is that it doesn't sound like it's really changed that much. I mean, obviously, you know, there's some kind of nuances to that, but it seems like it's just advanced a lot more slowly than other security technology has, especially for something that's been around for so long. Why do you think that is?
Sundaram Lakshmanan 03:05
Actually I want to kind of give a slightly different spin, if I may, right. It's not that they have not changed; they definitely have changed. It's like, you know, the comparison I would give is, you know, in the automobile, you take a gas engine versus this hybrid, and there are more and more electric vehicles, right? These are completely different technologies, and VPNs were built for the problem two decades ago, and they kept on augmenting, right, like, going from V2 to V4 to V8 and supercharged turbo engines. VPNs definitely kept up like, you know, site-to-site VPN… and network access control points, you know, extended authentication mechanisms. They kept on doing. They kept on enhancing for the problem. For the last decade, what changed was the problem itself, digital transformation… everything started going to cloud, right? And VPNs were built where… for when 5%, 10% of your workforce wanted to work remotely, or maybe 20%, 30%. But now, just hanging on, I know how much in all of our conversations… how much we hear about remote working in the last one year –– this has exploded. So VPNs, kind of, they solved the problem for the last decade. But for this decade, of course, the problem has changed. So in that sense, they are not there, right? And that's why they appear so suddenly old, even though last year… people have invested heavily again, to enable all the remote workforce.
Hank Schless 04:29
So basically, what it sounds like you're telling me is that we need to get Elon Musk on this podcast to talk about the parallels between, you know, electric vehicles and VPN technology. So we'll… we'll work on that. Okay, so you talked about digital transformation, everything being in the cloud. From an access perspective, like, I just think about what it used to be, you know, you log into VPN, and you have access to everything. It seems like now there are so many different apps and platforms that we use that I would think that you'd want to be able to kind of control that access a little more in that case. Or, do you think people are still okay with that all-or-nothing approach as long as it means people can get their work done?
Sundaram Lakshmanan 05:03
As an IT admin, right? Even though I want very granular access, the current set of capabilities that is available is what it is, which is VPN. And then that's why, you know, I had to jump on it on day one. But situations have changed. As we come across in multiple conversations… take a scenario here, where in this day and age people use any device they can get hold of to access any application, enterprise applications, right? For example, I jump on my spouse's laptop or my family computer, I access my Office 365 emails, I access, let's say, my Salesforce account, my Box account, my G Drive account. These all have very sensitive data, right? At the same time, you know, we're on the same machine. My kids are playing games, and we go to all these internet sites, check out our banking, financial, healthcare, news. And just imagine these laptops or devices, how much they are exposed to the internet in this day and age. This is where the situation has changed with remote working, when people bring a lot of these personal devices. And also, on the other hand, you have to see, it doesn't matter. Like even if enterprises issue their devices, people use those devices for their personal work as well. So there is no clear black and white boundary here. And because these devices are unmonitored for most of the time, there is a high chance here that these devices could be compromised. And this is where, Hank, the situation has changed drastically, at least in the last year or so, where… when you give full network access, what happens is, people may still be, you know, using the applications as intended, which is, like: connect to the VPN and then access the application as they always planned to. But these malwares that are acting underneath, under the hood, right? They can now jump laterally into the network, right? And this is the biggest gap that has been exposed in the last few years.
And that's where people are suddenly waking up and saying, “Oh, whoa, we brought an old technology, like a VPN that was built for the last decade, into this new world of digitally transformed remote working environments.” And this is what is untenable. So definitely there is a lot of emphasis on the access, as you said.
Hank Schless 07:27
Okay, there are a couple of things I want to touch on there. The first is, can you just… just a quick couple sentences, just explain what you mean by lateral movement?
Sundaram Lakshmanan 07:35
Yes, so let's say my machine is infected, okay. And here I'm opening and connecting the VPN, and I'm connecting to my HR app, right? I'm kind of going through my on-prem HR app, or on-prem ERP app. Guess what the malware does, the malware underneath the hood, because now I have a new VPN? It just scans all the machines on the network, right, and then finds the most vulnerable machines; it could be somebody else's laptop, because the VPN is set to allow that. Or it could be some machines or servers running in the data center, or could be another application. And then they easily hijack, they go infect those machines, then the infection spreads. That's kind of the lateral movement that we're talking about. And at the application level, also, this could happen, like a Word document that you're working on, or a PDF or something can get injected. And when that document gets uploaded into your internal applications and somebody else clicks…
Hank Schless 08:24
Okay, that makes sense. And when we're talking about how this malware can move laterally, it seems like, you know, access is definitely a thing. So the first thing that comes to mind when I think of access these days is just the philosophy and the principle of zero trust. Obviously, in the last couple of years that's really come up in the analyst community and then throughout other technologies a lot. But without talking about, like, the specific zero trust technologies, as a philosophy, how does that play into the way that VPN has evolved at the same time?
Sundaram Lakshmanan 08:52
That's a very good question. VPNs definitely did a bunch of things related to zero trust; they always pinned their access based on identity. For example, the VPNs do support single sign-on. They used to support RADIUS-based authentication. They used to support enterprise-based authentication. That was one part. And then the next part is, VPN has also introduced some kind of a network access control, NAC they used to call it, which is: check the device posture before letting you in. But one thing to remember, these things were done one time, just when you access, right? If I were a hacker, if I were a malware developer, that's all I need to look for. Okay, so that time of access, if I can stay under the hood, there's nothing that gets exposed, right? But the situation has changed, as we talked about. Just coming back to my analogy, gas engine versus electric vehicles, right, like this is day and night. Very different. Now we're talking about applications getting accessed all the time from any device. Now, first and foremost, with so much hacking and so much credential theft happening, you will have to start by assuming that a lot of credentials, there is a high chance that they could be compromised through phishing or something; that's always the entry point. So there needs to be continuous authentication, there needs to be continuous verification; that's where the zero trust starts. Okay, I trust but I haven't gone to verify every activity, not just only at the time of access –– that's about the user, even though you present invalid credentials –– then about the device itself. Again, you cannot assume that the device is in that connected state, that way the posture changed so drastically. So again, the device trust also has to continuously evolve, and then narrow down the access. So this is where the VPNs could not keep up with the game. And that is where VPNs have to be left where they belong.
And when you go into the newer world, start thinking new and start rethinking how to address all these problems.
Hank Schless 10:55
Got it. I like the way that you kind of repositioned that. I think that makes a lot more sense. So I do want to get more into zero trust in a little bit. But before we do that, one thing that I always think about with VPN, and again, more traditional, is the user experience of it, because if I'm remembering correctly, you know, there's a lot of, like, hairpinning traffic. And let's say you're working out in the field for an oil and gas company or something like that. And you're out in some oil field in the middle of Texas, and you have to connect to a VPN to do something from the Panasonic Toughbooks or, like, a tablet. It has to go all the way back to the base of the host infrastructure and then all the way back to you. Is that still true? And are there any kind of user experience shortfalls that you can think of when it comes to VPN?
Sundaram Lakshmanan 11:37
Absolutely, I mean, just from my personal past experience, right? VPN-based access always had its user experience challenges for many reasons. You'll never know what’s slowing you down, like even when you used to connect back to your headquarters or data centers. And people started offloading it for full tunnel Internet access as well. But guess what? Now, in this decade, at least in the last few years, cloud and VPN are oxymorons. You don't use them together. But people, because they wanted to have some kind of access control even to cloud applications, that started happening, as you said. I mean, Office 365 is everywhere. Why would I put my users to come through a VPN to access this cloud service? Internet is everywhere. Why would I put a user to come on a VPN into my data center to access the internet, just because I couldn't offer them enough security checks, enough content inspection, just to bring that back? VPN was the one technology that allowed you to hairpin or trombone, whatever the case may be. And this leaves a lot to be desired here. Latency, for one, hurts user experience, really, when it comes to web applications. If the page doesn’t load, you're not going to be happy, I'm not going to be happy. And we see a lot… and the downloads are going to take longer, accesses are going to take smaller, and it kind of puts a speed bump into your day-to-day work. And VPNs, you know, productivity… but now they're kind of taking you on the other path.
Hank Schless 13:09
It's funny. I actually never really thought about it that way, that it's almost contradictory to itself to talk about cloud and VPN in the same breath. Now, in preparing for our conversation today, I was doing some research on any incidents we'd seen in the past regarding VPN. And obviously, there's a fair amount of that. But in terms of, like, a provider, honestly, that I think we're all pretty familiar with is Pulse Secure, because they've been around for a while. I think they had some vulnerabilities earlier this year that I saw maybe from a couple months ago. Is there anything you can offer in regards to that?
Sundaram Lakshmanan 13:39
Actually, it has happened multiple times. And to be honest and transparent, it's not just Pulse. It's like many other VPNs, including… Cisco AnyConnect has been in the news, right? And there have been multiple other VPNs that have been in the news. And, you know, having done product development for the last two and a half decades, I have to be honest, there is no perfect product. It's all software, and even ASICs have had… I mean, even Intel has had security bugs in their CPUs. So to be honest, there is nothing like a perfect product. But one thing I would like to say: the architectures have to evolve. So at least the damages can be limited. Just as an example, VPN is giving you full access to the network. So what it means is, if a VPN is compromised, my entire application network is compromised. On the other hand, for example, we are going to be talking about ZTNA, or the next evolution, which gives you only granular access to a particular set of applications that the user is authorized to… just that architectural shift will keep enhancing the security as we go. Great. Hank, as you know, there is no defense in depth anymore. I'll give you a panel but there's no defense in depth. Like, you know, you have a firewall. You have IDS, IPS. You have a secure web gateway. You have all these new technologies before you access an application; that's gone. Now a cloud service is one URL; you type it in a browser and you are there already. So now where is… The defense in depth we have to rethink. Now, we should not be bringing the old technologies to solve new problems. We have to rethink, because these are new architectural paradigms. And that's where I would advise, or guide, my customers and the people that I talk to, because the bugs are going to be there. And I'm not surprised by that.
Hank Schless 15:19
I completely agree with you. There's definitely no perfect product. And, you know, especially being in the security world, for anyone to say that they have a perfect security product, I think everybody would shoot that down pretty darn quick. But one thing you did mention there super briefly that I want to dive into is zero trust network access, ZTNA. So could you tell us a little bit more about that, and where that fits into this whole ecosystem that we've been talking about?
Sundaram Lakshmanan 15:42
… So now, as we already talked about, in the case of VPN, we put a lot of trust on the user-side entity, put a lot of trust on the device. I mean, even though there were some simple checks, right? And then give them carte blanche access to the network. With zero trust network access, what's happening is, there are a few continuous principles that need to be applied. One is, first and foremost, limit access. If the user wants to access your HR app, why does he need network access, which might also allow him to access, let's say, ERP in the same connection? Why? That's the first question. So in that sense, limit, first thing. Second, continuously assess. It's not like I do one check. Just as we all go to concerts, we all go to different engagements and conferences. There is always a badge check at the front gate, identity check, verification. But that doesn't mean that you go inside and do whatever you want. Like there will be some more policing, some more eyes watching what's happening, just to regulate the crowd. Exactly the same principles; you trust a lot of people, you will let them come in. But you verify at every activity. When somebody is downloading very sensitive content on your HR app, or ERP, or CRM app, just check one more time. Why is he downloading? Is that the right thing? And if he's coming from an unmanaged device, can we challenge him to provide additional credentials, like a step-up authentication, or check the device posture and continuously monitor the devices, apps? And you know what? If somebody is suddenly downloading a malicious app during the middle of a VPN session, unbeknownst to them, that's unacceptable. That's where the zero trust principles are taking us. And network access is getting redefined in this new world of digitally transformed enterprises with cloud applications. And these applications running in private data centers, AWS, Azure, GCP public cloud, right? You just cannot put boxes there.
But instead, give connectivity only to those applications. And that's where the zero trust network is taking us.
Hank Schless 17:46
Yeah, I mean, I think personally, the most interesting and important part of that is the continuous part. Secondly, I would say, would be the ability to make sure that even from an unmanaged device you can still have those same protections, because, I mean, like you mentioned earlier in our conversation, you know, we all use all sorts of devices all the time. We just expect to be able to be productive from them, no matter what it is. And even if your company says, you know, “Here's an issued laptop or an issued phone; it's only for work purposes,” you will inevitably check your Facebook, you know, whatever it may be, you’ll check a couple of things. And you know, we could go down a whole path on what could happen from there. But yeah, there is inevitably a little bit of crossover no matter what the deployment model is. So I guess my last question for you would be, what can organizations really do at this point? I mean, it sounds like there's definitely a place for ZTNA, for zero trust network access. And then finally, do people move completely away from VPN? Do they kind of have a hybrid approach to it? What's the way that companies can approach that? And what's the balance, if any? And basically, what's their direction from here?
Sundaram Lakshmanan 18:44
That's a very good question. So there is nothing that we could do to shift the balance overnight. But if we work through methodically, first and foremost, where the enterprises need to focus on is: do not bring old technologies and old solutions when you rethink the architecture –– just like, for example –– digital transformation, right? When you are moving, let's say, your applications that were running in your data center to a public cloud like AWS or Azure, or GCP for that matter, right? Do not try to stitch it with old solutions like a VPN for access, or try to bring other gateway solutions, or all these things in a virtual form, or whatever form, because the problem has actually changed. And that's where initially, it will always be kind of a transition period and a hybrid deployment. ZTNA can help move these applications smoothly, keeping and giving a very good user experience, meaning this is still users directly accessing the cloud… And the second thing is there are newer problems to address in this scenario, like what we talked about: people accessing from any device, and malwares, and zero trust where we need to continuously enforce. And that's where the VPNs are not going to be helping you, but VPNs are networking devices. In fact, I used to be shut down earlier, even a decade ago, if I said VPN is a security device. It is a networking device at the end of the day. It just gives you confidentiality and a certain level of security; they just were giving you connectivity. So treat it as is. Do not bring the old solutions… And then there is an inflection point when things become truly hybrid, like application infrastructures become truly hybrid. And the types of applications also keep changing. There will be a period when VPNs have already crossed their shelf life. And there will be a time very soon, where nobody will be talking about VPN, just like we don't talk about frame relay anymore, right? It will be a time like that.
And now it's time for ZTNA in the next decade, right? And ZTNA is only going to keep improving from here on.
Hank Schless 20:52
Yeah, it sounds like it's time for VPN to retire, get some well deserved time off and go hang out on the beach for a little while. Enjoy all the hard work, it's done.
Sundaram Lakshmanan 21:01
I go back to my analogy… and say, “You know, they have been firing our autos for the last 100 years. Now the EVs are here. Of course, EVs are not replacing and they won't replace entirely, but eventually ride cleaner, simpler, faster, better.”
Hank Schless 21:16
That's a great metaphor for it and very relevant. So Sundaram, I think that is all the time we have for today. So thank you so much for joining us.
Sundaram Lakshmanan 21:24
And it's my pleasure, Hank. It's always good to join you and thanks for a very nice conversation. Thanks.
Hank Schless 21:29
Yeah, absolutely. Always a pleasure. And thank you everyone for listening in today. You can always find Endpoint Enigma anywhere you find your podcasts, and be sure to check us out on LinkedIn and Twitter at Lookout. We're always trying to offer more thought leadership information to help people understand the evolving security landscape. And thanks for joining us. We'll see you next time.