Debunking VPN Myths: VPNs Are Here To Stay

A Forbes author recently published an article stating that VPNs are an antiquated solution for securing organizational data. However, the author based his argument on several opinions that expert analysis reveals to be factually inaccurate, which undermines the overall argument. The incorrect statements deal with accommodating third parties, administrative ease, lateral movement attacks, the hybrid cloud environment, setup and configuration complexity, and other solutions as a comprehensive alternative.

We need to set the record straight: the VPN is here to stay, and is a necessary and vital component of every organization's cybersecurity infrastructure. Our mission is to offer secure, thorough protection in the digital world, which in this case means clearing up misconceptions and fallacies. Every business leader should be aware of this information to make a fully informed decision regarding the security of their organization:

Accommodating third parties: It is not necessary for users to manage multiple types of VPN connections to accommodate third parties that want access. Some vendors may wish to connect using different VPN technologies — but this will hold true for any security solution if the company does not impose its technology on third parties. To reduce unnecessary risk, businesses should only allow third parties to access their network using organizationally vetted, approved, and adopted solutions.

Administrative ease: Most top-line security solutions require a high level of touch so that administrators can clearly define and grant user privileges to access specific applications. This level of granularity is offered by VPN solutions that support configuring access to particular IP address ranges over specific protocols and port ranges for users or groups of users. Enforcing this least privilege access can be an essential part of any security plan.

Lateral movement attacks: Strong cybersecurity policies should always be part of a layered approach, and should include least privilege access and network segmentation for working with third parties. In that case, third parties are only granted access to the specific data and applications they need. Lateral movement attacks can be easily prevented using VPN solutions that allow administrators to configure whether or not users have access to private subnets. Organizations should always take this approach when collaborating with third parties. Otherwise, they are inviting unnecessary risk into their networks.
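
The per-group access rules described under administrative ease and lateral movement can be modelled as a default-deny check plus a breadth audit of third-party grants. This is an added example, not OpenVPN code; the group names, addresses and review thresholds are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    group: str    # VPN user group the rule applies to
    network: str  # destination CIDR the group may reach
    proto: str    # "tcp" or "udp"
    ports: range  # permitted destination ports

# Constructed policy: group names and addresses are illustrative assumptions.
POLICY = [
    Rule("employees", "10.0.0.0/16", "tcp", range(1, 65536)),
    Rule("vendor-hvac", "10.0.40.10/32", "tcp", range(443, 444)),
    Rule("vendor-hvac", "10.0.40.10/32", "udp", range(161, 162)),
    Rule("vendor-legacy", "10.0.0.0/16", "tcp", range(1, 65536)),
]
THIRD_PARTY_GROUPS = {"vendor-hvac", "vendor-legacy"}

def is_allowed(policy, group, dst_ip, proto, port):
    """Default deny: permit only when a rule for this group matches every field."""
    addr = ipaddress.ip_address(dst_ip)
    return any(
        r.group == group
        and r.proto == proto
        and port in r.ports
        and addr in ipaddress.ip_network(r.network)
        for r in policy
    )

def overly_broad(policy, third_party_groups, max_hosts=8, max_ports=16):
    """Return third-party rules that cover more hosts or ports than the
    (assumed) review thresholds, i.e. grants that leave room to move laterally."""
    return [
        r for r in policy
        if r.group in third_party_groups
        and (ipaddress.ip_network(r.network).num_addresses > max_hosts
             or len(r.ports) > max_ports)
    ]

if __name__ == "__main__":
    for probe in [("vendor-hvac", "10.0.40.10", "tcp", 443),
                  ("vendor-hvac", "10.0.40.11", "tcp", 443),
                  ("vendor-hvac", "10.0.40.10", "tcp", 22)]:
        print(probe, "->", "allow" if is_allowed(POLICY, *probe) else "deny")
    for r in overly_broad(POLICY, THIRD_PARTY_GROUPS):
        print("review:", r.group, r.network, r.proto)
```

The vendor group scoped to one host and two ports is denied everywhere else on the subnet, while the vendor rule spanning the whole /16 is the grant the audit flags for review.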

Hybrid cloud environment: The VPN model is highly applicable to today’s hybrid cloud environments, as long as organizations are utilizing proper cloud security. For instance, marketing data companies that use Amazon for their cloud storage can set it up so that the servers are public facing, which is a considerable risk. But this error is in how organizations secure their cloud environment, not in their VPN use.

VPN complexity: Many VPN solutions are relatively quick and straightforward to set up and configure. It takes about an hour (or less) to set up a personal OpenVPN from your home network, then fewer than five minutes to set up the connection to your laptop and phone. Access Server takes a little time to set up but is not complicated by any stretch of the imagination; it is on par with, and sometimes simpler than, other solutions.

Proxy chaining alternative: Proxies and VPNs, like apples and oranges, cannot practically be compared; they are two different solutions with very different sets of benefits. While proxy chaining can be helpful (especially for ethical hackers), it isn’t as practical as a business solution because most companies just aren’t in a position to learn how to set proxy chaining up. It can be very complex, especially compared to managing a VPN. It also doesn’t offer the same benefits as a VPN, such as the ability to easily configure and implement remote access and access control. Suggesting that a robust, layered cybersecurity approach could ever be replaced with some “be all, end all” solution is dangerous to organizational security.

Just like overall organizational contingency theory, no one individual cybersecurity solution can adequately protect a business — businesses should always adopt a layered approach. A good VPN solution that provides the granular access controls needed to create the appropriate network and application segmentation plays a significant role in securing least privilege access for businesses. A VPN is not the only cybersecurity tool businesses should use — it should be layered with other security measures depending on organizational needs. But a VPN should always be at the core of cybersecurity infrastructure.

“The reality is that VPN technology is always developing — especially with the OpenVPN open source community so vibrant and active, ‘stagnant’ simply isn’t a word that can be used to describe this tech. We’re always growing and improving.” - Francis Dinha, OpenVPN CEO
